added support for src embedded image, ftp and relative urls

Those can't contain playloads. Reference to the issue #174
2020-02-09 00:24:43 +01:00
parent 53ba52a599
commit 07ac8b16c1
1 changed files with 5 additions and 0 deletions
--- a/lib/default.js
+++ b/lib/default.js
@@ -159,6 +159,11 @@ function safeAttrValue(tag, name, value, cssFilter) {
        value.substr(0, 8) === "https://" ||
        value.substr(0, 7) === "mailto:" ||
        value.substr(0, 4) === "tel:" ||
+        value.substr(0, 4) === "tel:" ||
+        value.substr(0, 11) === "data:image/" ||
+        value.substr(0, 6) === "ftp://" ||
+        value.substr(0, 2) === "./" ||
+        value.substr(0, 2) === "../" ||
        value[0] === "#" ||
        value[0] === "/"
      )