| author | Igor Minar | 2011-10-20 09:43:00 -0700 | 
|---|---|---|
| committer | Igor Minar | 2011-10-20 09:44:52 -0700 | 
| commit | fabc9f77a3fae10c2b8d9a9ad1541e827cc0390d (patch) | |
| tree | 1baa4300c6abaecb0420e3f7cc9dfc5c24ae6e1f | |
| parent | c17c731fdc9c5d00cc606df19c9b36d51e41a8d7 (diff) | |
| download | angular.js-fabc9f77a3fae10c2b8d9a9ad1541e827cc0390d.tar.bz2 | |
feat(sanitizer): add html5 elements to the whitelist
Closes #89
| -rw-r--r-- | src/sanitizer.js | 48 | 
1 files changed, 31 insertions, 17 deletions
| diff --git a/src/sanitizer.js b/src/sanitizer.js
index eb8ed344..207b1039 100644
--- a/src/sanitizer.js
+++ b/src/sanitizer.js 
@@ -27,25 +27,39 @@ var START_TAG_REGEXP = /^<\s*([\w:-]+)((?:\s+[\w:-]+(?:\s*=\s*(?:(?:"[^"]*")|(?:
   URI_REGEXP = /^((ftp|https?):\/\/|mailto:|#)/,
   NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; // Match everything outside of normal chars and " (quote character)
-// Empty Elements - HTML 4.01
-var emptyElements = makeMap("area,br,col,hr,img");
-
-// Block Elements - HTML 4.01
-var blockElements = makeMap("address,blockquote,center,dd,del,dir,div,dl,dt,"+
-    "hr,ins,li,map,menu,ol,p,pre,script,table,tbody,td,tfoot,th,thead,tr,ul");
-
-// Inline Elements - HTML 4.01
-var inlineElements = makeMap("a,abbr,acronym,b,bdo,big,br,cite,code,del,dfn,em,font,i,img,"+
-    "ins,kbd,label,map,q,s,samp,small,span,strike,strong,sub,sup,tt,u,var");
-// Elements that you can, intentionally, leave open
-// (and which close themselves)
-var closeSelfElements = makeMap("colgroup,dd,dt,li,p,td,tfoot,th,thead,tr");
+
+// Good source of info about elements and attributes
+// http://dev.w3.org/html5/spec/Overview.html#semantics
+// http://simon.html5.org/html-elements
+
+// Safe Void Elements - HTML5
+// http://dev.w3.org/html5/spec/Overview.html#void-elements
+var voidElements = makeMap("area,br,col,hr,img,wbr");
+
+// Elements that you can, intentionally, leave open (and which close themselves)
+// http://dev.w3.org/html5/spec/Overview.html#optional-tags
+var optionalEndTagBlockElements = makeMap("colgroup,dd,dt,li,p,tbody,td,tfoot,th,thead,tr"),
+    optionalEndTagInlineElements = makeMap("rp,rt"),
+    optionalEndTagElements = extend({}, optionalEndTagInlineElements, optionalEndTagBlockElements);
+
+// Safe Block Elements - HTML5
+var blockElements = extend({}, optionalEndTagBlockElements, makeMap("address,article,aside," +
+        "blockquote,caption,center,del,dir,div,dl,figure,figcaption,footer,h1,h2,h3,h4,h5,h6," +
+        "header,hgroup,hr,ins,map,menu,nav,ol,pre,script,section,table,ul"));
+
+// Inline Elements - HTML5
+var inlineElements = extend({}, 
optionalEndTagInlineElements, makeMap("a,abbr,acronym,b,bdi,bdo," +
+        "big,br,cite,code,del,dfn,em,font,i,img,ins,kbd,label,map,mark,q,ruby,rp,rt,s,samp,small," +
+        "span,strike,strong,sub,sup,time,tt,u,var"));
+
+
 // Special Elements (can contain anything)
 var specialElements = makeMap("script,style");
-var validElements = extend({}, emptyElements, blockElements, inlineElements, closeSelfElements);
+
+var validElements = extend({}, voidElements, blockElements, inlineElements, optionalEndTagElements);
 //Attributes that have href and hence need to be sanitized
-var uriAttrs = makeMap("background,href,longdesc,src,usemap");
+var uriAttrs = makeMap("background,cite,href,longdesc,src,usemap");
 var validAttrs = extend({}, uriAttrs, makeMap(
     'abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,'+
     'color,cols,colspan,compact,coords,dir,face,headers,height,hreflang,hspace,'+
@@ -146,11 +160,11 @@ function htmlParser( html, handler ) {
       }
     }
-    if ( closeSelfElements[ tagName ] && stack.last() == tagName ) {
+    if ( optionalEndTagElements[ tagName ] && stack.last() == tagName ) {
       parseEndTag( "", tagName );
     }
-    unary = emptyElements[ tagName ] || !!unary;
+    unary = voidElements[ tagName ] || !!unary;
     if ( !unary )
       stack.push( tagName ); | 
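Review bot: `script` is still listed in the `makeMap(...)` that the comment heads as "Safe Block Elements - HTML5" (the `"header,hgroup,hr,ins,map,menu,nav,ol,pre,script,section,table,ul"` line), and through `blockElements` it lands in `validElements`; whether a `<script>` start tag is actually suppressed appears to depend on the `specialElements` handling in the parser and writer, which lies outside this hunk. If that dependency is intended, either drop `script` from the "safe" list so the whitelist is safe on its own, or put `// script is only tolerated here because specialElements[] suppresses it in the writer; validElements alone does not make it safe` above that line, because a reader of a list labelled "safe" will otherwise take the label at face value. Separately, `rp,rt` are listed twice in `inlineElements`: once via `optionalEndTagInlineElements` and again inside the `makeMap("a,abbr,...,ruby,rp,rt,...")` string, so the literal duplicates can go. As a point of style, the comma-chained `var optionalEndTagBlockElements = ..., optionalEndTagInlineElements = ..., optionalEndTagElements = ...;` would read more clearly as three separate `var` statements, matching the other declarations in this block.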
