whitelist data & mxc URIs on img tags: readds PR #333 now that punkave/sanitize-html#137 has landed
This commit is contained in:
parent
5ac76acc05
commit
2db53c2284
2 changed files with 6 additions and 6 deletions
|
@ -68,7 +68,7 @@
|
|||
"react-addons-css-transition-group": "15.3.2",
|
||||
"react-dom": "^15.4.0",
|
||||
"react-gemini-scrollbar": "matrix-org/react-gemini-scrollbar#5e97aef",
|
||||
"sanitize-html": "^1.11.1",
|
||||
"sanitize-html": "^1.14.1",
|
||||
"text-encoding-utf-8": "^1.0.1",
|
||||
"velocity-vector": "vector-im/velocity#059e3b2",
|
||||
"whatwg-fetch": "^1.0.0"
|
||||
|
|
|
@ -87,7 +87,7 @@ var sanitizeHtmlParams = {
|
|||
// deliberately no h1/h2 to stop people shouting.
|
||||
'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
|
||||
'nl', 'li', 'b', 'i', 'u', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div',
|
||||
'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
|
||||
'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'img',
|
||||
],
|
||||
allowedAttributes: {
|
||||
// custom ones first:
|
||||
|
@ -102,10 +102,10 @@ var sanitizeHtmlParams = {
|
|||
// URL schemes we permit
|
||||
allowedSchemes: ['http', 'https', 'ftp', 'mailto'],
|
||||
|
||||
// DO NOT USE. sanitize-html allows all URL starting with '//'
|
||||
// so this will always allow links to whatever scheme the
|
||||
// host page is served over.
|
||||
allowedSchemesByTag: {},
|
||||
allowedSchemesByTag: {
|
||||
img: [ 'data', 'mxc' ],
|
||||
},
|
||||
allowProtocolRelative: false,
|
||||
|
||||
transformTags: { // custom to matrix
|
||||
// add blank targets to all hyperlinks except vector URLs
|
||||
|
|
Loading…
Reference in a new issue