应用实例：允许标签以data-开头的属性

2014-02-13 16:46:37 +08:00
parent 5c46660e43
commit 0c27ec8163
2 changed files with 45 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -188,7 +188,25 @@ function safeAttrValue (tag, name, value) {
 ### 允许标签以data-开头的属性

 ```JavaScript
-// 待续
+var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>';
+var html = xss(source, {
+  onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
+    if (name.substr(0, 5) === 'data-') {
+      // 通过内置的escapeAttrValue函数来对属性值进行转义
+      return name + '="' + xss.escapeAttrValue(value) + '"';
+    }
+  }
+});
+
+console.log('%s\nconvert to:\n%s', source, html);
+```
+
+运行结果：
+
+```
+<div a="1" b="2" data-a="3" data-b="4">hello</div>
+convert to:
+<div data-a="3" data-b="4">hello</div>
 ```

 ### 允许名称以x开头的标签
--- a/example/allows_attr_prefix.js
+++ b/example/allows_attr_prefix.js
@@ -0,0 +1,26 @@
+/**
+ * 应用实例：允许标签以data-开头的属性
+ *
+ * @author 老雷<leizongmin@gmail.com>
+ */
+
+var xss = require('../');
+
+var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>';
+var html = xss(source, {
+  onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
+    if (name.substr(0, 5) === 'data-') {
+      // 通过内置的escapeAttrValue函数来对属性值进行转义
+      return name + '="' + xss.escapeAttrValue(value) + '"';
+    }
+  }
+});
+
+console.log('%s\nconvert to:\n%s', source, html);
+
+/*
+运行结果：
+<div a="1" b="2" data-a="3" data-b="4">hello</div>
+convert to:
+<div data-a="3" data-b="4">hello</div>
+*/