js-xss/test/test_xss.js

/**
 * 测试XSS
 *
 * @author 老雷<leizongmin@gmail.com>
 */

var assert = require('assert');
var _xss = require('../');
var debug = require('debug')('xss:test');


function xss (html, options) {
  debug(JSON.stringify(html));
  var ret = _xss(html, options);
  debug('\t' + JSON.stringify(ret));
  return ret;
}


describe('test XSS', function () {

  it('#normal', function () {

    // 兼容各种奇葩输入
    assert.equal(xss(), '');
    assert.equal(xss(null), '');
    assert.equal(xss(123), '123');
    assert.equal(xss({a: 1111}), '[object Object]');

    // 清除不可见字符
    assert.equal(xss('a\u0000\u0001\u0002\u0003\r\n b'), 'a\u0000\u0001\u0002\u0003\r\n b');
    assert.equal(xss('a\u0000\u0001\u0002\u0003\r\n b', {stripBlankChar: true}), 'a\r\n b');

    // 过滤不在白名单的标签
    assert.equal(xss('<b>abcd</b>'), '<b>abcd</b>');
    assert.equal(xss('<o>abcd</o>'), '&lt;o&gt;abcd&lt;/o&gt;');
    assert.equal(xss('<b>abcd</o>'), '<b>abcd&lt;/o&gt;');
    assert.equal(xss('<b><o>abcd</b></o>'), '<b>&lt;o&gt;abcd</b>&lt;/o&gt;');
    assert.equal(xss('<hr>'), '<hr>');
    assert.equal(xss('<xss>'), '&lt;xss&gt;');
    assert.equal(xss('<xss o="x">'), '&lt;xss o="x"&gt;');
    assert.equal(xss('<a><b>c</b></a>'), '<a><b>c</b></a>');
    assert.equal(xss('<a><c>b</c></a>'), '<a>&lt;c&gt;b&lt;/c&gt;</a>');

    // 过滤不是标签的<>
    assert.equal(xss('<>>'), '&lt;&gt;&gt;');
    assert.equal(xss('<scri' + 'pt>'), '&lt;script&gt;');
    assert.equal(xss('<<a>b>'), '&lt;<a>b&gt;');
    assert.equal(xss('<<<a>>b</a><x>'), '&lt;&lt;<a>&gt;b</a>&lt;x&gt;');

    // 过滤不在白名单中的属性
    assert.equal(xss('<a oo="1" xx="2" title="3">yy</a>'), '<a title="3">yy</a>');
    assert.equal(xss('<a title xx oo>pp</a>'), '<a title>pp</a>');
    assert.equal(xss('<a title "">pp</a>'), '<a title>pp</a>');
    assert.equal(xss('<a t="">'), '<a>');

    // 属性内的特殊字符
    assert.equal(xss('<a title="\'<<>>">'), '<a title="\'&lt;&lt;&gt;&gt;">');
    assert.equal(xss('<a title=""">'), '<a title>');
    assert.equal(xss('<a h=title="oo">'), '<a>');
    assert.equal(xss('<a h= title="oo">'), '<a>');
    assert.equal(xss('<a title="javascript&colonalert(/xss/)">'), '<a title="javascript:alert(/xss/)">');
    assert.equal(xss('<a title"hell aa="fdfd title="ok">hello</a>'), '<a>hello</a>');

    // 自动将属性值的单引号转为双引号
    assert.equal(xss('<a title=\'abcd\'>'), '<a title="abcd">');
    assert.equal(xss('<a title=\'"\'>'), '<a title="&quot;">');

    // 没有双引号括起来的属性值
    assert.equal(xss('<a title=home>'), '<a title="home">');
    assert.equal(xss('<a title=abc("d")>'), '<a title="abc(&quot;d&quot;)">');
    assert.equal(xss('<a title=abc(\'d\')>'), '<a title="abc(\'d\')">');

    // 单个闭合标签
    assert.equal(xss('<img src/>'), '<img src />');
    assert.equal(xss('<img src />'), '<img src />');
    assert.equal(xss('<img src//>'), '<img src />');
    assert.equal(xss('<br/>'), '<br />');
    assert.equal(xss('<br />'), '<br />');

