author | ache <ache@ache.one> | 2018-05-19 01:27:07 +0200 |
---|---|---|
committer | ache <ache@ache.one> | 2018-05-19 01:27:07 +0200 |
commit | f7cef8a98a53d064b3373e71d916c7add645d868 (patch) | |
tree | 2a8dc27b3593cdde5d65f8c22676083e36f55fee | |
parent | Configuration specification in the README (diff) |
Fix dangerous DOM event handlers
-rw-r--r-- | index.js | 14 |
1 files changed, 10 insertions, 4 deletions
@@ -112,11 +112,15 @@ function filterAttributes(prop, config, type) {
 let inScope = _ => false;
 switch (scope) {
- case 'none':
+ case 'none': // Plugin is disabled
 break;
 case 'permissive':
 case 'every':
- inScope = _ => true;
+ if (allowDangerousDOMEventHandlers) {
+ inScope = _ => true;
+ } else {
+ inScope = x => !isDangerous(x);
+ }
 break;
 case 'extented':
 inScope = p => extend[type].indexOf(p) >= 0;
@@ -127,10 +131,12 @@ function filterAttributes(prop, config, type) {
 case 'global':
 default:
 inScope = p => (inScope(p) || htmlElemAttr['*'].indexOf(p) >= 0);
+ if (allowDangerousDOMEventHandlers) { // If allowed add dangerous attributes to global scope
+ inScope = p => (inScope(p) || isDangerous(p));
+ }
 }
- /* If the attribut is dangerous and not allowed and not explicitly allowed or not in the scope, delete it */
- const filterFunction = x => (isDangerous(x) && !allowDangerousDOMEventHandlers && !inScope(x)) || !inScope;
+ const filterFunction = x => !inScope(x);
 Object.getOwnPropertyNames(prop).forEach(p => {
 if (filterFunction(p)) { |
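Review bot: In the `'permissive'`/`'every'` branch of the first hunk, the new `inScope = x => !isDangerous(x);` turns the sanitising decision into a deny-list, so any attribute name that `isDangerous` does not recognise is kept. `isDangerous` is defined outside this hunk, so it is worth confirming there that it matches handler names regardless of letter case (HTML attribute names are case-insensitive) and covers every `on*` attribute rather than a fixed list. A comment on the branch would record the intent, e.g. `// permissive still drops DOM event handlers unless allowDangerousDOMEventHandlers is set`. The body of `filterAttributes` starts and ends outside the hunk.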
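Review bot: The added `inScope = p => (inScope(p) || isDangerous(p));` in the `default:` branch of the second hunk calls itself, because the arrow closes over the variable `inScope` rather than the predicate it held before the assignment; the context line just above it has the same shape. Since `filterFunction` is now `x => !inScope(x)`, every attribute handled in this scope reaches that call, so the filter would be expected to end in a stack-overflow `RangeError` instead of returning a verdict. Capture the earlier predicate before reassigning, e.g. `const narrower = inScope;` followed by `inScope = p => narrower(p) || htmlElemAttr['*'].indexOf(p) >= 0 || (allowDangerousDOMEventHandlers && isDangerous(p));`. The switch continues between the two hunks, so any case there that chains `inScope` the same way likely needs the same treatment.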