Blacklist for LINK and a few more tags

ampproject · Dec 10, 2015 · d60a81c · d60a81c
1 parent 3b050ea
commit d60a81c
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/src/sanitizer.js b/src/sanitizer.js
@@ -17,13 +17,28 @@
 import {htmlSanitizer} from '../third_party/caja/html-sanitizer';
 
 
-/** @const {!Object<string, boolean>} */
+/**
+ * @const {!Object<string, boolean>}
+ * See https://github.com/ampproject/amphtml/blob/master/spec/amp-html-format.md
+ */
 const BLACKLISTED_TAGS = {
+  'applet': true,
+  'audio': true,
+  'base': true,
+  'embed': true,
+  'form': true,
+  'frame': true,
+  'frameset': true,
   'iframe': true,
   'img': true,
+  'input': true,
+  'link': true,
+  'meta': true,
+  'object': true,
   'script': true,
   'style': true,
   'template': true,
+  'video': true,
 };
 
 

diff --git a/test/functional/test-sanitizer.js b/test/functional/test-sanitizer.js
@@ -43,6 +43,13 @@ describe('sanitizeHtml', () => {
     expect(sanitizeHtml('a<img>c')).to.be.equal('ac');
     expect(sanitizeHtml('a<iframe></iframe>c')).to.be.equal('ac');
     expect(sanitizeHtml('a<template></template>c')).to.be.equal('ac');
+    expect(sanitizeHtml('a<frame></frame>c')).to.be.equal('ac');
+    expect(sanitizeHtml('a<video></video>c')).to.be.equal('ac');
+    expect(sanitizeHtml('a<audio></audio>c')).to.be.equal('ac');
+    expect(sanitizeHtml('a<applet></applet>c')).to.be.equal('ac');
+    expect(sanitizeHtml('a<form></form>c')).to.be.equal('ac');
+    expect(sanitizeHtml('a<link></link>c')).to.be.equal('ac');
+    expect(sanitizeHtml('a<meta></meta>c')).to.be.equal('ac');
   });
 
   it('should NOT output security-sensitive markup when nested', () => {