Merge pull request #491 from matrix-org/dbkr/revert_333

Revert #333
2016-09-21 16:48:18 +01:00 · 2016-09-21 16:48:18 +01:00 · da88dc53ee
parent b83d1db24a 5fff3bdf24
commit da88dc53ee
1 changed files with 6 additions and 4 deletions
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@ -87,7 +87,7 @@ var sanitizeHtmlParams = {
        // deliberately no h1/h2 to stop people shouting.
        'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
        'nl', 'li', 'b', 'i', 'u', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div',
-        'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'img',
+        'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
    ],
    allowedAttributes: {
        // custom ones first:
@ -101,9 +101,11 @@ var sanitizeHtmlParams = {
    selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
    // URL schemes we permit
    allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ],
-    allowedSchemesByTag: {
-        img: [ 'data' ],
-    },
+
+    // DO NOT USE. sanitize-html allows all URL starting with '//'
+    // so this will always allow links to whatever scheme the
+    // host page is served over.
+    allowedSchemesByTag: {},

    transformTags: { // custom to matrix
        // add blank targets to all hyperlinks except vector URLs