2012-09-19 20:32:42 +08:00
|
|
|
|
[](http://travis-ci.org/leizongmin/js-xss)
|
|
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
XSS代码过滤
|
2012-09-18 07:05:07 -07:00
|
|
|
|
======
|
|
|
|
|
|
|
2013-12-11 18:07:50 +08:00
|
|
|
|
|
|
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
**注意:0.1.x版本与0.0.x版本在自定义配置(除白名单配置外)格式上有较大改动,如果
|
|
|
|
|
|
要使用新版本,请详细阅读下文的使用说明**
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## 特性
|
|
|
|
|
|
|
|
|
|
|
|
+ 白名单控制允许的HTML标签及各标签的属性
|
|
|
|
|
|
+ 通过自定义处理函数,可对任意标签及其属性进行处理
|
|
|
|
|
|
|
2013-12-24 12:48:56 +08:00
|
|
|
|
|
|
|
|
|
|
## 参考资料
|
|
|
|
|
|
|
2013-12-24 13:48:20 +08:00
|
|
|
|
+ [XSS与字符编码的那些事儿 ---科普文](http://drops.wooyun.org/tips/689)
|
|
|
|
|
|
+ [腾讯实例教程:那些年我们一起学XSS](http://www.wooyun.org/whitehats/%E5%BF%83%E4%BC%A4%E7%9A%84%E7%98%A6%E5%AD%90)
|
|
|
|
|
|
+ [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
|
|
|
|
|
|
+ [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme)
|
|
|
|
|
|
+ [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b)
|
2013-12-24 12:48:56 +08:00
|
|
|
|
|
|
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
## 使用
|
2012-09-18 23:31:45 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
### 在Node.js中使用
|
2012-09-18 23:31:45 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
安装:
|
2012-09-18 23:31:45 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
```bash
|
|
|
|
|
|
$ npm install xss
|
|
|
|
|
|
```
|
2012-09-19 13:13:56 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
简单使用方法:
|
2012-09-19 13:13:56 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
```JavaScript
|
|
|
|
|
|
var xss = require('xss');
|
|
|
|
|
|
var html = xss('<script>alert("xss");</script>');
|
|
|
|
|
|
console.log(html);
|
|
|
|
|
|
```
|
2012-09-18 23:31:45 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
### 在浏览器端使用
|
2012-09-19 20:10:50 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
```HTML
|
|
|
|
|
|
<script src="https://raw.github.com/leizongmin/js-xss/master/build/xss.js"></script>
|
|
|
|
|
|
<script>
|
|
|
|
|
|
// 使用函数名 filterXSS,用法一样
|
|
|
|
|
|
var html = filterXSS('<script>alert("xss");</scr' + 'ipt>');
|
|
|
|
|
|
alert(html);
|
|
|
|
|
|
</script>
|
2012-09-18 23:31:45 +08:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
## 自定义过滤规则
|
|
|
|
|
|
|
|
|
|
|
|
在调用 `xss()` 函数进行过滤时,可通过第二个参数来设置自定义规则:
|
|
|
|
|
|
|
|
|
|
|
|
```JavaScript
|
|
|
|
|
|
options = {}; // 自定义规则
|
|
|
|
|
|
html = xss('<script>alert("xss");</script>', options);
|
2012-09-19 20:10:50 +08:00
|
|
|
|
```
|
2012-09-19 13:13:56 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
具体用法详见下文。
|
|
|
|
|
|
|
|
|
|
|
|
### 白名单
|
|
|
|
|
|
|
|
|
|
|
|
通过 `whiteList` 来指定,格式为:`{'标签名': ['属性1', '属性2']}`。不在白名单中
|
|
|
|
|
|
的标签将被过滤,不在白名单中的属性也会被过滤。以下是示例:
|
|
|
|
|
|
|
|
|
|
|
|
```JavaScript
|
|
|
|
|
|
// 只允许a标签,该标签只允许href, title, target这三个属性
|
|
|
|
|
|
var options = {
|
|
|
|
|
|
whiteList: {
|
|
|
|
|
|
a: ['href', 'title', 'target']
|
2012-09-20 08:33:29 +08:00
|
|
|
|
}
|
2012-09-19 20:10:50 +08:00
|
|
|
|
};
|
2014-02-12 13:27:30 +08:00
|
|
|
|
// 使用以上配置后,下面的HTML
|
|
|
|
|
|
// <a href="#" onclick="hello()"><i>大家好</i></a>
