From 9f4d2c7ffb9fad3a47f7f67a63fc1e134ed592bc Mon Sep 17 00:00:00 2001
From: Xaekai
Date: Thu, 7 Jul 2016 04:52:03 -0700
Subject: [PATCH] Add some various harmless tags to the XSS whitelist sub, sup: Closes #579 cite, small: Bootstrap uses these for blockquotes template: Will allow for cleaner channel scripts. Since it's contents are inert it will also allow channel admins to have "comments" in their banner.
---
 package.json | 2 +-
 src/xss.js | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 838072bd..3f39dbaa 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
 "author": "Calvin Montgomery",
 "name": "CyTube",
 "description": "Online media synchronizer and chat",
- "version": "3.17.5",
+ "version": "3.18.1",
 "repository": {
 "url": "http://github.com/calzoneman/sync"
 },
diff --git a/src/xss.js b/src/xss.js
index 5c3fe3c8..a6385f2b 100644
--- a/src/xss.js
+++ b/src/xss.js
@@ -5,6 +5,7 @@ var sanitizeHTML = require("sanitize-html");
 const ALLOWED_TAGS = [
 "button",
 "center",
+ "cite"
 "details",
 "font",
 "h1",
@@ -13,8 +14,12 @@ const ALLOWED_TAGS = [
 "marquee", // It pains me to do this, but a lot of people use it...
 "s",
 "section",
+ "small",
 "span",
- "summary"
+ "sub",
+ "summary",
+ "sup",
+ "template"
 ];

 const ALLOWED_ATTRIBUTES = [
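Review bot: The added `"cite"` entry in the first src/xss.js hunk has no trailing comma, so the array literal reads `"cite" "details",` and JavaScript rejects two adjacent string literals as a syntax error. As shown, src/xss.js would not parse, so anything that requires the sanitizer would fail at load time. The line should be `"cite",`. The ALLOWED_TAGS array opens in this hunk and continues past its last line, so the remaining entries are not visible here.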
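Review bot: The `"template"` entry in the second src/xss.js hunk is justified in the commit message by its contents being inert, but that only holds while the markup stays inside the template element. The message also says it is meant for channel scripts, which presumably clone that content into the live document, where it is no longer inert. The entry is therefore only safe if the sanitizer filters a template's descendants against the same tag and attribute whitelists; a test that sanitizes a disallowed tag and an event-handler attribute nested in a `<template>` would confirm this. I would also record the reasoning beside the entry, as the `marquee` line does: `"template" // for channel scripts/banner "comments"; children must still pass the tag and attribute whitelist`. ALLOWED_TAGS opens before this hunk, so the full list is not visible here.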