feat: Add <audio crossorigin muted>, `<video crossorigin muted play…

…sinline poster>` to default whitelist
leizongmin · May 6, 2021 · dcf1486 · dcf1486
1 parent f4c0b29
commit dcf1486
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@
 
 - [Fix whitespace bypass #218](https://github.com/leizongmin/js-xss/pull/218/files) by @TomAnthony
 - [Add `<summary>` to default whitelist #216](https://github.com/leizongmin/js-xss/pull/216) by @spacegaier
+- [Add `<figure>` and `<figcaption>` to default whitelist](https://github.com/leizongmin/js-xss/pull/220) by @daraz999
+- Add `<audio crossorigin muted>`, `<video crossorigin muted playsinline poster>` to default whitelist
 
 ## v1.0.8 (2020-07-27)
 

diff --git a/dist/xss.js b/dist/xss.js
@@ -17,7 +17,15 @@ function getDefaultWhiteList() {
     area: ["shape", "coords", "href", "alt"],
     article: [],
     aside: [],
-    audio: ["autoplay", "controls", "loop", "preload", "src"],
+    audio: [
+      "autoplay",
+      "controls",
+      "crossorigin",
+      "loop",
+      "muted",
+      "preload",
+      "src",
+    ],
     b: [],
     bdi: ["dir"],
     bdo: ["dir"],
@@ -37,6 +45,8 @@ function getDefaultWhiteList() {
     dl: [],
     dt: [],
     em: [],
+    figcaption: [],
+    figure: [],
     font: ["color", "size", "face"],
     footer: [],
     h1: [],
@@ -77,7 +87,11 @@ function getDefaultWhiteList() {
     video: [
       "autoplay",
       "controls",
+      "crossorigin",
       "loop",
+      "muted",
+      "playsinline",
+      "poster",
       "preload",
       "src",
       "height",