Update filter XSS to allow attr href starts with '.' or '/'

jackycute · jackycute · commit f6a995143d4e · 2016-04-20T18:18:52.000+08:00
diff --git a/public/js/render.js b/public/js/render.js
@@ -14,6 +14,12 @@ var filterXSSOptions = {
             return html;
         }
     },
+    onTagAttr: function (tag, name, value, isWhiteAttr) {
+        // allow href starts with '.' or '/'
+        if (isWhiteAttr && name === 'href' && (value.indexOf('.') == 0 || value.indexOf('/') == 0)) {
+            return name + '="' + filterXSS.escapeAttrValue(value) + '"';
+        }
+    },
     onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
         // allow attr start with 'data-' or in the whiteListAttr
         if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
