Add comment

pull/21833/head
Luke Barnard 2017-07-10 17:48:01 +01:00
parent 6877b99435
commit dfa97e8452
1 changed files with 3 additions and 0 deletions


@ -184,6 +184,9 @@ const sanitizeHtmlParams = {
return { tagName: tagName, attribs : attribs }; return { tagName: tagName, attribs : attribs };
}, },
'img': function(tagName, attribs) { 'img': function(tagName, attribs) {
// Strip out imgs that aren't `mxc` here instead of using allowedSchemesByTag
// because transformTags is used _before_ we filter by allowedSchemesByTag and
// we don't want to allow images with `https?` `src`s.
if (!attribs.src.startsWith('mxc://')) { if (!attribs.src.startsWith('mxc://')) {
return { tagName, attribs: {}}; return { tagName, attribs: {}};
} }
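Review bot: The guard `if (!attribs.src.startsWith('mxc://')) {` under the new comment dereferences `attribs.src` without checking that it is present, so an `<img>` tag with no `src` attribute would presumably throw a TypeError inside the transform rather than being stripped. Because this handler is part of the sanitizer, it should fail closed on a missing value: `if (!attribs.src || !attribs.src.startsWith('mxc://')) {`. The added comment could also note that returning empty `attribs` is what drops the `src`, for example `// Returning empty attribs removes the src, leaving an inert <img>.` The `img` handler's body continues past the end of the hunk, so whether an exception here is caught further up is not visible.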