From ab5d8eba45ed65723aeacaf37d0248d9fb7a8068 Mon Sep 17 00:00:00 2001
From: slifszyc
Date: Fri, 17 Jul 2015 16:13:13 -0300
Subject: [PATCH] [xss] - Add forceSafeImageURLs config variable. Close #980
---
 config/defaults.json | 3 ++-
 lib/richtext/lib/xss-filter.js | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/config/defaults.json b/config/defaults.json
index 2c6f733953..7132a867c7 100644
--- a/config/defaults.json
+++ b/config/defaults.json
@@ -99,5 +99,6 @@
 "usersWhitelist": false,
 "multiForum": false,
 "feedsLimit": 10,
- "tweetText": ""
+ "tweetText": "",
+ "forceSafeImageURLs": true
 }
diff --git a/lib/richtext/lib/xss-filter.js b/lib/richtext/lib/xss-filter.js
index 30a5d2af61..c88ae0bfcb 100644
--- a/lib/richtext/lib/xss-filter.js
+++ b/lib/richtext/lib/xss-filter.js
@@ -1,7 +1,7 @@
 var xss = require('xss');
 var deepMixIn = require('mout/object/deepMixIn');
 var videoUrlInspector = require('democracyos-video-url-inspector');
-
+var config = require('lib/config');
 module.exports = function xssFilter (opts) {
 var defaults = {
@@ -49,7 +49,7 @@ module.exports = function xssFilter (opts) {
 value = xss.safeAttrValue(tag, name, value, cssFilter);
 // Remove protocol from srcs, to force https when needed
- if ('src' === name && 'string' === typeof value) {
+ if (config.forceSafeImageURLs && 'src' === name && 'string' === typeof value) {
 value = value.replace(/^https?:\/\//, '//');
 }
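Review bot: The new `var config = require('lib/config');` line ties the filter's behavior to a process-wide setting even though xssFilter already takes per-call `opts` merged over the `defaults` object that begins at the end of this hunk (deepMixIn is imported, presumably for that merge); seeding `defaults` with `forceSafeImageURLs: config.forceSafeImageURLs,` and reading the merged option rather than `config` directly would let callers and tests override the setting per instance without mutating global config. The bare specifier `'lib/config'` also differs from how a project-local module is usually required (relative path), so it presumably depends on NODE_PATH or a similar resolution hook; if so, a short comment such as `// project-local config module, resolved via NODE_PATH` would spare the next reader a search. The `defaults` object literal and the rest of xssFilter continue outside the hunk.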