path: root/web-ui/app/js/lib/html_whitelister.js
/*
 * Copyright (c) 2014 ThoughtWorks, Inc.
 *
 * Pixelated is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Pixelated is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 */
/*global _ */

'use strict';

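define(['lib/html-sanitizer'], function (htmlSanitizer) {
  // Allowlist of tag name -> attribute names that may be kept on that tag.
  // A tag that is not an own key of this object is rejected by tagPolicy.
  //
  // NOTE(review): this module filters attribute NAMES only. The values of
  // 'href' and 'style' are passed through unchanged here, so URL-scheme and
  // CSS checks must happen elsewhere (unless lib/html-sanitizer applies them
  // itself - confirm). 'form' and 'input' are also allowed, which lets
  // sanitized content render input fields; confirm that is intended.
  var tagAndAttributeWhitelist = {
    'p': ['style'],
    'div': ['style'],
    'a': ['href', 'style'],
    'span': ['style'],
    'font': ['face', 'size', 'style'],
    'img': ['title'],
    'em': [],
    'b': [],
    'strong': ['style'],
    'table': ['style'],
    'tr': ['style'],
    'td': ['style'],
    'th': ['style'],
    'tbody': ['style'],
    'thead': ['style'],
    'dt': ['style'],
    'dd': ['style'],
    'dl': ['style'],
    'h1': ['style'],
    'h2': ['style'],
    'h3': ['style'],
    'h4': ['style'],
    'h5': ['style'],
    'h6': ['style'],
    'br': [],
    'blockquote': ['style'],
    'label': ['style'],
    'form': ['style'],
    'ol': ['style'],
    'ul': ['style'],
    'li': ['style'],
    'input': ['style', 'type', 'name', 'value']
  };

  var hasOwn = Object.prototype.hasOwnProperty;

  /**
   * Looks up the allowed attribute names for a tag.
   *
   * Uses an own-property check so that names inherited from
   * Object.prototype (for example 'constructor') are never treated as
   * allowlisted tags.
   *
   * @param {string} tagName - tag name to look up.
   * @returns {?Array.<string>} allowed attribute names, or null when the tag
   *   is not allowlisted.
   */
  function allowedAttributesFor (tagName) {
    return hasOwn.call(tagAndAttributeWhitelist, tagName) ?
      tagAndAttributeWhitelist[tagName] : null;
  }

  /**
   * Keeps only the allowlisted attributes of a tag.
   *
   * @param {string} tagName - tag the attributes belong to.
   * @param {Array} attributes - flat list of alternating attribute names and
   *   values: [name0, value0, name1, value1, ...].
   * @returns {Array} flat name/value list holding only the allowed pairs.
   */
  function filterAllowedAttributes (tagName, attributes) {
    var i, attributesAndValues = [];
    var allowed = allowedAttributesFor(tagName);

    if (!allowed) {
      return attributesAndValues;
    }

    // Step over name/value PAIRS. Advancing one element at a time would test
    // attribute values against the allowlist as if they were names, so a
    // value equal to an allowed name would be emitted as an attribute whose
    // value is the following, unchecked element.
    for (i = 0; i + 1 < attributes.length; i += 2) {
      if (_.contains(allowed, attributes[i])) {
        attributesAndValues.push(attributes[i]);
        attributesAndValues.push(attributes[i + 1]);
      }
    }

    return attributesAndValues;
  }

  /**
   * Tag policy callback handed to the sanitizer.
   *
   * @param {string} tagName - tag being inspected.
   * @param {Array} attributes - flat name/value list for that tag.
   * @returns {?{tagName: string, attribs: Array}} null for a tag that is not
   *   allowlisted, otherwise the tag with its filtered attributes.
   */
  function tagPolicy (tagName, attributes) {
    if (!allowedAttributesFor(tagName)) {
      return null;
    }

    return {
      tagName: tagName,
      attribs: filterAllowedAttributes(tagName, attributes)
    };
  }

  return {
    tagPolicy: tagPolicy,
    sanitize: htmlSanitizer.html.sanitizeWithPolicy
  };
});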