From de7ea41e62923186961069c83372e2525b42d707 Mon Sep 17 00:00:00 2001 From: Jason Woofenden Date: Sat, 12 Mar 2016 23:09:18 -0500 Subject: [PATCH] block bogus and javascripty attributes --- editor.coffee | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/editor.coffee b/editor.coffee index efc218f..b78f6a0 100644 --- a/editor.coffee +++ b/editor.coffee @@ -19,6 +19,11 @@ overlay_padding = 10 timeout = (ms, cb) -> return setTimeout cb, ms +# xml 1.0 says: +valid_attr_regex = new RegExp '^[a-zA-Z_:][-a-zA-Z0-9_:.]*$' +# html5 spec is much more lax, but chromium won't let me make at attribute with the name "4" +js_attr_regex = new RegExp '^[oO][nN].' + debug_dot_at = (doc, x, y) -> return # disabled el = doc.createElement 'div' @@ -301,7 +306,9 @@ instantiate_tree = (tree, parent) -> c.el = parent.ownerDocument.createElement c.name for k, v of c.attrs # FIXME if attr_whitelist[k]? - c.el.setAttribute k, v + if valid_attr_regex.test k + unless js_attr_regex.test k + c.el.setAttribute k, v parent.appendChild c.el if c.children.length instantiate_tree c.children, c.el -- 1.7.10.4
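Review bot: `js_attr_regex` has no comment of its own in the first hunk; the line above it ("html5 spec is much more lax…") is about which names are valid and reads as a continuation of the `valid_attr_regex` remark. I would put `# event-handler attributes (onclick, onload, ...): any name starting with "on", case-insensitive` directly above `js_attr_regex` and move the html5/chromium remark up beside the xml 1.0 line. The xml comment could also say that the pattern is an ASCII-only subset of the XML 1.0 Name production, e.g. `# xml 1.0 Name, ASCII subset:`. As a matter of style, regex literals (`/^on./i`) would be shorter than `new RegExp` on a string.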
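Review bot: In the `instantiate_tree` hunk only the attribute name `k` is filtered, and the value `v` reaches `setAttribute` unchecked. URL-valued attributes (`href`, `src`, `action`, `formaction`, `xlink:href`, which `valid_attr_regex` accepts because it allows `:`), `srcdoc` and `style` can therefore still carry script if `c.attrs` ever comes from untrusted markup. The `# FIXME if attr_whitelist[k]?` on the line above is the sturdier fix: an allowlist of names plus a scheme check on the URL-valued ones, with the `on*` test kept as a backstop. `c.name` appears to go to `createElement` unfiltered in the context line, so the element name likely needs the same allowlist treatment. The two nested tests can be one condition, `if valid_attr_regex.test(k) and not js_attr_regex.test(k)`; the function body starts and ends outside the hunk.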