leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

img src processed to empty #280

Open wcnjeusr opened 1 year ago

wcnjeusr commented 1 year ago

`<img src="test.png">` processed result is `<img src>`

Kolobok12309 commented 1 year ago

If you make the path absolute, `<img src="/test.png">`, or add a protocol, it works: `<img src="http://example.com/text.png">`

But it does not work for blobs, for example `<img src="blob:http://localhost:3000/396578e2-1e38-450a-a947-deb08d786d2d">` #264

wcnjeusr commented 1 year ago

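Using onTagAttr temporarily solved this, for example:

```javascript
const options = {
  onTagAttr: function (tag, name, value, isWhiteAttr) {
    // Keep an img src value as written when it contains no double quote
    if (tag === 'img' && name === 'src') {
      if (value.indexOf('"') === -1) {
        return `${name}="${value}"`;
      }
    }
  }
};
```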
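A narrower variant of the workaround above, as an added example that is not from the thread or from js-xss: the posted handler keeps any `src` without a double quote, while this one keeps only bare relative paths and `blob:` URLs and returns nothing otherwise, so the library's default handling still applies. The function names and both patterns are assumptions to adapt to your own policy.

```javascript
// Added example, not js-xss code. Handles only the two src forms raised in
// this thread and defers every other value to the library's default filter.

// Constructed allow-patterns (assumptions). Neither permits a quote, angle
// bracket, whitespace or backslash, and RELATIVE_PATH permits no ':' so a
// value carrying its own scheme can never match it.
const RELATIVE_PATH =
  /^[A-Za-z0-9_~.%-][A-Za-z0-9_~.%\/-]*(\?[A-Za-z0-9_~.%&=+-]*)?$/;
const BLOB_URL = /^blob:https?:\/\/[A-Za-z0-9.:\/-]+$/i;

// Escape the characters that matter inside a double-quoted attribute value.
function escapeAttrValue(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Pass as the onTagAttr option: xss(html, { onTagAttr: imgSrcOnTagAttr })
function imgSrcOnTagAttr(tag, name, value, isWhiteAttr) {
  // Only act on whitelisted <img src>; everything else is left to js-xss.
  if (!isWhiteAttr || tag !== 'img' || name !== 'src') return undefined;

  const url = value.trim();
  if (RELATIVE_PATH.test(url) || BLOB_URL.test(url)) {
    return `${name}="${escapeAttrValue(url)}"`;
  }
  // No match: return nothing so the default attribute handling runs.
  return undefined;
}
```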