|
|
|
|
|
|
// 将被过滤为
|
|
|
|
|
|
// <a href="#">大家好</a>
|
|
|
|
|
|
```
|
2012-09-19 13:13:56 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
默认白名单参考 `xss.whiteList`。
|
|
|
|
|
|
|
|
|
|
|
|
### 自定义匹配到标签时的处理方法
|
|
|
|
|
|
|
|
|
|
|
|
通过 `onTag` 来指定相应的处理函数。以下是详细说明:
|
|
|
|
|
|
|
|
|
|
|
|
```JavaScript
|
|
|
|
|
|
function onTag (tag, html, options) {
|
|
|
|
|
|
// tag是当前的标签名称,比如<a>标签,则tag的值是'a'
|
|
|
|
|
|
// html是该标签的HTML,比如<a>标签,则html的值是'<a>'
|
|
|
|
|
|
// options是一些附加的信息,具体如下:
|
|
|
|
|
|
// isWhite boolean类型,表示该标签是否在白名单中
|
|
|
|
|
|
// isClosing boolean类型,表示该标签是否为闭合标签,比如</a>时为true
|
|
|
|
|
|
// position integer类型,表示当前标签在输出的结果中的起始位置
|
|
|
|
|
|
// originPosition integer类型,表示当前标签在原HTML中的起始位置
|
|
|
|
|
|
// 如果返回一个字符串,则当前标签将被替换为该字符串
|
2014-02-13 14:00:05 +08:00
|
|
|
|
// 如果不返回任何值,则使用默认的处理方法:
|
|
|
|
|
|
// 在白名单中: 通过onTagAttr来过滤属性,详见下文
|
|
|
|
|
|
// 不在白名单中:通过onIgnoreTag指定,详见下文
|
2012-09-19 13:13:56 +08:00
|
|
|
|
}
|
|
|
|
|
|
```
|
|
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
### 自定义匹配到标签的属性时的处理方法
|
2012-09-19 13:13:56 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
通过 `onTagAttr` 来指定相应的处理函数。以下是详细说明:
|
|
|
|
|
|
|
|
|
|
|
|
```JavaScript
|
2014-02-13 14:00:05 +08:00
|
|
|
|
function onTagAttr (tag, name, value) {
|
2014-02-12 13:27:30 +08:00
|
|
|
|
// tag是当前的标签名称,比如<a>标签,则tag的值是'a'
|
|
|
|
|
|
// name是当前属性的名称,比如href="#",则name的值是'href'
|
|
|
|
|
|
// value是当前属性的值,比如href="#",则value的值是'#'
|
|
|
|
|
|
// 如果返回一个字符串,则当前属性值将被替换为该字符串
|
2014-02-13 14:00:05 +08:00
|
|
|
|
// 如果不返回任何值,则使用默认的处理方法
|
|
|
|
|
|
// 在白名单中: 输出该属性
|
|
|
|
|
|
// 不在白名单中:通过onIgnoreTagAttr指定,详见下文
|
2014-02-12 13:27:30 +08:00
|
|
|
|
}
|
2012-09-19 13:13:56 +08:00
|
|
|
|
```
|
|
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
### 自定义匹配到不在白名单中的标签时的处理方法
|
|
|
|
|
|
|
|
|
|
|
|
通过 `onIgnoreTag` 来指定相应的处理函数。以下是详细说明:
|
2013-04-19 16:36:49 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
```JavaScript
|
|
|
|
|
|
function onIgnoreTag (tag, html, options) {
|
|
|
|
|
|
// 参数说明与onTag相同
|
|
|
|
|
|
// 如果返回一个字符串,则当前标签将被替换为该字符串
|
|
|
|
|
|
// 如果不返回任何值,则使用默认的处理方法(通过escape指定,详见下文)
|
|
|
|
|
|
}
|
2013-04-19 16:36:49 +08:00
|
|
|
|
```
|
2014-02-12 13:27:30 +08:00
|
|
|
|
|
|
|
|
|
|
### 自定义匹配到不在白名单中的属性时的处理方法
|
|
|
|
|
|
|
|
|
|
|
|
通过 `onIgnoreTagAttr` 来指定相应的处理函数。以下是详细说明:
|
|
|
|
|
|
|
|
|
|
|
|
```JavaScript
|
2014-02-13 14:00:05 +08:00
|
|
|
|
function onIgnoreTagAttr (tag, name, value) {
|
2014-02-12 13:27:30 +08:00
|
|
|
|
// 参数说明与onTagAttr相同
|
|
|
|
|
|
// 如果返回一个字符串,则当前属性值将被替换为该字符串
|
2014-02-13 14:00:05 +08:00
|
|
|
|
// 如果不返回任何值,则使用默认的处理方法(删除该属)
|
2014-02-12 13:27:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
### 自定义HTML转义函数
|
|
|
|
|
|
|
2014-02-13 14:00:05 +08:00
|
|
|
|
通过 `escapeHtml` 来指定相应的处理函数。以下是默认代码 **(不建议修改)** :
|
2014-02-12 13:27:30 +08:00
|
|
|
|
|
|
|
|
|
|
```JavaScript
|
2014-02-13 14:00:05 +08:00
|
|
|
|
function escapeHtml (html) {
|
2014-02-12 13:27:30 +08:00
|
|
|
|
return html.replace(/</g, '<').replace(/>/g, '>');
|
|
|
|
|
|
}
|
2013-04-19 16:36:49 +08:00
|
|
|
|
```
|
|
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
### 自定义标签属性值的转义函数
|
