js-xss/lib/xss.js

/**
 * filter xss
 *
 * @author Zongmin Lei<leizongmin@gmail.com>
 */

var FilterCSS = require("cssfilter").FilterCSS;
var DEFAULT = require("./default");
var parser = require("./parser");
var parseTag = parser.parseTag;
var parseAttr = parser.parseAttr;
var _ = require("./util");

/**
 * returns `true` if the input value is `undefined` or `null`
 *
 * @param {Object} obj
 * @return {Boolean}
 */
function isNull(obj) {
  return obj === undefined || obj === null;
}

/**
 * get attributes for a tag
 *
 * @param {String} html
 * @return {Object}
 *   - {String} html
 *   - {Boolean} closing
 */
function getAttrs(html) {
  var i = _.spaceIndex(html);
  if (i === -1) {
    return {
      html: "",
      closing: html[html.length - 2] === "/",
    };
  }
  html = _.trim(html.slice(i + 1, -1));
  var isClosing = html[html.length - 1] === "/";
  if (isClosing) html = _.trim(html.slice(0, -1));
  return {
    html: html,
    closing: isClosing,
  };
}

/**
 * shallow copy
 *
 * @param {Object} obj
 * @return {Object}
 */
function shallowCopyObject(obj) {
  var ret = {};
  for (var i in obj) {
    ret[i] = obj[i];
  }
  return ret;
}

/**
 * FilterXSS class
 *
 * @param {Object} options
 *        whiteList (or allowList), onTag, onTagAttr, onIgnoreTag,
 *        onIgnoreTagAttr, safeAttrValue, escapeHtml
 *        stripIgnoreTagBody, allowCommentTag, stripBlankChar
 *        css{whiteList, onAttr, onIgnoreAttr} `css=false` means don't use `cssfilter`
 */
function FilterXSS(options) {
  options = shallowCopyObject(options || {});

  if (options.stripIgnoreTag) {
    if (options.onIgnoreTag) {
      console.error(
        'Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time'
      );
    }
    options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll;
  }

  options.whiteList = options.whiteList || options.allowList || DEFAULT.whiteList;
  options.onTag = options.onTag || DEFAULT.onTag;
  options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
  options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
  options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
  options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
  options.escapeHtml = options.escapeHtml || (options.allowCommentTag ? DEFAULT.escapeHtmlNotComment : DEFAULT.escapeHtml);
  this.options = options;

  if (options.css === false) {
    this.cssFilter = false;
  } else {
    options.css = options.css || {};
    this.cssFilter = new FilterCSS(options.css);
  }
}

/**
 * start process and returns result
 *
 * @param {String} html
 * @return {String}
 */
FilterXSS.prototype.process = function (html) {
  // compatible with the input
  html = html || "";
  html = html.toString();
  if (!html) return "";

  var me = this;
  var options = me.options;
  var whiteList = options.whiteList;
  var onTag = options.onTag;
  var onIgnoreTag = options.onIgnoreTag;
  var onTagAttr = options.onTagAttr;
  var onIgnoreTagAttr = options.onIgnoreTagAttr;
  var safeAttrValue = options.safeAttrValue;
  var escapeHtml = options.escapeHtml;
  var cssFilter = me.cssFilter;

  // remove invisible characters
  if (options.stripBlankChar) {
    html = DEFAULT.stripBlankChar(html);
  }

  // remove html comments
  if (!options.allowCommentTag) {
    html = DEFAULT.stripCommentTag(html);
  }

  // if enable stripIgnoreTagBody
  var stripIgnoreTagBody = false;
  if (options.stripIgnoreTagBody) {
    stripIgnoreTagBody = DEFAULT.StripTagBody(
      options.stripIgnoreTagBody,
      onIgnoreTag
    );
    onIgnoreTag = stripIgnoreTagBody.onIgnoreTag;
  }

  var retHtml = parseTag(
    html,
    function (sourcePosition, position, tag, html, isClosing) {
      var info = {
        sourcePosition: sourcePosition,
        position: position,
        isClosing: isClosing,
        isWhite: Object.prototype.hasOwnProperty.call(whiteList, tag),
      };

      // call `onTag()`
      var ret = onTag(tag, html, info);
      if (!isNull(ret)) return ret;

      if (info.isWhite) {
        if (info.isClosing) {
          return "</" + tag + ">";
        }

        var attrs = getAttrs(html);
        var whiteAttrList = whiteList[tag];
        var attrsHtml = parseAttr(attrs.html, function (name, value) {
          // call `onTagAttr()`
          var isWhiteAttr = _.indexOf(whiteAttrList, name) !== -1;
          var ret = onTagAttr(tag, name, value, isWhiteAttr);
          if (!isNull(ret)) return ret;

          if (isWhiteAttr) {
            // call `safeAttrValue()`
            value = safeAttrValue(tag, name, value, cssFilter);
            if (value) {
              return name + '="' + value + '"';
            } else {
              return name;
            }
          } else {
            // call `onIgnoreTagAttr()`
            ret = onIgnoreTagAttr(tag, name, value, isWhiteAttr);
            if (!isNull(ret)) return ret;
            return;
          }
        });

