From d6fc888757f19d14d033747d022e3e045c459ad5 Mon Sep 17 00:00:00 2001
From: Menci
Date: Mon, 17 Apr 2017 00:41:00 +0800
Subject: [PATCH] Fix XSS with href or src
---
 utility.js | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/utility.js b/utility.js
index 1a29c44..4944f22 100644
--- a/utility.js
+++ b/utility.js
@@ -99,6 +99,14 @@ module.exports = {
 if ($(elem).attr('style')) {
 $(elem).attr('style', cssfilter.process($(elem).attr('style')));
 }
+
+ if ($(elem).attr('href') && $(elem).attr('href').startsWith('javascript:')) {
+ $(elem).attr('href', '');
+ }
+
+ if ($(elem).attr('src') && $(elem).attr('src').startsWith('javascript:')) {
+ $(elem).attr('src', '');
+ }
 });
 return $.html();
 };
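Review bot: The two added `startsWith('javascript:')` checks are a case-sensitive, single-scheme denylist, so an `href` or `src` value that differs only in scheme casing or leading whitespace, or that uses another non-navigational scheme, is left untouched even though browsers normalize such values before resolving them. An allowlist of permitted schemes (relative URLs plus `http`, `https`, `mailto`) applied to a trimmed, lower-cased value closes the whole class instead of one spelling, and iterating over `['href', 'src']` removes the duplicated block. This assumes cheerio's `.attr()` yields `undefined` for an absent attribute, as the existing `style` check already relies on — confirm against the version in use. The `each` callback and the exported function both begin before this hunk.
```javascript
// … unchanged: style attribute filtering …
const SAFE_URL_SCHEMES = ['http', 'https', 'mailto'];
for (const attrName of ['href', 'src']) {
  const value = $(elem).attr(attrName);
  if (!value) continue;
  // Browsers ignore surrounding whitespace and scheme case, so normalize before matching.
  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(value.trim());
  if (schemeMatch && !SAFE_URL_SCHEMES.includes(schemeMatch[1].toLowerCase())) {
    $(elem).attr(attrName, '');
  }
}
```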