Ghost/core/client/utils/caja-sanitizers.js
Sebastian Gierlinger d895238571 Add XSS prevention
closes #3387
- added placeholder for <script> and <iframe>
- added google-caja sanitizer
- changed title in posts overview to ‚double-stash‘
2014-07-27 23:03:01 +02:00

29 lines
514 B
JavaScript

/**
* google-caja uses url() and id() to verify if the values are allowed.
*/
var url,
id;
/**
* Check if URL is allowed
* URLs are allowed if they start with http://, https://, or /.
*/
var url = function (url) {
url = url.toString().replace(/['"]+/g, '');
if (/^https?:\/\//.test(url) || /^\//.test(url)) {
return url;
}
};
/**
* Check if ID is allowed
* All ids are allowed at the moment.
*/
var id = function (id) {
return id;
};
export default {
url: url,
id: id
};