From 12f3161f50884d423bd6bf55ebdcce58c88bda99 Mon Sep 17 00:00:00 2001
From: Calvin Montgomery
Date: Tue, 6 Jan 2015 13:00:36 -0500
Subject: [PATCH] XSS: Glob attributes data-*, aria-*
---
 lib/xss.js | 7 ++++---
 package.json | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/xss.js b/lib/xss.js
index c6c0de2e..1ab08576 100644
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -1,5 +1,7 @@
 var sanitizeHTML = require("sanitize-html");
+// These tags are allowed in addition to the defaults
+// See https://github.com/punkave/sanitize-html
 const ALLOWED_TAGS = [
 "button",
 "center",
@@ -16,12 +18,11 @@ const ALLOWED_TAGS = [
 const ALLOWED_ATTRIBUTES = [
 "id",
-"aria-hidden",
+"aria-*",
 "border",
 "class",
 "color",
-"data-dismiss",
-"data-target",
+"data-*",
 "height",
 "role",
 "style",
diff --git a/package.json b/package.json
index c5399365..b39eec34 100644
--- a/package.json
+++ b/package.json
@@ -22,7 +22,7 @@
 "nodemailer": "^1.2.0",
 "oauth": "^0.9.12",
 "q": "^1.0.1",
-"sanitize-html": "^1.4.3",
+"sanitize-html": "git://github.com/calzoneman/sanitize-html#5022eb6c",
 "serve-static": "^1.5.3",
 "socket.io": "^1.2.1",
 "yamljs": "^0.1.5"
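Review bot: The `"data-*"` entry in ALLOWED_ATTRIBUTES widens the grant from the two attributes the old list named (`data-dismiss`, `data-target`) to every data attribute a user can write, and the hunk does not say why the broader set is needed. The attributes themselves are inert, but any client-side library that acts on data attributes (the removed names look like a Bootstrap-style data API, which is an inference) will now be driven by user-supplied markup, so the allowlist is effectively only as strong as that library's own handling of the values; `"aria-*"` carries no comparable concern. I would either keep an explicit list of the attributes the front end actually consumes, or keep the glob and record the trade-off next to it: `"data-*", // broad grant: any client-side data API acts on attributes user markup can set; keep in sync with front-end needs`. Note also that glob matching in this list only works with the forked sanitize-html pinned in package.json; with a release that treats the string literally the entry would match nothing and strip these attributes, which is fail-closed but worth a comment so a later dependency bump is not mistaken for a sanitizer bug. The first hunk of this file is comment-only and raises nothing.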
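Review bot: The new sanitize-html dependency is fetched over `git://`, which is neither encrypted nor authenticated, and is pinned to the abbreviated commit `5022eb6c` rather than a full SHA, so the install is only as trustworthy as the network path and the abbreviation's continued uniqueness. Installs also now require a git client and a reachable GitHub rather than the npm registry, and the fork does not get lockfile-style integrity checking that a registry version would. I would switch to an HTTPS URL with the full 40-character commit id, `"sanitize-html": "https://github.com/calzoneman/sanitize-html#<full-commit-sha>"`, and note in the commit description that the fork exists for attribute-glob support so it can be dropped once an upstream release provides it.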