From d60a81c434eae05627c5d9c8f504a5b175aa87cf Mon Sep 17 00:00:00 2001
From: Dima Voytenko
Date: Thu, 10 Dec 2015 13:43:27 -0800
Subject: [PATCH] Blacklist for LINK and a few more tags
---
src/sanitizer.js | 17 ++++++++++++++++-
test/functional/test-sanitizer.js | 7 +++++++
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/sanitizer.js b/src/sanitizer.js
index 4af4a6717c5f..a030a6a316dc 100644
--- a/src/sanitizer.js
+++ b/src/sanitizer.js
@@ -17,13 +17,28 @@ import {htmlSanitizer} from '../third_party/caja/html-sanitizer';
-/** @const {!Object} */
+/**
+ * @const {!Object}
+ * See https://github.com/ampproject/amphtml/blob/master/spec/amp-html-format.md
+ */
 const BLACKLISTED_TAGS = {
+ 'applet': true,
+ 'audio': true,
+ 'base': true,
+ 'embed': true,
+ 'form': true,
+ 'frame': true,
+ 'frameset': true,
 'iframe': true,
 'img': true,
+ 'input': true,
+ 'link': true,
+ 'meta': true,
+ 'object': true,
 'script': true,
 'style': true,
 'template': true,
+ 'video': true,
 };
diff --git a/test/functional/test-sanitizer.js b/test/functional/test-sanitizer.js
index 3e8cc5d819ed..b18759350af8 100644
--- a/test/functional/test-sanitizer.js
+++ b/test/functional/test-sanitizer.js
@@ -43,6 +43,13 @@ describe('sanitizeHtml', () => {
 expect(sanitizeHtml('ac')).to.be.equal('ac');
 expect(sanitizeHtml('ac')).to.be.equal('ac');
 expect(sanitizeHtml('ac')).to.be.equal('ac');
+ expect(sanitizeHtml('ac')).to.be.equal('ac');
+ expect(sanitizeHtml('ac')).to.be.equal('ac');
+ expect(sanitizeHtml('ac')).to.be.equal('ac');
+ expect(sanitizeHtml('ac')).to.be.equal('ac');
+ expect(sanitizeHtml('a
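Review bot: BLACKLISTED_TAGS is a denylist, so any tag it omits is passed through by default, and the new entries still leave `param` out even though it is the companion of the newly added `object`/`embed` and, as far as I recall, is listed next to them in the AMP spec the new comment links; `source` and `track`, which belong with the newly added `video`/`audio`, are worth checking against that spec at the same time. How the keys are matched is outside this hunk; if the lookup does not lower-case the tag name first, a mixed-case tag will not hit these lowercase keys, so the comment should state the contract, e.g. `* Keys are lowercase tag names; lookups must lower-case the tag first.` Because the object is a module-level constant that every sanitize call consults, freezing it would prevent accidental runtime mutation: `const BLACKLISTED_TAGS = Object.freeze({` with the matching `});` closer. The matching hunk in test/functional/test-sanitizer.js adds one assertion per new tag, but the inline markup in those assertions is not legible in this rendering, so I could not confirm that every new entry is exercised.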
c')).to.be.equal('ac');
+ expect(sanitizeHtml('ac')).to.be.equal('ac');
+ expect(sanitizeHtml('ac')).to.be.equal('ac');
 });
 it('should NOT output security-sensitive markup when nested', () => {