block bogus and javascripty attributes
authorJason Woofenden <jason@jasonwoof.com>
Sun, 13 Mar 2016 04:09:18 +0000 (23:09 -0500)
committerJason Woofenden <jason@jasonwoof.com>
Sun, 13 Mar 2016 04:09:18 +0000 (23:09 -0500)
editor.coffee

index efc218f..b78f6a0 100644 (file)
@@ -19,6 +19,11 @@ overlay_padding = 10
 
 timeout = (ms, cb) -> return setTimeout cb, ms
 
+# xml 1.0 says:
+valid_attr_regex = new RegExp '^[a-zA-Z_:][-a-zA-Z0-9_:.]*$'
+# html5 spec is much more lax, but chromium won't let me make at attribute with the name "4"
+js_attr_regex = new RegExp '^[oO][nN].'
+
 debug_dot_at = (doc, x, y) ->
        return # disabled
        el = doc.createElement 'div'
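Review bot: The comments on the two new regexes do not say what each one is used for, and `# xml 1.0 says:` trails off without stating the rule. `valid_attr_regex` is the ASCII-only subset of the XML 1.0 Name production, so a comment such as `# ASCII subset of the XML 1.0 Name production; other attribute names are dropped` would state that. `js_attr_regex` could carry `# on* event-handler attributes (onclick, onload, ...), never copied into the DOM`. The second comment also has a typo, "at attribute" for "an attribute". A regex literal with the `i` flag, `js_attr_regex = /^on./i`, would read more directly than the `[oO][nN]` classes.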
@@ -301,7 +306,9 @@ instantiate_tree = (tree, parent) ->
                                c.el = parent.ownerDocument.createElement c.name
                                for k, v of c.attrs
                                        # FIXME if attr_whitelist[k]?
-                                       c.el.setAttribute k, v
+                                       if valid_attr_regex.test k
+                                               unless js_attr_regex.test k
+                                                       c.el.setAttribute k, v
                                parent.appendChild c.el
                                if c.children.length
                                        instantiate_tree c.children, c.el
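Review bot: Filtering on the attribute name alone at the `setAttribute` call leaves script-capable attributes that do not start with `on` untouched: the value `v` is never inspected, so URL-bearing attributes such as `href` or `src` with a `javascript:` value, and `srcdoc`, still reach the DOM. The FIXME just above already points at the sturdier design, an allowlist of known-safe names, e.g. `continue unless attr_whitelist[k]?` (assuming `attr_whitelist` is defined elsewhere in the file), with a scheme check on the URL-valued entries. `c.name` is passed to `createElement` unfiltered on the context line above, so the element name likely needs the same treatment. instantiate_tree starts and ends outside this hunk, so its callers and any earlier sanitising are not visible here.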