mirrors/TiddlyWiki5
1
0
Fork 0
mirror of https://github.com/Jermolene/TiddlyWiki5 synced 2024-06-25 23:03:15 +00:00
Code Issues Releases Wiki Activity

Explicitly blacklist unsafe elements, starting with <script>

Browse Source 
Are there are any other elements that might be considered unsafe?
This commit is contained in:
Jermolene 2014-03-19 10:05:44 +00:00
parent 925b3d2a5b
commit ba6edd42c1
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/modules/config.js
View File

@ -37,4 +37,6 @@ exports.htmlVoidElements = "area,base,br,col,command,embed,hr,img,input,keygen,l
exports.htmlBlockElements = "address,article,aside,audio,blockquote,canvas,dd,div,dl,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,hr,li,noscript,ol,output,p,pre,section,table,tfoot,ul,video".split(",");
exports.htmlUnsafeElements = "script".split(",");
})();

7
core/modules/widgets/element.js
View File

@ -30,7 +30,12 @@ ElementWidget.prototype.render = function(parent,nextSibling) {
this.parentDomNode = parent;
this.computeAttributes();
this.execute();
var domNode = this.document.createElementNS(this.namespace,this.parseTreeNode.tag);
// Neuter blacklisted elements
var tag = this.parseTreeNode.tag;
if($tw.config.htmlUnsafeElements.indexOf(tag) !== -1) {
tag = "safe-" + tag;
}
var domNode = this.document.createElementNS(this.namespace,tag);
this.assignAttributes(domNode,{excludeEventAttributes: true});
parent.insertBefore(domNode,nextSibling);
this.renderChildren(domNode,null);