XSS: Glob attributes data-*, aria-*

2015-01-06 13:00:36 -05:00 · 2015-01-06 13:00:36 -05:00 · 12f3161f50
parent 1c3a669279
commit 12f3161f50
2 changed files with 5 additions and 4 deletions
--- a/lib/xss.js
+++ b/lib/xss.js
@ -1,5 +1,7 @@
 var sanitizeHTML = require("sanitize-html");

+// These tags are allowed in addition to the defaults
+// See https://github.com/punkave/sanitize-html
 const ALLOWED_TAGS = [
    "button",
    "center",
@ -16,12 +18,11 @@ const ALLOWED_TAGS = [

 const ALLOWED_ATTRIBUTES = [
    "id",
-    "aria-hidden",
+    "aria-*",
    "border",
    "class",
    "color",
-    "data-dismiss",
-    "data-target",
+    "data-*",
    "height",
    "role",
    "style",
--- a/package.json
+++ b/package.json
@ -22,7 +22,7 @@
    "nodemailer": "^1.2.0",
    "oauth": "^0.9.12",
    "q": "^1.0.1",
-    "sanitize-html": "^1.4.3",
+    "sanitize-html": "git://github.com/calzoneman/sanitize-html#5022eb6c",
    "serve-static": "^1.5.3",
    "socket.io": "^1.2.1",
    "yamljs": "^0.1.5"