commit
c00ce26d57
13
lib/xss.js
13
lib/xss.js
|
@ -216,6 +216,13 @@ function sanitizeHTML(str) {
|
|||
continue;
|
||||
}
|
||||
for (var k in t.attributes) {
|
||||
// Keys should not contain non-word characters.
|
||||
var k2 = k.replace(/[^\w]/g, "");
|
||||
if (k2 !== k) {
|
||||
t.attributes[k2] = t.attributes[k];
|
||||
delete t.attributes[k];
|
||||
k = k2;
|
||||
}
|
||||
// If it's an evil attribute, just nuke it entirely
|
||||
if (k.match(badAttrs)) {
|
||||
delete t.attributes[k];
|
||||
|
@ -225,12 +232,6 @@ function sanitizeHTML(str) {
|
|||
t.attributes[k] = t.attributes[k].replace(badAttrValues, "[removed]");
|
||||
}
|
||||
|
||||
// Keys should not contain non-word characters.
|
||||
var k2 = k.replace(/[^\w]/g, "");
|
||||
if (k2 !== k) {
|
||||
t.attributes[k2] = t.attributes[k];
|
||||
delete t.attributes[k];
|
||||
}
|
||||
}
|
||||
}
|
||||
// Build the sanitized tag
|
||||
|
|
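Review bot: The new key normalization in the first hunk (`var k2 = k.replace(/[^\w]/g, "")`) can produce an empty key, or a `k2` that collides with an attribute already present, and in both cases the attacker-controlled value silently overwrites `t.attributes[k2]` before the `badAttrs` check runs. Moving the normalization ahead of the evil-attribute check is the right order, but a renamed key should not be allowed to replace an existing one; I would drop such attributes instead of renaming them, e.g. `if (k2 === "" || (k2 !== k && Object.prototype.hasOwnProperty.call(t.attributes, k2))) { delete t.attributes[k]; continue; }` placed before the `t.attributes[k2] = t.attributes[k];` assignment. Note also that `for (var k in t.attributes)` visits inherited enumerable properties and that a key added during enumeration is not guaranteed to be visited, so the `k = k2` reassignment is what keeps the renamed key on the checked path; a comment saying so would help the next reader. The body of sanitizeHTML starts and ends outside both hunks, so I cannot tell how `t.attributes` is built or whether `badAttrs` is anchored.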