Merge pull request #1801 from umap-project/1796-add-purify-attributes

fix: allow `dir` and `title` attributes
2024-05-07 09:40:27 -04:00 · 2024-05-07 09:40:27 -04:00 · dcad0e1bb2
commit dcad0e1bb2
parent b450acf81d 5b9746066c
2 changed files with 8 additions and 1 deletions
--- a/umap/static/umap/js/modules/utils.js
+++ b/umap/static/umap/js/modules/utils.js
@ -88,7 +88,7 @@ export function escapeHTML(s) {
      'span',
    ],
    ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
-    ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style'],
+    ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style', 'dir', 'title'],
    // Added: `geo:` URL scheme as defined in RFC5870:
    // https://www.rfc-editor.org/rfc/rfc5870.html
    // The base RegExp comes from:
--- a/umap/static/umap/unittests/utils.js
+++ b/umap/static/umap/unittests/utils.js
@ -185,6 +185,13 @@ describe('Utils', function () {
      assert.equal(Utils.escapeHTML('<a href="geo:1,2"></a>'), '<a href="geo:1,2"></a>')
    })

+    it('should not escape dir and title attributes', function () {
+      assert.equal(
+        Utils.escapeHTML('<a title="Title" dir="rtl"></a>'),
+        '<a dir="rtl" title="Title"></a>'
+      )
+    })
+
    it('should not fail with int value', function () {
      assert.equal(Utils.escapeHTML(25), '25')
    })