improve sanitization of img tags

- allow width, height, alt, title attributes in img (fixes element-hq/element-web#4646) - replace disallowed URL schemes with the alt or title attribute (fixes element-hq/element-web#4044) Signed-off-by: Hubert Chathi <hubert@uhoreg.ca>
uhoreg · Jul 24, 2017 · d05c92e · d05c92e
1 parent eb0575d
commit d05c92e
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
@@ -145,7 +145,7 @@ const sanitizeHtmlParams = {
         font: ['color', 'data-mx-bg-color', 'data-mx-color', 'style'], // custom to matrix
         span: ['data-mx-bg-color', 'data-mx-color', 'style'], // custom to matrix
         a: ['href', 'name', 'target', 'rel'], // remote target: custom to matrix
-        img: ['src'],
+        img: ['src', 'width', 'height', 'alt', 'title'],
         ol: ['start'],
         code: ['class'], // We don't actually allow all classes, we filter them in transformTags
     },
@@ -191,7 +191,11 @@ const sanitizeHtmlParams = {
             // because transformTags is used _before_ we filter by allowedSchemesByTag and
             // we don't want to allow images with `https?` `src`s.
             if (!attribs.src.startsWith('mxc://')) {
-                return { tagName, attribs: {}};
+                if (attribs.title || attribs.alt) {
+                    return { tagName: 'span', text: attribs.title || attribs.alt, attribs: {} };
+                } else {
+                    return { tagName, attribs: {}};
+                }
             }
             attribs.src = MatrixClientPeg.get().mxcUrlToHttp(
                 attribs.src,