Explicitly blacklist unsafe elements, starting with <script>

Are there are any other elements that might be considered unsafe?
Jermolene · Mar 19, 2014 · ba6edd4 · ba6edd4
1 parent 925b3d2
commit ba6edd4
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/core/modules/config.js b/core/modules/config.js
@@ -37,4 +37,6 @@ exports.htmlVoidElements = "area,base,br,col,command,embed,hr,img,input,keygen,l
 
 exports.htmlBlockElements = "address,article,aside,audio,blockquote,canvas,dd,div,dl,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,hr,li,noscript,ol,output,p,pre,section,table,tfoot,ul,video".split(",");
 
+exports.htmlUnsafeElements = "script".split(",");
+
 })();
diff --git a/core/modules/widgets/element.js b/core/modules/widgets/element.js
@@ -30,7 +30,12 @@ ElementWidget.prototype.render = function(parent,nextSibling) {
 	this.parentDomNode = parent;
 	this.computeAttributes();
 	this.execute();
-	var domNode = this.document.createElementNS(this.namespace,this.parseTreeNode.tag);
+	// Neuter blacklisted elements
+	var tag = this.parseTreeNode.tag;
+	if($tw.config.htmlUnsafeElements.indexOf(tag) !== -1) {
+		tag = "safe-" + tag;
+	}
+	var domNode = this.document.createElementNS(this.namespace,tag);
 	this.assignAttributes(domNode,{excludeEventAttributes: true});
 	parent.insertBefore(domNode,nextSibling);
 	this.renderChildren(domNode,null);