Add comment

This commit is contained in:
Luke Barnard 2017-07-10 17:48:01 +01:00
parent 6877b99435
commit dfa97e8452

View file

@ -184,6 +184,9 @@ const sanitizeHtmlParams = {
return { tagName: tagName, attribs : attribs };
},
'img': function(tagName, attribs) {
// Strip out imgs that aren't `mxc` here instead of using allowedSchemesByTag
// because transformTags is used _before_ we filter by allowedSchemesByTag and
// we don't want to allow images with `https?` `src`s.
if (!attribs.src.startsWith('mxc://')) {
return { tagName, attribs: {}};
}