Bootstrap 3.4.1 sanitizer: allow progress-bar inside a popover
Bootstrap 3.4.1 and 4.3.1 now comes with a sanitizer to perform XSS prevention.
I'm trying to allow all the necessary attributes to render a progress bar inside the popover of an AdminLTE based on bootstrap 3.4.1.
With .popover({sanitize: false}); everything works as expected:
With a custom sanitizer whitelist, as specified on the bootstrap docs, the progress bar is't displayed:
This is the custom whitelist:
var myDefaultWhiteList = $.fn.popover.Constructor.DEFAULTS.whiteList;
myDefaultWhiteList.div = ['role', 'aria-valuenow', 'aria-valuemin', 'aria-valuemax'];
myDefaultWhiteList.span = ['class'];
myDefaultWhiteList.table = ['class'];
myDefaultWhiteList.tbody = [];
myDefaultWhiteList.tr = [];
myDefaultWhiteList.td = ['colspan'];
console.log(myDefaultWhiteList);
$(function () {
$('[data-toggle="popover"]').popover({
whiteList: myDefaultWhiteList
});
});
And this is the content of my popover:
<div class="progress progress-sm active">
<div class="progress-bar progress-bar-success progress-bar-striped" role="progressbar"
aria-valuenow="6" aria-valuemin="0"
aria-valuemax="10"
style="width: 60%">
<span class="sr-only">6/10</span>
</div>
</div>
<div class="no-padding">
<table class="table table-condensed therapy-popover-table">
<tbody>
<tr>
<td>Protocollo N°</td>
<td>837-2019PC</td>
</tr>
<tr>
<td>Codice prescrizione</td>
<td>93xxxx1</td>
</tr>
<tr>
<td>Prescrizione</td>
<td><small>IDROCHINESITERAPIA INDIVIDUALE (9xxxx1) (30')</small></td>
</tr>
<tr>
<td>Data evento lesivo</td>
<td>10/09/2019</td>
</tr>
<tr>
<td>Data prescrizione</td>
<td>10/09/2019</td>
</tr>
<tr>
<td>Priorità</td>
<td>Breve</td>
</tr>
<tr>
<td>Tipo prestazione</td>
<td>Privato</td>
</tr>
<tr>
<td colspan="2"><a href="/prescription/update/2602"><i class="fa fa-share-square"></i> Vai alla prescrizione</a></td>
</tr>
</tbody>
</table>
</div>
Does anyone experienced a problem with bootstrap sanitizer and custom whitelist? In my, everything works (tables, colspan attributes, etc...) except the progress bar...
Solution
I forgot the style attribute.
So the right role is:
myDefaultWhiteList.div = ['style'];
because 'role', 'aria-valuenow', 'aria-valuemin', 'aria-valuemax' are already defined in the default whitelist.
- beforeunload workaround using preventDefault to do a GET request
- Is it possible to get Icecast metadata from HTML5 audio element?
- Fetch Response.json Bad Escape Character Error
- LeetCode - 23. Merge k Sorted Lists algo issue
- Proper way in JavaScript to compare two DOM elements and remove duplicates created by appendChild in loop?
- ionic - `slot` attributes are deprecated - eslint-plugin-vue
- Deploy/update file without functions in it - Firebase Functions
- Get all non-unique values (i.e.: duplicate/more than one occurrence) in an array
- Jquery slider attach with Mouse event
- Replace a Regex capture group with uppercase in Javascript
- Javascript - Remove Special characters and associated strings in Json object
- Profiling Javascript JIT in Firefox
- logStringMessage function inside Firefox extension
- using Prompt to add a value to function
- Possible to add code blocks to <textarea> tags, without using libraries?
- What's the most straightforward way to copy an ArrayBuffer object?
- How to add prefix to input?
- JavaScript Date set not working as expected
- webRTC: How to detect audio/video presence in Stream?
- How do I make HTML code using typescript?
- How to update bootstrap popover text?
- Define a web component inside another web component without polluting global namespace
- TypeError: Class extends value undefined is not a constructor or null (svelte redis)
- Disable every non checked checkbox
- Codility - min average slice
- JavaScript new Date() returning server time offset in Blazor Server app
- Top-level ‘await’ expressions are only allowed when the ‘module’ option is set to ‘esnext'
- Firestore Security Rules: Getting all docs with field-specific "where"-query
- Determining origin of cookie which javascript or tracking pixel
- Show only half of SVG