XSS: Glob attributes data-*, aria-*

This commit is contained in:
Calvin Montgomery 2015-01-06 13:00:36 -05:00
parent df42a5e6a6
commit 03f58a7d7a
2 changed files with 5 additions and 4 deletions


@ -1,5 +1,7 @@
var sanitizeHTML = require("sanitize-html"); var sanitizeHTML = require("sanitize-html");
// These tags are allowed in addition to the defaults
// See https://github.com/punkave/sanitize-html
const ALLOWED_TAGS = [ const ALLOWED_TAGS = [
"button", "button",
"center", "center",
@ -16,12 +18,11 @@ const ALLOWED_TAGS = [
const ALLOWED_ATTRIBUTES = [ const ALLOWED_ATTRIBUTES = [
"id", "id",
"aria-hidden", "aria-*",
"border", "border",
"class", "class",
"color", "color",
"data-dismiss", "data-*",
"data-target",
"height", "height",
"role", "role",
"style", "style",
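Review bot: The `data-*` glob replacing `data-dismiss`/`data-target` admits every data attribute, and the allow list carries no comment explaining why that is acceptable; data attributes are inert as markup, but any client-side code that reads them becomes part of the sanitizer's trust boundary, and the page does not show which code does. A short comment above the list would record the reasoning, e.g. `// data-*/aria-* are globbed: inert in markup, but every client script that reads data-* must treat the value as untrusted`. The glob syntax also depends on the forked sanitize-html that package.json now references, while the comment added at the top of this file still links to the punkave upstream; pointing the comment at the fork (or noting the dependency on it) would keep the two in step. The ALLOWED_ATTRIBUTES literal continues past the end of this hunk.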


@ -22,7 +22,7 @@
"nodemailer": "^1.2.0", "nodemailer": "^1.2.0",
"oauth": "^0.9.12", "oauth": "^0.9.12",
"q": "^1.0.1", "q": "^1.0.1",
"sanitize-html": "^1.4.3", "sanitize-html": "git://github.com/calzoneman/sanitize-html#5022eb6c",
"serve-static": "^1.5.3", "serve-static": "^1.5.3",
"socket.io": "^1.1.0", "socket.io": "^1.1.0",
"yamljs": "^0.1.5" "yamljs": "^0.1.5"
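Review bot: The new `sanitize-html` entry fetches the package over `git://`, which is unauthenticated and unencrypted, so the install step has no transport integrity check for the very module that guards against XSS. Switching to `git+https://github.com/calzoneman/sanitize-html#<full-commit-sha>` (the full 40-character hash rather than the abbreviated `#5022eb6c`) would give an authenticated fetch and an unambiguous pin. Pinning to a fork commit also drops the semver range, so upstream fixes no longer arrive automatically; since package.json has no comment syntax, the reason for the fork (glob attribute support, as the other file suggests) is worth recording in the README or a changelog.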