去掉 iframe 的白名单，防止xss

源码模式下：`<iframe src="javascript::alert(1)"></iframe>`
fex-team · Sep 18, 2017 · 66711ec · 66711ec
1 parent 43a1c94
commit 66711ec
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/umeditor.config.js b/umeditor.config.js
@@ -295,7 +295,7 @@ etpl.config({
 			header: ['style', 'class', 'id'],
 			hr:     ['style', 'class', 'id'],
 			i:      ['style', 'class', 'id'],
-            iframe: ['style', 'class', 'id', 'src', 'frameborder', 'data-latex'],
+//             iframe: ['style', 'class', 'id', 'src', 'frameborder', 'data-latex'],
 			img:    ['src', 'alt', 'title', 'width', 'height', 'style', 'class', 'id', '_url'],
 			ins:    ['datetime', 'style', 'class', 'id'],
 			li:     ['style', 'class', 'id'],