 * @class Roo.htmleditor.FilterAttributes
 * Cleans element attributes and inline styles, including URL-bearing attribute values (http://, mailto:, relative paths, etc.).
 * Run a new Attribute Filter
 * @param {Object} config Configuration options
/**
 * Attribute/style filter for the HTML editor.
 *
 * Only the defaulting of the five list-valued options is visible on this
 * page; the lines in between (presumably a `Roo.apply(this, cfg)` and the
 * closing brace) are not shown - confirm against the full file. The
 * prototype declares these fields as `false`, so `|| []` turns an
 * unconfigured option into an empty list.
 *
 * @param {Object} cfg Configuration options; any of the lists below may be
 *   supplied, the rest default to empty arrays.
 */
Roo.htmleditor.FilterAttributes = function(cfg)
    // Attribute names that are always removed (compared lower-cased in replaceTag).
    this.attrib_black = this.attrib_black || [];
    // When non-empty, only these attribute names survive. NOTE(review): an
    // empty list means "no restriction", so the default is permissive - a
    // caller wanting a safe editor must populate this.
    this.attrib_white = this.attrib_white || [];
    // Attributes whose *values* are vetted by cleanAttr (URL-bearing attributes).
    this.attrib_clean = this.attrib_clean || [];
    // Allowed / forbidden CSS property names for the style attribute (see cleanStyle).
    this.style_white = this.style_white || [];
    this.style_black = this.style_black || [];
22 Roo.extend(Roo.htmleditor.FilterAttributes, Roo.htmleditor.Filter,
24 tag: true, // all tags
26 attrib_black : false, // array
/**
 * Filter one element's attributes in place.
 *
 * Per attribute, in this order: drop anything not on attrib_white (when a
 * whitelist is configured), drop every `on*` event-handler attribute, drop
 * attrib_black entries, vet attrib_clean values through cleanAttr, vet
 * `style` through cleanStyle, and drop Word-paste (`Mso*`) and `body`
 * classes. Only the visible lines are shown on this page; the closing
 * braces and the `continue` that presumably follows each removal are not.
 *
 * @param {Node} node element whose attributes are filtered
 * @return {Boolean} true, so the caller goes on to filter the children
 */
replaceTag : function(node)
    // Nothing to do for text nodes or elements without attributes.
    if (!node.attributes || !node.attributes.length) {
    // Walk backwards: removeAttribute shrinks the live attributes collection,
    // so a forward index would skip the attribute following each removal.
    for (var i = node.attributes.length-1; i > -1 ; i--) {
        var a = node.attributes[i];
        // Whitelist mode. An empty attrib_white disables this check entirely.
        if (this.attrib_white.length && this.attrib_white.indexOf(a.name.toLowerCase()) < 0) {
            node.removeAttribute(a.name);
        // Every event-handler attribute (onclick, onerror, onload, ...) is
        // stripped unconditionally - this is the main script-injection guard
        // and does not depend on any configured list.
        if (a.name.toLowerCase().substr(0,2)=='on') {
            node.removeAttribute(a.name);
        if (this.attrib_black.indexOf(a.name.toLowerCase()) > -1) {
            node.removeAttribute(a.name);
        // URL-bearing attributes (href, src, ...) get their value vetted.
        if (this.attrib_clean.indexOf(a.name.toLowerCase()) > -1) {
            this.cleanAttr(node,a.name,a.value); // fixme..
        // NOTE(review): unlike the checks above this compare is case-sensitive.
        // An HTML parser lower-cases attribute names, but an XHTML/XML DOM
        // keeps case, so `STYLE=` would bypass cleanStyle there - confirm the
        // input source, or compare a.name.toLowerCase() like the other checks.
        if (a.name == 'style') {
            this.cleanStyle(node,a.name,a.value);
        /// clean up Microsoft Word paste artifacts
        // technically this should be a list of valid classes..
