修正 issue #41 href默认允许#开头

This commit is contained in:
Zongmin Lei
2015-12-01 22:11:03 +08:00
parent 8df84a1995
commit ac93b2ef4b
2 changed files with 3 additions and 2 deletions

dist/xss.min.js vendored



@@ -150,12 +150,13 @@ function safeAttrValue (tag, name, value, cssFilter) {
if (name === 'href' || name === 'src') {
// 过滤 href 和 src 属性
// 仅允许 http:// | https:// | mailto: | / 开头的地址
// 仅允许 http:// | https:// | mailto: | / | # 开头的地址
value = _.trim(value);
if (value === '#') return '#';
if (!(value.substr(0, 7) === 'http://' ||
value.substr(0, 8) === 'https://' ||
value.substr(0, 7) === 'mailto:' ||
value[0] === '#' ||
value[0] === '/')) {
return '';
}