added tel number handling for links

2017-11-24 13:57:30 +01:00
parent 7bfd985575
commit 2728bb88f7
4 changed files with 4 additions and 1 deletions
--- a/dist/xss.js
+++ b/dist/xss.js
@@ -159,6 +159,7 @@ function safeAttrValue (tag, name, value, cssFilter) {
    if (!(value.substr(0, 7) === 'http://' ||
         value.substr(0, 8) === 'https://' ||
         value.substr(0, 7) === 'mailto:' ||
+         value.substr(0, 4) === 'tel:' ||
         value[0] === '#' ||
         value[0] === '/')) {
      return '';
--- a/dist/xss.min.js
+++ b/dist/xss.min.js
--- a/lib/default.js
+++ b/lib/default.js
@@ -158,6 +158,7 @@ function safeAttrValue (tag, name, value, cssFilter) {
    if (!(value.substr(0, 7) === 'http://' ||
         value.substr(0, 8) === 'https://' ||
         value.substr(0, 7) === 'mailto:' ||
+         value.substr(0, 4) === 'tel:' ||
         value[0] === '#' ||
         value[0] === '/')) {
      return '';
--- a/test/test_xss.js
+++ b/test/test_xss.js
@@ -209,6 +209,7 @@ describe('test XSS', function () {
    assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
    assert.equal(xss('<a href="https://aa.com">'), '<a href="https://aa.com">');
    assert.equal(xss('<a href="mailto:me@ucdok.com">'), '<a href="mailto:me@ucdok.com">');
+    assert.equal(xss('<a href="tel:0123456789">'), '<a href="tel:0123456789">');
    assert.equal(xss('<a href="#hello">'), '<a href="#hello">');
    assert.equal(xss('<a href="other">'), '<a href>');