Add <figure> and <figcaption> to default whitelist

leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist

http://jsxss.com

Other

5.19k stars 630 forks source link

Add <figure> and <figcaption> to default whitelist #220

Closed daraz999 closed 3 years ago

daraz999 commented 3 years ago

Figure https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure
Figcaption https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figcaption

Most RSS feeds are using these tags to wrap around media content. I propose to add these tags to the default whitelist because they don't require any attribute and do not open any XSS vulnerability

leizongmin commented 3 years ago

I have published a new version xss@1.0.9 including the following changes:

Fix whitespace bypass #218 by @TomAnthony
Add <summary> to default whitelist #216 by @spacegaier
Add <figure> and <figcaption> to default whitelist by @daraz999
Add <audio crossorigin muted>, <video crossorigin muted playsinline poster> to default whitelist
Add <strike> to default whitelist
Fix: typings IWhiteList allow any tag name
Fix: typings onTag options