        // build new tag html
        html = "<" + tag;
        if (attrsHtml) html += " " + attrsHtml;
        if (attrs.closing) html += " /";
        html += ">";
        return html;
      } else {
        // call `onIgnoreTag()`
        ret = onIgnoreTag(tag, html, info);
        if (!isNull(ret)) return ret;
        return escapeHtml(html);
      }
    },
    escapeHtml
  );

  // if enable stripIgnoreTagBody
  if (stripIgnoreTagBody) {
    retHtml = stripIgnoreTagBody.remove(retHtml);
  }

  return retHtml;
};

module.exports = FilterXSS;
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`/**`
translate all comments to English 2017-12-21 14:19:10 +08:00			`* filter xss`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`*`
translate all comments to English 2017-12-21 14:19:10 +08:00			`* @author Zongmin Lei<leizongmin@gmail.com>`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`*/`

reformat by prettier 2017-12-21 14:22:34 +08:00			`var FilterCSS = require("cssfilter").FilterCSS;`
			`var DEFAULT = require("./default");`
			`var parser = require("./parser");`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`var parseTag = parser.parseTag;`
			`var parseAttr = parser.parseAttr;`
reformat by prettier 2017-12-21 14:22:34 +08:00			`var _ = require("./util");`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00
			`/**`
translate all comments to English 2017-12-21 14:19:10 +08:00			* returns `true` if the input value is `undefined` or `null`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`*`
			`* @param {Object} obj`
			`* @return {Boolean}`
			`*/`
reformat by prettier 2017-12-21 14:22:34 +08:00			`function isNull(obj) {`
			`return obj === undefined \|\| obj === null;`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`}`

			`/**`
translate all comments to English 2017-12-21 14:19:10 +08:00			`* get attributes for a tag`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`*`
			`* @param {String} html`
			`* @return {Object}`
			`* - {String} html`
			`* - {Boolean} closing`
			`*/`
reformat by prettier 2017-12-21 14:22:34 +08:00			`function getAttrs(html) {`
passed test: assert.equal(xss('<a\ttarget="_blank"\ntitle="bbb">'), '<a target="_blank" title="bbb">'); assert.equal(xss('<a\ntarget="_blank"\ttitle="bbb">'), '<a target="_blank" title="bbb">'); assert.equal(xss('<a\n\n\n\ttarget="_blank"\t\t\t\ntitle="bbb">'), '<a target="_blank" title="bbb">'); 2017-08-31 16:41:44 +08:00			`var i = _.spaceIndex(html);`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`if (i === -1) {`
			`return {`
reformat by prettier 2017-12-21 14:22:34 +08:00			`html: "",`
style: reformat all source code by prettier 2021-05-06 13:32:47 +08:00			`closing: html[html.length - 2] === "/",`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`};`
			`}`
避免窜改 Array.prototype 2015-03-27 16:09:45 +11:00			`html = _.trim(html.slice(i + 1, -1));`
reformat by prettier 2017-12-21 14:22:34 +08:00			`var isClosing = html[html.length - 1] === "/";`
避免窜改 Array.prototype 2015-03-27 16:09:45 +11:00			`if (isClosing) html = _.trim(html.slice(0, -1));`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`return {`
reformat by prettier 2017-12-21 14:22:34 +08:00			`html: html,`
style: reformat all source code by prettier 2021-05-06 13:32:47 +08:00			`closing: isClosing,`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`};`
			`}`

fix: issue #66 no options mutated 2016-12-20 09:13:35 +08:00			`/**`
translate all comments to English 2017-12-21 14:19:10 +08:00			`* shallow copy`
fix: issue #66 no options mutated 2016-12-20 09:13:35 +08:00			`*`
			`* @param {Object} obj`
			`* @return {Object}`
			`*/`
reformat by prettier 2017-12-21 14:22:34 +08:00			`function shallowCopyObject(obj) {`
fix: issue #66 no options mutated 2016-12-20 09:13:35 +08:00			`var ret = {};`
			`for (var i in obj) {`
			`ret[i] = obj[i];`
			`}`
			`return ret;`
			`}`

