parser: sanitize HTML: allow 'disabled', 'start', 'type' and 'checked' attributes

This makes check box lists like the following snipped work:

- [X] Done
- [ ] not done

Further allow the start attr, sometimes generated for ordered lists.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/Parser.js b/src/Parser.js
index a5e9337101caca66d55337ec33d5ee3277142a24..17d176cd79eea52f580245cbb9bd6a221e0a44b6 100644 (file)
--- a/src/Parser.js
+++ b/src/Parser.js
@@ -20,7 +20,7 @@ Ext.define('Proxmox.Markdown', {
            for (let i=node.attributes.length; i--;) {
                const name = node.attributes[i].name;
                // TODO: we may want to also disallow class and id attrs
-               if (!/^(class|id|name|href|src|alt|align|valign)$/i.test(name)) {
+               if (!/^(class|id|name|href|src|alt|align|valign|disabled|checked|start|type)$/i.test(name)) {
                    node.attributes.removeNamedItem(name);
                }
            }