Sanitise for *, fix style issues

This commit is contained in:
Luke Barnard 2017-02-27 11:23:37 +00:00
parent ae03244e6e
commit 886b0a3f13

View file

@ -141,7 +141,7 @@ var sanitizeHtmlParams = {
attribs.rel = 'noopener'; // https://mathiasbynens.github.io/rel-noopener/
return { tagName: tagName, attribs : attribs };
},
'font': function(tagName, attribs) {
'*': function(tagName, attribs) {
// Only allow certain CSS attributes to avoid XSS attacks
// Sanitizing values to avoid `url(...)` and `expression(...)` attacks
if (!attribs.style) {
@ -152,7 +152,9 @@ var sanitizeHtmlParams = {
let sanitisedStyle = "";
for (let i = 0; i < pairs.length; i++) {
const pair = pairs[i].split(':');
if (!Object.keys(ALLOWED_CSS).includes(pair[0]) || !ALLOWED_CSS[pair[0]].test(pair[1])) {
if (!Object.keys(ALLOWED_CSS).includes(pair[0]) ||
!ALLOWED_CSS[pair[0]].test(pair[1])
) {
continue;
}
sanitisedStyle += pair[0] + ":" + pair[1] + ";";