通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`/**`
translate all comments to English 2017-12-21 14:19:10 +08:00			`* FilterXSS class`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`*`
v0.2.0 使用cssfilter模块来过滤style属性 2015-05-05 22:50:56 +08:00			`* @param {Object} options`
feat: add support for allowList as an alias for whiteList 2021-12-13 13:11:43 -05:00			`* whiteList (or allowList), onTag, onTagAttr, onIgnoreTag,`
v0.2.0 使用cssfilter模块来过滤style属性 2015-05-05 22:50:56 +08:00			`* onIgnoreTagAttr, safeAttrValue, escapeHtml`
			`* stripIgnoreTagBody, allowCommentTag, stripBlankChar`
translate all comments to English 2017-12-21 14:19:10 +08:00			* css{whiteList, onAttr, onIgnoreAttr} `css=false` means don't use `cssfilter`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`*/`
reformat by prettier 2017-12-21 14:22:34 +08:00			`function FilterXSS(options) {`
fix: issue #66 no options mutated 2016-12-20 09:13:35 +08:00			`options = shallowCopyObject(options \|\| {});`
test: stripIgnoreTag 2014-02-13 16:27:49 +08:00
			`if (options.stripIgnoreTag) {`
			`if (options.onIgnoreTag) {`
reformat by prettier 2017-12-21 14:22:34 +08:00			`console.error(`
			`'Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time'`
			`);`
test: stripIgnoreTag 2014-02-13 16:27:49 +08:00			`}`
			`options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll;`
			`}`

feat: add support for allowList as an alias for whiteList 2021-12-13 13:11:43 -05:00			`options.whiteList = options.whiteList \|\| options.allowList \|\| DEFAULT.whiteList;`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`options.onTag = options.onTag \|\| DEFAULT.onTag;`
			`options.onTagAttr = options.onTagAttr \|\| DEFAULT.onTagAttr;`
			`options.onIgnoreTag = options.onIgnoreTag \|\| DEFAULT.onIgnoreTag;`
			`options.onIgnoreTagAttr = options.onIgnoreTagAttr \|\| DEFAULT.onIgnoreTagAttr;`
			`options.safeAttrValue = options.safeAttrValue \|\| DEFAULT.safeAttrValue;`
fix: comment has encoded (#257) 2022-05-27 22:57:50 +08:00			`options.escapeHtml = options.escapeHtml \|\| (options.allowCommentTag ? DEFAULT.escapeHtmlNotComment : DEFAULT.escapeHtml);`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`this.options = options;`
v0.2.0 使用cssfilter模块来过滤style属性 2015-05-05 22:50:56 +08:00
fix cssFilter, allow pass css=false to disable cssFilter 2016-11-06 11:06:02 +08:00			`if (options.css === false) {`
			`this.cssFilter = false;`
			`} else {`
			`options.css = options.css \|\| {};`
			`this.cssFilter = new FilterCSS(options.css);`
			`}`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`}`

			`/**`
translate all comments to English 2017-12-21 14:19:10 +08:00			`* start process and returns result`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`*`
			`* @param {String} html`
			`* @return {String}`
			`*/`
style: reformat all source code by prettier 2021-05-06 13:32:47 +08:00			`FilterXSS.prototype.process = function (html) {`
translate all comments to English 2017-12-21 14:19:10 +08:00			`// compatible with the input`
reformat by prettier 2017-12-21 14:22:34 +08:00			`html = html \|\| "";`
兼容各种奇葩输入 2015-01-12 14:04:29 +08:00			`html = html.toString();`
reformat by prettier 2017-12-21 14:22:34 +08:00			`if (!html) return "";`
兼容各种奇葩输入 2015-01-12 14:04:29 +08:00
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`var me = this;`
			`var options = me.options;`
			`var whiteList = options.whiteList;`
			`var onTag = options.onTag;`
			`var onIgnoreTag = options.onIgnoreTag;`
			`var onTagAttr = options.onTagAttr;`
			`var onIgnoreTagAttr = options.onIgnoreTagAttr;`
			`var safeAttrValue = options.safeAttrValue;`
v0.2.0 使用cssfilter模块来过滤style属性 2015-05-05 22:50:56 +08:00			`var escapeHtml = options.escapeHtml;`
			`var cssFilter = me.cssFilter;`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00
translate all comments to English 2017-12-21 14:19:10 +08:00			`// remove invisible characters`
过滤是通过设置stripBlankChar=true来过滤不可见字符 2015-01-22 14:20:55 +08:00			`if (options.stripBlankChar) {`
			`html = DEFAULT.stripBlankChar(html);`
			`}`

translate all comments to English 2017-12-21 14:19:10 +08:00			`// remove html comments`
增加新的选项 allowCommentTag 来设置是否允许HTML备注标签，默认false 2014-04-03 11:47:21 +08:00			`if (!options.allowCommentTag) {`
			`html = DEFAULT.stripCommentTag(html);`
			`}`

