From dc5fbbf7eb725216311f9712d9e61166574920bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Thu, 28 Jun 2018 15:26:27 +0200
Subject: [PATCH] Do not prefix href of select2 with unsafe to avoid #504
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 js/app/Config.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/js/app/Config.js b/js/app/Config.js
index bcc1391c8..6420facd5 100644
--- a/js/app/Config.js
+++ b/js/app/Config.js
@@ -33,6 +33,9 @@ app.config(function ($provide, $interpolateProvider, $httpProvider, $urlRouterPr
 $compileProvider.debugInfoEnabled(true);
+ // This should fix adding "unsafe:" prefix to ui-select href links containing javascript
+ // inline JS is blocked by CSP anyway and filtered out by our markdown renderer as well
+ $compileProvider.aHrefSanitizationWhitelist(/^\s*(https?|javascript):/);
 markdownItConverterProvider.use(markdownitLinkTarget, {
 breaks: true,
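Review bot: The added `aHrefSanitizationWhitelist(/^\s*(https?|javascript):/)` call applies to every sanitized `a[href]` in the app, not only the ui-select links the comment mentions, so AngularJS no longer neutralises any `javascript:` URL with the `unsafe:` prefix, and CSP plus the markdown renderer become the only remaining controls. It also replaces the default pattern instead of extending it, so the other schemes AngularJS allows by default (ftp, mailto, tel, file) would now be prefixed with `unsafe:`. If the ui-select anchors only carry an inert placeholder (presumably `javascript:void(0)`; confirm against the ui-select template), a narrower pattern keeps both properties: `$compileProvider.aHrefSanitizationWhitelist(/^\s*((https?|ftp|mailto|tel|file):|javascript:void\(0\);?\s*$)/);`. The comment should also name the exact href value being allowed and why, so the exception is not widened later. The enclosing `app.config` callback starts and ends outside the hunk.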