/**
* 测试XSS
*
* @author 老雷<leizongmin@gmail.com>
*/
var assert = require('assert');
var _xss = require('../');
var debug = require('debug')('xss:test');
/**
 * Test helper: run the filter under test and trace input and output.
 *
 * @param {*} html - value handed to the filter; the suite also passes
 *   undefined, null, numbers and plain objects through here
 * @param {Object} [options] - options forwarded to the filter unchanged
 * @returns {*} whatever the filter returns
 */
function xss(html, options) {
  var filtered;
  // Trace the raw input first so a failing assertion shows what went in.
  debug(JSON.stringify(html));
  filtered = _xss(html, options);
  // Indent the output line so it visually pairs with the input line above.
  debug('\t' + JSON.stringify(filtered));
  return filtered;
}
describe('test XSS', function () {
it('#normal', function () {
  // NOTE(review): in this listing the expected strings show "<", ">" and
  // '"' unescaped even where the comments say the markup is filtered; the
  // HTML entities of the committed file were most likely decoded when the
  // page was rendered — confirm every literal against the repository.

  // Tolerate odd inputs: undefined, null, numbers and plain objects are
  // coerced to a string rather than rejected.
  assert.equal(xss(), '');
  assert.equal(xss(null), '');
  assert.equal(xss(123), '123');
  assert.equal(xss({ a: 1111 }), '[object Object]');

  // Non-printable characters are kept by default and removed only when
  // stripBlankChar is set; CR/LF survive in both cases.
  assert.equal(xss('a\u0000\u0001\u0002\u0003\r\n b'), 'a\u0000\u0001\u0002\u0003\r\n b');
  assert.equal(xss('a\u0000\u0001\u0002\u0003\r\n b', { stripBlankChar: true }), 'a\r\n b');

  // Tags that are not in the whitelist are filtered.
  assert.equal(xss('<b>abcd</b>'), '<b>abcd</b>');
  assert.equal(xss('<o>abcd</o>'), '<o>abcd</o>');
  assert.equal(xss('<b>abcd</o>'), '<b>abcd</o>');
  assert.equal(xss('<b><o>abcd</b></o>'), '<b><o>abcd</b></o>');
  assert.equal(xss('<hr>'), '<hr>');
  assert.equal(xss('<xss>'), '<xss>');
  assert.equal(xss('<xss o="x">'), '<xss o="x">');
  assert.equal(xss('<a><b>c</b></a>'), '<a><b>c</b></a>');
  assert.equal(xss('<a><c>b</c></a>'), '<a><c>b</c></a>');

  // "<" and ">" that do not form a tag are filtered.
  assert.equal(xss('<>>'), '<>>');
  assert.equal(xss('<scri' + 'pt>'), '<script>');
  assert.equal(xss('<<a>b>'), '<<a>b>');
  assert.equal(xss('<<<a>>b</a><x>'), '<<<a>>b</a><x>');

  // Attributes that are not in the whitelist are dropped.
  assert.equal(xss('<a oo="1" xx="2" title="3">yy</a>'), '<a title="3">yy</a>');
  assert.equal(xss('<a title xx oo>pp</a>'), '<a title>pp</a>');
  assert.equal(xss('<a title "">pp</a>'), '<a title>pp</a>');
  assert.equal(xss('<a t="">'), '<a>');

  // Special characters inside attribute values.
  assert.equal(xss('<a title="\'<<>>">'), '<a title="\'<<>>">');
  assert.equal(xss('<a title=""">'), '<a title>');
  assert.equal(xss('<a h=title="oo">'), '<a>');
  assert.equal(xss('<a h= title="oo">'), '<a>');
  assert.equal(xss('<a title="javascript&colonalert(/xss/)">'), '<a title="javascript:alert(/xss/)">');
  assert.equal(xss('<a title"hell aa="fdfd title="ok">hello</a>'), '<a>hello</a>');

  // Single-quoted attribute values are rewritten with double quotes.
  assert.equal(xss('<a title=\'abcd\'>'), '<a title="abcd">');
  assert.equal(xss('<a title=\'"\'>'), '<a title=""">');

  // Unquoted attribute values get double quotes added.
  assert.equal(xss('<a title=home>'), '<a title="home">');
  assert.equal(xss('<a title=abc("d")>'), '<a title="abc("d")">');
  assert.equal(xss('<a title=abc(\'d\')>'), '<a title="abc(\'d\')">');

  // Self-closing tags are normalized to "<tag attr />".
  assert.equal(xss('<img src/>'), '<img src />');
  assert.equal(xss('<img src />'), '<img src />');
  assert.equal(xss('<img src//>'), '<img src />');
  assert.equal(xss('<br/>'), '<br />');
  assert.equal(xss('<br />'), '<br />');

  // Malformed attribute syntax: stray whitespace around "=" is removed,
  // a repeated "=" keeps only the first value, unknown attributes go.
  assert.equal(xss('<a target = "_blank" title ="bbb">'), '<a target="_blank" title="bbb">');
  assert.equal(xss('<a target = "_blank" title = title = "bbb">'), '<a target="_blank" title="title">');
  assert.equal(xss('<img width = 100 height =200 title="xxx">'),
    '<img width="100" height="200" title="xxx">');
  assert.equal(xss('<img width = 100 height =200 title=xxx>'),
    '<img width="100" height="200" title="xxx">');
  assert.equal(xss('<img width = 100 height =200 title= xxx>'),
    '<img width="100" height="200" title="xxx">');
  assert.equal(xss('<img width = 100 height =200 title= "xxx">'),
    '<img width="100" height="200" title="xxx">');
  assert.equal(xss('<img width = 100 height =200 title= \'xxx\'>'),
    '<img width="100" height="200" title="xxx">');
  assert.equal(xss('<img width = 100 height =200 title = \'xxx\'>'),
    '<img width="100" height="200" title="xxx">');
  assert.equal(xss('<img width = 100 height =200 title= "xxx" no=yes alt="yyy">'),
    '<img width="100" height="200" title="xxx" alt="yyy">');
  assert.equal(xss('<img width = 100 height =200 title= "xxx" no=yes alt="\'yyy\'">'),
    '<img width="100" height="200" title="xxx" alt="\'yyy\'">');
});
// 自定义白名单
it('#white list', function () {
  // NOTE(review): the expected strings below still contain the tags that
  // the comments say are filtered; HTML entities of the committed file
  // were probably decoded when this page was rendered — confirm the
  // literals against the repository.

  // An empty whitelist filters every tag.
  assert.equal(xss('<a title="xx">bb</a>', { whiteList: {} }), '<a title="xx">bb</a>');
  assert.equal(xss('<hr>', { whiteList: {} }), '<hr>');
  // A custom whitelist admits the listed tag and only its listed attributes.
  assert.equal(xss('<ooxx yy="ok" cc="no">uu</ooxx>', { whiteList: { ooxx: ['yy'] } }), '<ooxx yy="ok">uu</ooxx>');
});
// XSS攻击测试:https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
it('#XSS_Filter_Evasion_Cheat_Sheet', function () {
  // NOTE(review): several expected strings in this listing keep "<", ">"
  // and '"' unescaped; the committed file most likely uses HTML entities
  // that were decoded when the page was rendered — confirm each literal
  // against the repository before treating a mismatch as a regression.

  // Script tags are split with "+" so the test file itself never contains
  // a literal closing script tag.
  assert.equal(xss('></SCRI' + 'PT>">\'><SCRI' + 'PT>alert(String.fromCharCode(88,83,83))</SCRI' + 'PT>'),
    '></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>');

  assert.equal(xss(';!--"<XSS>=&{()}'), ';!--"<XSS>=&{()}');

  assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRI' + 'PT>'),
    '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>');

  // A "javascript:" src in any casing or quoting style leaves an empty
  // attribute behind; the tag name is lower-cased.
  assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\');">'), '<img src>');
  assert.equal(xss('<IMG SRC=javascript:alert(\'XSS\')>'), '<img src>');
  assert.equal(xss('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'), '<img src>');
  assert.equal(xss('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'), '<img src>');
  assert.equal(xss('<IMG """><SCRI' + 'PT>alert("XSS")</SCRI' + 'PT>">'), '<img><SCRIPT>alert("XSS")</SCRIPT>">');
  assert.equal(xss('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'), '<img src>');
  // NOTE(review): the next three payloads read as identical strings with
  // unbalanced quotes in this listing; they carry different blame dates
  // and are presumably the cheat sheet's entity-encoded variants flattened
  // by rendering — confirm against the repository file.
  assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
    '<img src>');
  assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
    '<img src>');
  assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
    '<img src>');
  // Whitespace, tab, newline and NUL inserted into the scheme name.
  assert.equal(xss('<IMG SRC="jav ascript:alert(\'XSS\');">'), '<img src>');
  assert.equal(xss('<IMG SRC="jav	ascript:alert(\'XSS\');">'), '<img src>');
  assert.equal(xss('<IMG SRC="jav\nascript:alert(\'XSS\');">'), '<img src>');
  assert.equal(xss('<IMG SRC=java\0script:alert(\"XSS\")>'), '<img src>');
  assert.equal(xss('<IMG SRC="  javascript:alert(\'XSS\');">'), '<img src>');
  assert.equal(xss('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRI' + 'PT>'),
    '<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>');
  assert.equal(xss('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>'),
    '<BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert(\"XSS\")>');
  assert.equal(xss('<<SCRI' + 'PT>alert("XSS");//<</SCRI' + 'PT>'),
    '<<SCRIPT>alert(\"XSS\");//<</SCRIPT>');
  assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >'),
    '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >');
  assert.equal(xss('<SCRIPT SRC=//ha.ckers.org/.j'),
    '<SCRIPT SRC=//ha.ckers.org/.j');
  // Long-s (U+017F) look-alike of "script".
  assert.equal(xss('<ſcript src="https://xss.haozi.me/j.js"></ſcript>'),
    '<ſcript src="https://xss.haozi.me/j.js"></ſcript>');
  // Unterminated tags are treated as text, not as a tag.
  assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\')"'),
    '<IMG SRC=\"javascript:alert(\'XSS\')"');
  assert.equal(xss('<iframe src=http://ha.ckers.org/scriptlet.html <'),
    '<iframe src=http://ha.ckers.org/scriptlet.html <');

  // "javascript:" inside a CSS url() is rejected.
  assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', { whiteList: { a: ['style'] } }), '<a style>');
  assert.equal(xss('<td background="url(\'javascript:alert(1)\')">', { whiteList: { td: ['background'] } }), '<td background>');

  // CSS expression() is rejected.
  assert.equal(xss('<DIV STYLE="width: \nexpression(alert(1));">', { whiteList: { div: ['style'] } }), '<div style>');
  // Malformed url() with a dangerous scheme.
  assert.equal(xss('<DIV STYLE="background:\n url (javascript:ooxx);">', { whiteList: { div: ['style'] } }), '<div style>');
  assert.equal(xss('<DIV STYLE="background:url (javascript:ooxx);">', { whiteList: { div: ['style'] } }), '<div style>');
  // Harmless url() is kept, with whitespace normalized.
  assert.equal(xss('<DIV STYLE="background: url (ooxx);">', { whiteList: { div: ['style'] } }), '<div style="background:url (ooxx);">');

  // Other script schemes and comment-split scheme names.
  assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src>');
  assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src>');
  assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src>');
  assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href>');
  assert.equal(xss('<a href="javascript">'), '<a href>');
  // Accepted href forms: absolute paths, http(s), mailto and fragments;
  // anything else is emptied.
  assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
  assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
  assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
  assert.equal(xss('<a href="https://aa.com">'), '<a href="https://aa.com">');
  assert.equal(xss('<a href="mailto:me@ucdok.com">'), '<a href="mailto:me@ucdok.com">');
  assert.equal(xss('<a href="#hello">'), '<a href="#hello">');
  assert.equal(xss('<a href="other">'), '<a href>');

  // Not handled yet (the fraction/cent characters below are presumably
  // decoded entities in this listing).
  //assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');

  // Conditional comments survive only with allowCommentTag.
  assert.equal(xss('<!--[if gte IE 4]><SCRI' + 'PT>alert(\'XSS\');</SCRI' + 'PT><![endif]--> END', { allowCommentTag: true }),
    '<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]--> END');
  assert.equal(xss('<!--[if gte IE 4]><SCRI' + 'PT>alert(\'XSS\');</SCRI' + 'PT><![endif]--> END'), ' END');

  // HTML5 named entities for colon and newline, with and without the
  // trailing semicolon.
  // NOTE(review): two of the strings below are split across lines in this
  // listing, which is not valid JavaScript; the committed file presumably
  // encodes the newline as an entity — confirm against the repository.
  assert.equal(xss('<a href="javascript:alert(/xss/)">'), '<a href>');
  assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), '<a href>');
  assert.equal(xss('<a href="a
b">'), '<a href>');
  assert.equal(xss('<a href="a&NewLineb">'), '<a href>');
  assert.equal(xss('<a href="javasc
ript:alert(1)">'), '<a href>');

  // The data: scheme is rejected regardless of spacing or media type.
  assert.equal(xss('<a href="data:">'), '<a href>');
  assert.equal(xss('<a href="d a t a : ">'), '<a href>');
  assert.equal(xss('<a href="data: html/text;">'), '<a href>');
  assert.equal(xss('<a href="data:html/text;">'), '<a href>');
  assert.equal(xss('<a href="data:html /text;">'), '<a href>');
  assert.equal(xss('<a href="data: image/text;">'), '<a href>');
  assert.equal(xss('<img src="data: aaa/text;">'), '<img src>');
  assert.equal(xss('<img src="data:image/png; base64; ofdkofiodiofl">'), '<img src>');

  // HTML comment handling: closed comments are removed, an unterminated
  // one is left as text.
  assert.equal(xss('<!-- -->', { allowCommentTag: false }), '');
  assert.equal(xss('<!-- a -->', { allowCommentTag: false }), '');
  assert.equal(xss('<!--sa -->ss', { allowCommentTag: false }), 'ss');
  assert.equal(xss('<!-- ', { allowCommentTag: false }), '<!-- ');
});
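it('no options mutated', function () {
  // The caller's options object must come back untouched, both from the
  // functional entry point and from the FilterXSS constructor.
  var options = {};

  xss('test', options);
  assert.deepEqual(options, {});

  // Constructed only for its (absence of) side effects on `options`;
  // the instance itself is not needed.
  new _xss.FilterXSS(options);
  assert.deepEqual(options, {});
});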
});