translate all comments to English 2017-12-21 14:19:10 +08:00			`// if enable stripIgnoreTagBody`
fix stripIgnoreTagBody on file xss.js 2015-12-23 12:22:39 +08:00			`var stripIgnoreTagBody = false;`
test: stripIgnoreTagBody 2014-02-13 18:18:43 +08:00			`if (options.stripIgnoreTagBody) {`
feat: add eslint:recommended check 2022-03-09 19:39:57 +08:00			`stripIgnoreTagBody = DEFAULT.StripTagBody(`
reformat by prettier 2017-12-21 14:22:34 +08:00			`options.stripIgnoreTagBody,`
			`onIgnoreTag`
			`);`
test: stripIgnoreTagBody 2014-02-13 18:18:43 +08:00			`onIgnoreTag = stripIgnoreTagBody.onIgnoreTag;`
			`}`

reformat by prettier 2017-12-21 14:22:34 +08:00			`var retHtml = parseTag(`
			`html,`
style: reformat all source code by prettier 2021-05-06 13:32:47 +08:00			`function (sourcePosition, position, tag, html, isClosing) {`
reformat by prettier 2017-12-21 14:22:34 +08:00			`var info = {`
			`sourcePosition: sourcePosition,`
			`position: position,`
			`isClosing: isClosing,`
feat: add eslint:recommended check 2022-03-09 19:39:57 +08:00			`isWhite: Object.prototype.hasOwnProperty.call(whiteList, tag),`
reformat by prettier 2017-12-21 14:22:34 +08:00			`};`

			// call `onTag()`
			`var ret = onTag(tag, html, info);`
			`if (!isNull(ret)) return ret;`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00
reformat by prettier 2017-12-21 14:22:34 +08:00			`if (info.isWhite) {`
			`if (info.isClosing) {`
			`return "</" + tag + ">";`
			`}`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00
reformat by prettier 2017-12-21 14:22:34 +08:00			`var attrs = getAttrs(html);`
			`var whiteAttrList = whiteList[tag];`
style: reformat all source code by prettier 2021-05-06 13:32:47 +08:00			`var attrsHtml = parseAttr(attrs.html, function (name, value) {`
reformat by prettier 2017-12-21 14:22:34 +08:00			// call `onTagAttr()`
			`var isWhiteAttr = _.indexOf(whiteAttrList, name) !== -1;`
			`var ret = onTagAttr(tag, name, value, isWhiteAttr);`
			`if (!isNull(ret)) return ret;`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00
reformat by prettier 2017-12-21 14:22:34 +08:00			`if (isWhiteAttr) {`
			// call `safeAttrValue()`
			`value = safeAttrValue(tag, name, value, cssFilter);`
			`if (value) {`
			`return name + '="' + value + '"';`
			`} else {`
			`return name;`
			`}`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`} else {`
reformat by prettier 2017-12-21 14:22:34 +08:00			// call `onIgnoreTagAttr()`
feat: add eslint:recommended check 2022-03-09 19:39:57 +08:00			`ret = onIgnoreTagAttr(tag, name, value, isWhiteAttr);`
reformat by prettier 2017-12-21 14:22:34 +08:00			`if (!isNull(ret)) return ret;`
			`return;`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`}`
reformat by prettier 2017-12-21 14:22:34 +08:00			`});`

			`// build new tag html`
feat: add eslint:recommended check 2022-03-09 19:39:57 +08:00			`html = "<" + tag;`
reformat by prettier 2017-12-21 14:22:34 +08:00			`if (attrsHtml) html += " " + attrsHtml;`
			`if (attrs.closing) html += " /";`
			`html += ">";`
			`return html;`
			`} else {`
			// call `onIgnoreTag()`
feat: add eslint:recommended check 2022-03-09 19:39:57 +08:00			`ret = onIgnoreTag(tag, html, info);`
reformat by prettier 2017-12-21 14:22:34 +08:00			`if (!isNull(ret)) return ret;`
			`return escapeHtml(html);`
			`}`
			`},`
			`escapeHtml`
			`);`
test: stripIgnoreTagBody 2014-02-13 18:18:43 +08:00
translate all comments to English 2017-12-21 14:19:10 +08:00			`// if enable stripIgnoreTagBody`
test: stripIgnoreTagBody 2014-02-13 18:18:43 +08:00			`if (stripIgnoreTagBody) {`
			`retHtml = stripIgnoreTagBody.remove(retHtml);`
			`}`

			`return retHtml;`
通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00			`};`

避免窜改 Array.prototype 2015-03-27 16:09:45 +11:00			`module.exports = FilterXSS;`