fix regex misinterpreting tag name in badly formed HTML, prevent rich
content from ever using dangerous tags
This commit is contained in:
parent
22c3012e1c
commit
00b47e1673
@ -149,7 +149,9 @@ export default {
|
||||
// Handle tag nodes
|
||||
if (Array.isArray(item)) {
|
||||
const [opener, children, closer] = item
|
||||
const Tag = getTagName(opener)
|
||||
let Tag = getTagName(opener)
|
||||
if (Tag === 'script') Tag = 'js-exploit'
|
||||
if (Tag === 'style') Tag = 'css-exploit'
|
||||
const fullAttrs = getAttrs(opener, () => true)
|
||||
const attrs = getAttrs(opener)
|
||||
const previouslyMentions = currentMentions !== null
|
||||
|
@ -5,7 +5,7 @@
|
||||
* @return {String} - tagname, i.e. "div"
|
||||
*/
|
||||
export const getTagName = (tag) => {
|
||||
const result = /(?:<\/(\w+)>|<(\w+)\s?.*?\/?>)/gi.exec(tag)
|
||||
const result = /(?:<\/(\w+)>|<(\w+)\s?.*?\/?>)/gis.exec(tag)
|
||||
return result && (result[1] || result[2])
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user