Revert https://github.com/matrix-org/matrix-react-sdk/pull/333/files since sanitizer blindly allows urls with no scheme, meaning  // links can be used to fetch images over whatever scheme you serve vector over (ie. normally http/https).
pull/21833/head
David Baker 2016-09-21 16:19:41 +01:00
parent b83d1db24a
commit 8ae210cbe2
1 changed files with 2 additions and 4 deletions

View File

@ -87,7 +87,7 @@ var sanitizeHtmlParams = {
// deliberately no h1/h2 to stop people shouting.
'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
'nl', 'li', 'b', 'i', 'u', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div',
'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'img',
'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
],
allowedAttributes: {
// custom ones first:
@ -101,9 +101,7 @@ var sanitizeHtmlParams = {
selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
// URL schemes we permit
allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ],
allowedSchemesByTag: {
img: [ 'data' ],
},
allowedSchemesByTag: {},
transformTags: { // custom to matrix
// add blank targets to all hyperlinks except vector URLs