Sanitise for *, fix style issues
This commit is contained in:
parent
ae03244e6e
commit
886b0a3f13
1 changed files with 6 additions and 4 deletions
|
@ -141,7 +141,7 @@ var sanitizeHtmlParams = {
|
|||
attribs.rel = 'noopener'; // https://mathiasbynens.github.io/rel-noopener/
|
||||
return { tagName: tagName, attribs : attribs };
|
||||
},
|
||||
'font': function(tagName, attribs) {
|
||||
'*': function(tagName, attribs) {
|
||||
// Only allow certain CSS attributes to avoid XSS attacks
|
||||
// Sanitizing values to avoid `url(...)` and `expression(...)` attacks
|
||||
if (!attribs.style) {
|
||||
|
@ -152,7 +152,9 @@ var sanitizeHtmlParams = {
|
|||
let sanitisedStyle = "";
|
||||
for (let i = 0; i < pairs.length; i++) {
|
||||
const pair = pairs[i].split(':');
|
||||
if (!Object.keys(ALLOWED_CSS).includes(pair[0]) || !ALLOWED_CSS[pair[0]].test(pair[1])) {
|
||||
if (!Object.keys(ALLOWED_CSS).includes(pair[0]) ||
|
||||
!ALLOWED_CSS[pair[0]].test(pair[1])
|
||||
) {
|
||||
continue;
|
||||
}
|
||||
sanitisedStyle += pair[0] + ":" + pair[1] + ";";
|
||||
|
|
Loading…
Reference in a new issue