feat: Add <audio crossorigin muted>, <video crossorigin muted playsinline poster> to default whitelist

2021-05-06 13:08:35 +08:00
parent f4c0b29c3f
commit dcf1486845
4 changed files with 31 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@

 - [Fix whitespace bypass #218](https://github.com/leizongmin/js-xss/pull/218/files) by @TomAnthony
 - [Add `<summary>` to default whitelist #216](https://github.com/leizongmin/js-xss/pull/216) by @spacegaier
+- [Add `<figure>` and `<figcaption>` to default whitelist](https://github.com/leizongmin/js-xss/pull/220) by @daraz999
+- Add `<audio crossorigin muted>`, `<video crossorigin muted playsinline poster>` to default whitelist

 ## v1.0.8 (2020-07-27)

--- a/dist/xss.js
+++ b/dist/xss.js
@@ -17,7 +17,15 @@ function getDefaultWhiteList() {
    area: ["shape", "coords", "href", "alt"],
    article: [],
    aside: [],
-    audio: ["autoplay", "controls", "loop", "preload", "src"],
+    audio: [
+      "autoplay",
+      "controls",
+      "crossorigin",
+      "loop",
+      "muted",
+      "preload",
+      "src",
+    ],
    b: [],
    bdi: ["dir"],
    bdo: ["dir"],
@@ -37,6 +45,8 @@ function getDefaultWhiteList() {
    dl: [],
    dt: [],
    em: [],
+    figcaption: [],
+    figure: [],
    font: ["color", "size", "face"],
    footer: [],
    h1: [],
@@ -77,7 +87,11 @@ function getDefaultWhiteList() {
    video: [
      "autoplay",
      "controls",
+      "crossorigin",
      "loop",
+      "muted",
+      "playsinline",
+      "poster",
      "preload",
      "src",
      "height",
--- a/dist/xss.min.js
+++ b/dist/xss.min.js
--- a/lib/default.js
+++ b/lib/default.js
@@ -16,7 +16,15 @@ function getDefaultWhiteList() {
    area: ["shape", "coords", "href", "alt"],
    article: [],
    aside: [],
-    audio: ["autoplay", "controls", "loop", "preload", "src"],
+    audio: [
+      "autoplay",
+      "controls",
+      "crossorigin",
+      "loop",
+      "muted",
+      "preload",
+      "src",
+    ],
    b: [],
    bdi: ["dir"],
    bdo: ["dir"],
@@ -78,7 +86,11 @@ function getDefaultWhiteList() {
    video: [
      "autoplay",
      "controls",
+      "crossorigin",
      "loop",
+      "muted",
+      "playsinline",
+      "poster",
      "preload",
      "src",
      "height",