Update to support data uri in src attribute of image tag

Wu Cheng-Han 2016-08-15 11:00:02 +08:00
parent 9bf7b92707
commit ecd7218917


@ -2,6 +2,8 @@
var whiteListAttr = ['id', 'class', 'style']; var whiteListAttr = ['id', 'class', 'style'];
// allow link starts with '.', '/' and custom protocol with '://' // allow link starts with '.', '/' and custom protocol with '://'
var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/; var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
// allow data uri, from https://gist.github.com/bgrins/6194623
var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@\/?%\s]*)\s*$/i;
// custom white list // custom white list
var whiteList = filterXSS.whiteList; var whiteList = filterXSS.whiteList;
// allow ol specify start number // allow ol specify start number
@ -32,6 +34,10 @@ var filterXSSOptions = {
if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) { if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
return name + '="' + filterXSS.escapeAttrValue(value) + '"'; return name + '="' + filterXSS.escapeAttrValue(value) + '"';
} }
// allow data uri in img src
if (isWhiteAttr && (tag == "img" && name === 'src') && dataUriRegex.test(value)) {
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
}
}, },
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
// allow attr start with 'data-' or in the whiteListAttr // allow attr start with 'data-' or in the whiteListAttr
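Review bot: The new allow-rule at `tag == "img" && name === 'src'` accepts any media type, because dataUriRegex's type group is an arbitrary `[a-z]+\/[a-z0-9-+.]+`, so `data:text/html,...` or `data:application/...,...` passes the sanitizer as an image source; an img element does not execute such payloads itself, but an allow-list in a filter should be as narrow as the feature needs, and here that is image types only. The cheap fix is `if (isWhiteAttr && tag === 'img' && name === 'src' && dataUriRegex.test(value) && /^\s*data:image\//i.test(value)) {` (or narrowing the regex's type group to `image\/[a-z0-9-+.]+`), which also replaces the loose `==` with the `===` the rest of the line and file use. Separately, the data character class in dataUriRegex already contains `\s`, so the trailing `\s*$` overlaps it and a long whitespace tail that fails to reach the anchor backtracks quadratically; it is probably worth timing the regex on an oversized input, since this value comes from user markdown. The handler containing these lines begins above the hunk.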