
Several fixes after great feedback from twitter ++

eoftedal committed Nov 8, 2012
1 parent 55fcc6d commit 6d2bec410bf2c339bfad3bf483f126be7e2074a6
Showing with 9 additions and 2 deletions.
  1. +9 −2 lib/helmet.js
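--- a/lib/helmet.js
+++ b/lib/helmet.js
@@ -37,6 +37,8 @@ var helmet = {
 if (node.nodeValue.indexOf(tag.key) > -1) {
 if (helmet.isScriptTag(node.nodeName) || helmet.isScriptTag(node.parentNode.nodeName)) {
 tag.func = helmet.checkJS(node.nodeValue, tag);
+} else if (helmet.isStyle(node.nodeName) || helmet.isStyle(node.parentNode.nodeName)) {
+tag.func = null; //unsafe
 } else {
 tag.func = "escapeHtml";
 }
@@ -49,6 +51,8 @@ var helmet = {
 if (attr.nodeValue.indexOf(tag.key) > -1) {
 if (helmet.isUri(attr.nodeName)) {
 tag.func = "escapeUri";
+} else if (helmet.isStyle(attr.nodeName)) {
+tag.func = null; //unsafe
 } else if (helmet.isEventHandler(attr.nodeName)) {
 tag.func = helmet.checkJS(attr.nodeValue, tag);
 } else {
@@ -98,7 +102,7 @@ var helmet = {
 return result.join("");
 },
 "escapeUri" : function(data) {
-return window.encodeURIComponent(data);
+return helmet.escapeHtmlAttribute(window.encodeURIComponent(data));
 },
 "unsafe" : function(data) {
 return "unsafe-location";
@@ -110,7 +114,10 @@ var helmet = {
 return (/^on.*$/i).test(name);
 },
 "isUri": function(name) {
-return (/(href|src)/i).test(name);
+return (/(href|src|formaction)/i).test(name);
+},
+"isStyle": function(name) {
+return (/style/i).test(name);
 },
 "isScriptTag" : function(name) {
 return (/script/i).test(name);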
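Review bot: The widened `isUri` pattern `/(href|src|formaction)/i` still does not match the plain `action` attribute of `<form>`, so an action URI containing `tag.key` is not routed to `escapeUri` and instead falls through the later branches of the attribute hunk (`@@ -49,6 +51,8`), whose final `else` lies outside the hunk. Either extend it — `return (/(href|src|action)/i).test(name);` also covers `formaction` as a substring — or add a comment stating why `action` is deliberately excluded. All three predicates are unanchored substring matches, so the new `isStyle` also fires on any name merely containing "style"; that errs on the safe side here because the match only marks the tag unsafe, but a one-line comment such as `// substring match on purpose: anything style-like is treated as unsafe` would stop a later reader from "fixing" it. On the `escapeUri` change, `encodeURIComponent` already percent-encodes `<`, `>`, `&`, `"` and `'`, so `escapeHtmlAttribute` is presumably a no-op on its output unless it escapes additional characters; a short comment explaining the intent of the double call would keep it from being read as a mistake.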
