allow attribute id in div tag

only-dev-time · Mar 12, 2023 · b2a8e27 · b2a8e27
1 parent 531b163
commit b2a8e27
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/app/utils/SanitizeConfig.js b/src/app/utils/SanitizeConfig.js
@@ -98,7 +98,7 @@ export default ({
 
         // class attribute is strictly whitelisted (below)
         // and title is only set in the case of a phishing warning
-        div: ['class', 'title'],
+        div: ['class', 'title', 'id'],
 
         // style is subject to attack, filtering more below
         td: ['style'],
@@ -183,6 +183,10 @@ export default ({
                 attribs.title === getPhishingWarningMessage()
             )
                 attys.title = attribs.title;
+            // allow intern anchor with attribute 'id' - only if the 'id' begins with 'anchor'
+            if (attribs.id && attribs.id.indexOf('anchor') == 0) {
+                attys.id = attribs.id;
+            }
             return {
                 tagName,
                 attribs: attys,