2013-04-19 16:36:49 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
通过 `safeAttrValue` 来指定相应的处理函数。以下是详细说明:
|
2012-09-20 20:55:42 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
```JavaScript
|
|
|
|
|
|
function safeAttrValue (tag, attr, value) {
|
|
|
|
|
|
// 参数说明与onTagAttr相同(没有options参数)
|
|
|
|
|
|
// 返回一个字符串表示该属性值
|
|
|
|
|
|
}
|
|
|
|
|
|
```
|
2012-09-19 20:10:50 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
### 快捷配置
|
2012-09-18 23:31:45 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
#### stripIgnoreTag
|
2012-09-19 20:10:50 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
是否去掉不在白名单只的标签:
|
2012-09-19 20:10:50 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
+ `true`:(默认),去掉不在白名单中的标签
|
|
|
|
|
|
+ `false`:使用配置的`escape`函数对该标签进行转义
|
2012-09-19 13:13:56 +08:00
|
|
|
|
|
2012-09-18 23:31:45 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
## 应用实例
|
2012-09-18 23:31:45 +08:00
|
|
|
|
|
2014-02-12 13:31:41 +08:00
|
|
|
|
### 去掉<script>标签及标签体内的JS代码
|
|
|
|
|
|
|
|
|
|
|
|
```JavaScript
|
|
|
|
|
|
// 待续
|
|
|
|
|
|
```
|
2012-09-19 11:33:14 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
### 允许标签以data-开头的属性
|
2012-09-19 11:33:14 +08:00
|
|
|
|
|
2014-02-12 13:31:41 +08:00
|
|
|
|
```JavaScript
|
|
|
|
|
|
// 待续
|
|
|
|
|
|
```
|
|
|
|
|
|
|
2014-02-13 14:58:36 +08:00
|
|
|
|
### 允许名称以x开头的标签
|
2014-02-13 14:00:05 +08:00
|
|
|
|
|
|
|
|
|
|
```JavaScript
|
|
|
|
|
|
// 待续
|
|
|
|
|
|
```
|
|
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
### 分析HTML代码中的图片列表
|
2012-09-19 11:33:14 +08:00
|
|
|
|
|
2014-02-12 13:31:41 +08:00
|
|
|
|
```JavaScript
|
|
|
|
|
|
// 待续
|
|
|
|
|
|
```
|
2012-09-19 11:33:14 +08:00
|
|
|
|
|
2012-09-18 23:31:45 +08:00
|
|
|
|
|
2014-02-12 13:27:30 +08:00
|
|
|
|
## MIT协议
|
2012-09-18 23:31:45 +08:00
|
|
|
|
|
|
|
|
|
|
```
|
2013-12-24 12:48:56 +08:00
|
|
|
|
Copyright (c) 2012-2014 Zongmin Lei(雷宗民) <leizongmin@gmail.com>
|
2012-09-18 23:31:45 +08:00
|
|
|
|
http://ucdok.com
|
|
|
|
|
|
|
|
|
|
|
|
The MIT License
|
|
|
|
|
|
|
|
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining
|
|
|
|
|
|
a copy of this software and associated documentation files (the
|
|
|
|
|
|
"Software"), to deal in the Software without restriction, including
|
|
|
|
|
|
without limitation the rights to use, copy, modify, merge, publish,
|
|
|
|
|
|
distribute, sublicense, and/or sell copies of the Software, and to
|
|
|
|
|
|
permit persons to whom the Software is furnished to do so, subject to
|
|
|
|
|
|
the following conditions:
|
|
|
|
|
|
|
|
|
|
|
|
The above copyright notice and this permission notice shall be
|
|
|
|
|
|
included in all copies or substantial portions of the Software.
|
|
|
|
|
|
|
|
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
|
|
|
|
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
|
|
|
|
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
|
|
|
|
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
|
|
|
|
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
|
|
|
|
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
|
|
|
|
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
|
|
|
|
```
|
