
omit anchors with XSS href via a whitelist in convertToSVG

etpinard committed Dec 10, 2015
1 parent 92a9850 commit d5885957f72e21a25782dc28e2028ffe8debf5ef
Showing with 10 additions and 1 deletion.
  1. +10 −1 src/lib/svg_text_utils.js
@@ -221,6 +221,8 @@ var TAG_STYLES = {
em: 'font-style:italic;font-weight:bold'
};

var PROTOCOLS = ['http:', 'https:', 'mailto'];

var STRIP_TAGS = new RegExp('</?(' + Object.keys(TAG_STYLES).join('|') + ')( [^>]*)?/?>', 'g');

util.plainText = function(_str){
@@ -252,7 +254,14 @@ function convertToSVG(_str){
if(tag === 'a'){
if(close) return '</a>';
else if(extra.substr(0,4).toLowerCase() !== 'href') return '<a>';
else return '<a xlink:show="new" xlink:href' + extra.substr(4) + '>';
else {
var dummyAnchor = document.createElement('a');
dummyAnchor.href = extra.split('href=')[1].replace(/["']/g, '');

if(PROTOCOLS.indexOf(dummyAnchor.protocol) === -1) return '<a>';

return '<a xlink:show="new" xlink:href' + extra.substr(4) + '>';
}
}
else if(tag === 'br') return '<br>';
else if(close) {
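Review bot: The whitelist entry `'mailto'` has no trailing colon, but the anchor's `protocol` property is compared against it (`PROTOCOLS.indexOf(dummyAnchor.protocol)`) and that property includes the colon, so every mailto link now falls through to the bare `<a>`; the list should read `var PROTOCOLS = ['http:', 'https:', 'mailto:'];`. A second mismatch sits between the check on `extra.substr(0,4).toLowerCase()` and the case-sensitive `extra.split('href=')`: an upper-case `HREF=` passes the first test, `split` then yields no second element, and `.replace` throws on `undefined` — splitting case-insensitively, e.g. `extra.split(/href=/i)[1]`, keeps the two in step. Finally, the protocol is validated on the quote-stripped URL but the emitted attribute is still the raw `extra.substr(4)`, so the value that was checked and the value written into the SVG can differ; emitting the validated `dummyAnchor.href` (properly quoted) would close that gap. The enclosing `convertToSVG` starts and ends outside the hunk.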
