web/cryptpad
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add some notes for later

Browse Source
This commit is contained in:
ansuz
2017-03-07 14:40:06 +01:00
parent 9ad33574e9
commit 8a48612de2
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
www/pad/main.js
View File

@@ -164,6 +164,16 @@ define([
send scripts over the wire. send scripts over the wire.
*/ */
if (['addAttribute', 'modifyAttribute'].indexOf(info.diff.action) !== -1) { if (['addAttribute', 'modifyAttribute'].indexOf(info.diff.action) !== -1) {
if (info.diff.name === 'href') {
// console.log(info.diff);
var href = info.diff.newValue;
// TODO normalize HTML entities
if (/javascript *: */.test(info.diff.newValue)) {
// TODO remove javascript: links
}
}
if (/^on/.test(info.diff.name)) { if (/^on/.test(info.diff.name)) {
console.log("Rejecting forbidden element attribute with name (%s)", info.diff.name); console.log("Rejecting forbidden element attribute with name (%s)", info.diff.name);
return true; return true;