Ghost/ghost/admin/app/utils/caja-sanitizers.js

/**
 * google-caja uses url() and id() to verify if the values are allowed.
 */

/**
 * Check if URL is allowed
 * URLs are allowed if they start with http://, https://, or /.
 * NOTE: # urls are not allowed as clicking them will break the editor when clicked
 */
let allowedUrl = function (url) {
    url = url.toString().replace(/['"]+/g, '');
    if (/^https?:\/\//.test(url) || /^\//.test(url)) {
        return url;
    }
};

/**
 * Check if ID is allowed
 * All ids are allowed at the moment.
 */
let allowedId = function (id) {
    return id;
};

export default {
    url: allowedUrl,
    id: allowedId
};
Add XSS prevention closes #3387 - added placeholder for <script> and <iframe> - added google-caja sanitizer - changed title in posts overview to ‚double-stash‘ 2014-07-25 14:42:42 +04:00			`/**`
			`* google-caja uses url() and id() to verify if the values are allowed.`
			`*/`
Fixed multiple no-shadow linting errors 2020-06-17 11:35:46 +03:00
Add XSS prevention closes #3387 - added placeholder for <script> and <iframe> - added google-caja sanitizer - changed title in posts overview to ‚double-stash‘ 2014-07-25 14:42:42 +04:00			`/**`
			`* Check if URL is allowed`
			`* URLs are allowed if they start with http://, https://, or /.`
✨ use markdown-it for markdown previews (#690) ✨ use markdown-it for markdown previews no issue - replaces SimpleMDE's default `marked` rendering with `markdown-it` - add ember-browserify and markdown-it plugins 2017-05-15 19:51:19 +03:00			`* NOTE: # urls are not allowed as clicking them will break the editor when clicked`
Add XSS prevention closes #3387 - added placeholder for <script> and <iframe> - added google-caja sanitizer - changed title in posts overview to ‚double-stash‘ 2014-07-25 14:42:42 +04:00			`*/`
Fixed multiple no-shadow linting errors 2020-06-17 11:35:46 +03:00			`let allowedUrl = function (url) {`
Enable JSCS checking on client. Refs #4001 - grunt-jscs@0.8.1 which provides ES6 support. 2014-10-25 01:09:50 +04:00			`url = url.toString().replace(/['"]+/g, '');`
Add XSS prevention closes #3387 - added placeholder for <script> and <iframe> - added google-caja sanitizer - changed title in posts overview to ‚double-stash‘ 2014-07-25 14:42:42 +04:00			`if (/^https?:\/\//.test(url) \|\| /^\//.test(url)) {`
			`return url;`
			`}`
			`};`

			`/**`
			`* Check if ID is allowed`
			`* All ids are allowed at the moment.`
			`*/`
Fixed multiple no-shadow linting errors 2020-06-17 11:35:46 +03:00			`let allowedId = function (id) {`
Add XSS prevention closes #3387 - added placeholder for <script> and <iframe> - added google-caja sanitizer - changed title in posts overview to ‚double-stash‘ 2014-07-25 14:42:42 +04:00			`return id;`
			`};`

			`export default {`
Fixed multiple no-shadow linting errors 2020-06-17 11:35:46 +03:00			`url: allowedUrl,`
			`id: allowedId`
Enable JSCS checking on client. Refs #4001 - grunt-jscs@0.8.1 which provides ES6 support. 2014-10-25 01:09:50 +04:00			`};`