Explain why we disable caja uri checks on img::src

jupyter · Feb 24, 2016 · 33bafc7 · 33bafc7
1 parent 5deb4b6
commit 33bafc7
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/notebook/static/base/js/security.js b/notebook/static/base/js/security.js
@@ -31,9 +31,11 @@ define([
                 }
             }
         }
-        // TODO(julienr): This is a ugly hack to work around the fact that
-        // by default caja doesn't seem to like base64 src for inline markdown
-        // images. Not sure if we should do that here
+        // Caja doesn't allow data uri for img::src, see
+        // https://github.com/google/caja/issues/1558
+        // This is not a security issue for browser post ie6 though, so we
+        // disable the check
+        // https://www.owasp.org/index.php/Script_in_IMG_tags
         ATTRIBS['img::src'] = 0;
         return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
     };