From: Jason Woofenden
Date: Sun, 13 Mar 2016 04:09:18 +0000 (-0500)
Subject: block bogus and javascripty attributes
X-Git-Url: https://jasonwoof.com/gitweb/?p=peach-html5-editor.git;a=commitdiff_plain;h=de7ea41e62923186961069c83372e2525b42d707
block bogus and javascripty attributes
---
diff --git a/editor.coffee b/editor.coffee
index efc218f..b78f6a0 100644
--- a/editor.coffee
+++ b/editor.coffee
@@ -19,6 +19,11 @@ overlay_padding = 10
 timeout = (ms, cb) ->
 return setTimeout cb, ms
+# xml 1.0 says:
+valid_attr_regex = new RegExp '^[a-zA-Z_:][-a-zA-Z0-9_:.]*$'
+# html5 spec is much more lax, but chromium won't let me make at attribute with the name "4"
+js_attr_regex = new RegExp '^[oO][nN].'
+
 debug_dot_at = (doc, x, y) ->
 return # disabled
 el = doc.createElement 'div'
@@ -301,7 +306,9 @@ instantiate_tree = (tree, parent) ->
 c.el = parent.ownerDocument.createElement c.name
 for k, v of c.attrs
 # FIXME if attr_whitelist[k]?
- c.el.setAttribute k, v
+ if valid_attr_regex.test k
+ unless js_attr_regex.test k
+ c.el.setAttribute k, v
 parent.appendChild c.el
 if c.children.length
 instantiate_tree c.children, c.el
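Review bot: The comment `# html5 spec is much more lax, ...` sits directly above `js_attr_regex` but describes `valid_attr_regex`, and `js_attr_regex` has no comment of its own saying why it exists. Move that comment up beside `valid_attr_regex` and give the second pattern its own line, for example `# event-handler attributes (onclick, onload, ...) carry script, so they are never copied from parsed input`. The `# xml 1.0 says:` comment should also state that the pattern is only the ASCII subset of the XML Name production, so attribute names with non-ASCII characters are dropped.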
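Review bot: The new guard in `instantiate_tree` tests only the attribute name `k`; the value `v` still reaches `setAttribute` unchecked, so URL-bearing attributes such as `href`, `src` or `formaction` with a `javascript:` value, and also `style` and `srcdoc`, pass both regexes. A denylist of `on*` names is hard to keep complete, so the allowlist hinted at by the `# FIXME if attr_whitelist[k]?` line just above is the sturdier fix, paired with a scheme check on the values of URL attributes. Until then the two nested tests read more clearly as one condition, `if valid_attr_regex.test(k) and not js_attr_regex.test(k)`. The function starts and ends outside the hunk, so whether the element name passed to `createElement c.name` is filtered elsewhere cannot be seen from here.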