Update to support data uri in src attribute of image tag
parent
9bf7b92707
commit
ecd7218917
1 changed files with 6 additions and 0 deletions
|
@ -2,6 +2,8 @@
|
|||
var whiteListAttr = ['id', 'class', 'style'];
|
||||
// allow link starts with '.', '/' and custom protocol with '://'
|
||||
var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
|
||||
// allow data uri, from https://gist.github.com/bgrins/6194623
|
||||
var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@\/?%\s]*)\s*$/i;
|
||||
// custom white list
|
||||
var whiteList = filterXSS.whiteList;
|
||||
// allow ol specify start number
|
||||
|
@ -32,6 +34,10 @@ var filterXSSOptions = {
|
|||
if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||
}
|
||||
// allow data uri in img src
|
||||
if (isWhiteAttr && (tag == "img" && name === 'src') && dataUriRegex.test(value)) {
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||
}
|
||||
},
|
||||
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
|
||||
// allow attr start with 'data-' or in the whiteListAttr
|
||||
|
|
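Review bot: The new `dataUriRegex` accepts any media type, or none at all, so the `img`/`src` branch in the second hunk passes `data:text/html,…` and `data:image/svg+xml,…` as well as raster images. Browsers do not run script from an `<img>` source, so the exposure is limited, but a sanitizer allow-list should name exactly what it permits; a tighter pattern would be `var dataUriRegex = /^\s*data:image\/(png|gif|jpe?g|webp);base64,[a-z0-9+\/=\s]*$/i;`. The same branch compares with `tag == "img"` while the rest of the condition uses `===`; `tag === 'img'` would match the surrounding style. The enclosing callback starts above the hunk, so whether `tag` is lower-cased before this check cannot be confirmed from here.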