publish: v1.0.15

dist/xss.js

@@ -58,8 +58,9 @@ function getDefaultWhiteList() {
     header: [],
     hr: [],
     i: [],
-    img: ["src", "alt", "title", "width", "height"],
+    img: ["src", "alt", "title", "width", "height", "loading"],
     ins: ["datetime"],
+    kbd: [],
     li: [],
     mark: [],
     nav: [],
@@ -456,6 +457,7 @@ exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
 exports.StripTagBody = StripTagBody;
 exports.stripCommentTag = stripCommentTag;
 exports.stripBlankChar = stripBlankChar;
+exports.attributeWrapSign = '"';
 exports.cssFilter = defaultCSSFilter;
 exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;
 
@@ -910,6 +912,8 @@ function FilterXSS(options) {
     options.whiteList = DEFAULT.whiteList;
   }
 
+  this.attributeWrapSign = options.singleQuotedAttributeValue === true ? "'" : DEFAULT.attributeWrapSign;
+
   options.onTag = options.onTag || DEFAULT.onTag;
   options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
   options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
@@ -947,6 +951,7 @@ FilterXSS.prototype.process = function (html) {
   var onIgnoreTagAttr = options.onIgnoreTagAttr;
   var safeAttrValue = options.safeAttrValue;
   var escapeHtml = options.escapeHtml;
+  var attributeWrapSign = me.attributeWrapSign;
   var cssFilter = me.cssFilter;
 
   // remove invisible characters
@@ -1000,7 +1005,7 @@ FilterXSS.prototype.process = function (html) {
             // call `safeAttrValue()`
             value = safeAttrValue(tag, name, value, cssFilter);
             if (value) {
-              return name + '="' + value + '"';
+              return name + '=' + attributeWrapSign + value + attributeWrapSign;
             } else {
               return name;
             }