File tree Expand file tree Collapse file tree 2 files changed +17
-1
lines changed
app/code/Magento/Security/view/base/web/js
dev/tests/js/jasmine/tests/app/code/Magento/Security/view/base/web/js Expand file tree Collapse file tree 2 files changed +17
-1
lines changed Original file line number Diff line number Diff line change @@ -157,7 +157,8 @@ define([], function () {
157157 attribute = treeWalker . currentNode . attributes [ i ] ;
158158 nodeName = treeWalker . currentNode . nodeName . toLowerCase ( ) ;
159159
160- if ( this . generallyAllowedAttributes . indexOf ( attribute . name ) === - 1 || // eslint-disable-line max-depth,max-len
160+ if ( this . generallyAllowedAttributes . indexOf ( attribute . name ) === - 1 || // eslint-disable-line max-depth,max-len
161+ this . _checkHrefValue ( attribute ) ||
161162 this . forbiddenAttributesByElement [ nodeName ] &&
162163 this . forbiddenAttributesByElement [ nodeName ] . indexOf ( attribute . name ) !== - 1
163164 ) {
@@ -169,6 +170,16 @@ define([], function () {
169170 attributesToRemove . forEach ( function ( attributeToRemove ) {
170171 attributeToRemove . ownerElement . removeAttribute ( attributeToRemove . name ) ;
171172 } ) ;
173+ } ,
174+
175+ /**
176+ * Check that attribute contains script content
177+ *
178+ * @param {Object } attribute
179+ * @private
180+ */
181+ _checkHrefValue : function ( attribute ) {
182+ return attribute . nodeName === 'href' && attribute . nodeValue . startsWith ( 'javascript' ) ;
172183 }
173184 } ;
174185} ) ;
Original file line number Diff line number Diff line change @@ -131,6 +131,11 @@ define([
131131 data : '<spa>n id="id1">Some string</span>' ,
132132 expected : 'n id="id1">Some string' ,
133133 allowedTags : [ 'span' ]
134+ } ,
135+ 'link with script content' : {
136+ data : '<a href="javascript:void">Click</a>' ,
137+ expected : '<a>Click</a>' ,
138+ allowedTags : [ 'a' ]
134139 }
135140 } ;
136141 }
You can’t perform that action at this time.
0 commit comments