whitelist data & mxc URIs on img tags: readds PR #333 now that punkave/sanitize-html#137 has landed

Matthew Hodgson 2017-02-19 03:04:42 +02:00
parent 5ac76acc05
commit 2db53c2284
2 changed files with 6 additions and 6 deletions


@ -68,7 +68,7 @@
"react-addons-css-transition-group": "15.3.2",
"react-dom": "^15.4.0",
"react-gemini-scrollbar": "matrix-org/react-gemini-scrollbar#5e97aef",
"sanitize-html": "^1.11.1",
"sanitize-html": "^1.14.1",
"text-encoding-utf-8": "^1.0.1",
"velocity-vector": "vector-im/velocity#059e3b2",
"whatwg-fetch": "^1.0.0"


@ -87,7 +87,7 @@ var sanitizeHtmlParams = {
// deliberately no h1/h2 to stop people shouting.
'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
'nl', 'li', 'b', 'i', 'u', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div',
'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'img',
],
allowedAttributes: {
// custom ones first:
@ -102,10 +102,10 @@ var sanitizeHtmlParams = {
// URL schemes we permit
allowedSchemes: ['http', 'https', 'ftp', 'mailto'],
// DO NOT USE. sanitize-html allows all URL starting with '//'
// so this will always allow links to whatever scheme the
// host page is served over.
allowedSchemesByTag: {},
allowedSchemesByTag: {
img: [ 'data', 'mxc' ],
},
allowProtocolRelative: false,
transformTags: { // custom to matrix
// add blank targets to all hyperlinks except vector URLs
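Review bot: The "DO NOT USE" warning above `allowedSchemesByTag` appears to be dropped without a replacement, so nothing in the new code records that the `img` entry is only safe together with `allowProtocolRelative: false`. That option presumably needs the sanitize-html release pulled in by the `^1.14.1` bump in this commit; an older installed copy would likely ignore the key and let `//host/...` sources through again. I would add a comment above the `img` entry such as `// img is limited to data: and mxc: so no remote fetch is triggered; depends on allowProtocolRelative being honoured by sanitize-html (see package.json)`. The `data` scheme is also accepted here for any media type and size, and the `img` attribute list and `transformTags` handling are outside this hunk, so a sanitizer test covering `<img>` with `//`, `http:` and non-image `data:` sources would pin the intended behaviour. The `sanitizeHtmlParams` object starts and ends outside the hunk.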