        // Both patterns are anchored: only a class attribute that *starts* with
        // "Mso" (or is exactly "body") is removed; "foo MsoNormal" survives.
        if (a.name == 'class') {
            if (a.value.match(/^Mso/)) {
                node.removeAttribute('class');
            if (a.value.match(/^body$/)) {
                node.removeAttribute('class');
    return true; // clean children
/**
 * Vet the value of a URL-bearing attribute; anything not matching an
 * allowed shape is removed (deny by default).
 *
 * Allowed shapes: values starting with "." or "/" (relative paths),
 * "http://" / "https://", "mailto:", or "{" (template placeholders). Every
 * pattern is anchored at the start and case-sensitive, and the value is not
 * trimmed, so "javascript:", "data:", " http://" and "HTTP://" all fall
 * through to removal. Only the visible lines are shown; the early returns
 * inside the allow branches are not on this page.
 *
 * NOTE(review): the "/" branch also admits protocol-relative URLs
 * ("//host/path"), so an href/src may still reference an external origin.
 * The "{" branch accepts whatever follows the brace; if a template engine
 * later expands it, the expanded value is not re-filtered by this code.
 *
 * @param {Node} node element owning the attribute
 * @param {String} n attribute name
 * @param {String} v attribute value as read from the DOM
 */
cleanAttr: function(node, n,v)
    // Relative paths.
    if (v.match(/^\./) || v.match(/^\//)) {
    // Absolute web and mail links.
    if (v.match(/^(http|https):\/\//)
        || v.match(/^mailto:/)
    if (v.match(/^\{/)) { // allow template editing.
    // Roo.log("(REMOVE TAG)"+ node.tagName +'.' + n + '=' + v);
    // Default: unrecognised scheme or shape - drop the whole attribute.
    node.removeAttribute(n);
/**
 * Rewrite the style attribute so only acceptable CSS declarations remain.
 *
 * The value is split on ";" into declarations; each property name is the
 * text before the first ":" with whitespace removed, checked against
 * style_black and style_white (as written and lower-cased). Survivors are
 * re-joined and written back, otherwise the attribute is removed. The method
 * continues past the end of this page: the `clean` accumulator, the push of
 * surviving declarations and the closing braces are not shown.
 *
 * NOTE(review): the whitelist test reads a bare `style_white` instead of
 * `this.style_white`. With a non-empty style_white configured, that lookup
 * looks like a ReferenceError unless a global of that name exists - the line
 * should read
 * `this.style_white.indexOf(l) < 0 && this.style_white.indexOf(l.toLowerCase()) < 0`.
 *
 * @param {Node} node element owning the attribute
 * @param {String} n attribute name ('style' when called from replaceTag)
 * @param {String} v raw style text
 */
cleanStyle : function(node, n,v)
    // Legacy IE `expression()` guard. The match is literal and case-sensitive,
    // so `EXPRESSION(` is not caught here; property allow-listing through
    // style_white is the reliable control, not this check.
    if (v.match(/expression/)) { //XSS?? should we even bother..
        node.removeAttribute(n);
    // Naive split: a ";" inside a quoted string or url(...) is also treated
    // as a declaration separator.
    var parts = v.split(/;/);
    // Assumes Roo.each invokes the callback with the filter as `this` (or a
    // scope argument on an elided line); otherwise this.style_black is
    // undefined here - confirm.
    Roo.each(parts, function(p) {
        p = p.replace(/^\s+/g,'').replace(/\s+$/g,'');
        // Property name = text before the first ":" with all whitespace removed.
        var l = p.split(':').shift().replace(/\s+/g,'');
        l = l.replace(/^\s+/g,'').replace(/\s+$/g,'');
        // Blacklist: matched as written and lower-cased.
        if ( this.style_black.length && (this.style_black.indexOf(l) > -1 || this.style_black.indexOf(l.toLowerCase()) > -1)) {
        // only allow whitelisted style properties (see NOTE(review) above
        // about the missing `this.`)
        if ( this.style_white.length && style_white.indexOf(l) < 0 && style_white.indexOf(l.toLowerCase()) < 0 ) {
    // Presumably guarded by `if (clean.length)` on an elided line: write the
    // surviving declarations back, otherwise drop the attribute entirely.
    node.setAttribute(n, clean.join(';'));
    node.removeAttribute(n);