    // 畸形属性格式
    assert.equal(xss('<a target = "_blank" title ="bbb">'), '<a target="_blank" title="bbb">');
    assert.equal(xss('<a target = "_blank" title =  title =  "bbb">'), '<a target="_blank" title="title">');
    assert.equal(xss('<img width = 100    height     =200 title="xxx">'),
                     '<img width="100" height="200" title="xxx">');
    assert.equal(xss('<img width = 100    height     =200 title=xxx>'),
                     '<img width="100" height="200" title="xxx">');
    assert.equal(xss('<img width = 100    height     =200 title= xxx>'),
                     '<img width="100" height="200" title="xxx">');
    assert.equal(xss('<img width = 100    height     =200 title= "xxx">'),
                     '<img width="100" height="200" title="xxx">');
    assert.equal(xss('<img width = 100    height     =200 title= \'xxx\'>'),
                     '<img width="100" height="200" title="xxx">');
    assert.equal(xss('<img width = 100    height     =200 title = \'xxx\'>'),
                     '<img width="100" height="200" title="xxx">');
    assert.equal(xss('<img width = 100    height     =200 title= "xxx" no=yes alt="yyy">'),
                     '<img width="100" height="200" title="xxx" alt="yyy">');
    assert.equal(xss('<img width = 100    height     =200 title= "xxx" no=yes alt="\'yyy\'">'),
                     '<img width="100" height="200" title="xxx" alt="\'yyy\'">');

  });

  // 自定义白名单
  it('#white list', function () {

    // 过滤所有标签
    assert.equal(xss('<a title="xx">bb</a>', {whiteList: {}}), '&lt;a title="xx"&gt;bb&lt;/a&gt;');
    assert.equal(xss('<hr>', {whiteList: {}}), '&lt;hr&gt;');
    // 增加白名单标签及属性
    assert.equal(xss('<ooxx yy="ok" cc="no">uu</ooxx>', {whiteList: {ooxx: ['yy']}}), '<ooxx yy="ok">uu</ooxx>');

  });

  // XSS攻击测试：https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  it('#XSS_Filter_Evasion_Cheat_Sheet', function () {

    assert.equal(xss('></SCRI' + 'PT>">\'><SCRI' + 'PT>alert(String.fromCharCode(88,83,83))</SCRI' + 'PT>'),
        '&gt;&lt;/SCRIPT&gt;"&gt;\'&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;');

    assert.equal(xss(';!--"<XSS>=&{()}'), ';!--"&lt;XSS&gt;=&{()}');

    assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRI' + 'PT>'),
        '&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;');

    assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\');">'), '<img src>');

    assert.equal(xss('<IMG SRC=javascript:alert(\'XSS\')>'), '<img src>');

    assert.equal(xss('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'), '<img src>');

    assert.equal(xss('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'), '<img src>');

    assert.equal(xss('<IMG """><SCRI' + 'PT>alert("XSS")</SCRI' + 'PT>">'), '<img>&lt;SCRIPT&gt;alert("XSS")&lt;/SCRIPT&gt;"&gt;');

    assert.equal(xss('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'), '<img src>');

    assert.equal(xss('<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>'),
        '<img src>');

    assert.equal(xss('<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>'),
        '<img src>');

    assert.equal(xss('<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>'),
        '<img src>');

    assert.equal(xss('<IMG SRC="jav ascript:alert(\'XSS\');">'), '<img src>');

    assert.equal(xss('<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">'), '<img src>');

    assert.equal(xss('<IMG SRC="jav\nascript:alert(\'XSS\');">'), '<img src>');

    assert.equal(xss('<IMG SRC=java\0script:alert(\"XSS\")>'), '<img src>');

    assert.equal(xss('<IMG SRC=" &#14;  javascript:alert(\'XSS\');">'), '<img src>');

    assert.equal(xss('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRI' + 'PT>'),
        '&lt;SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;');

    assert.equal(xss('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>'),
        '&lt;BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert(\"XSS\")&gt;');

    assert.equal(xss('<<SCRI' + 'PT>alert("XSS");//<</SCRI' + 'PT>'),
        '&lt;&lt;SCRIPT&gt;alert(\"XSS\");//&lt;&lt;/SCRIPT&gt;');

    assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >'),
        '&lt;SCRIPT SRC=http://ha.ckers.org/xss.js?&lt; B &gt;');

    assert.equal(xss('<SCRIPT SRC=//ha.ckers.org/.j'),
        '&lt;SCRIPT SRC=//ha.ckers.org/.j');

    assert.equal(xss('<ſcript src="https://xss.haozi.me/j.js"></ſcript>'),
        '&lt;ſcript src="https://xss.haozi.me/j.js"&gt;&lt;/ſcript&gt;');

    assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\')"'),
        '&lt;IMG SRC=\"javascript:alert(\'XSS\')"');

    assert.equal(xss('<iframe src=http://ha.ckers.org/scriptlet.html <'),
        '&lt;iframe src=http://ha.ckers.org/scriptlet.html &lt;');

    // 过滤 javascript:
    assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', {whiteList: {a: ['style']}}), '<a style>');
    assert.equal(xss('<td background="url(\'javascript:alert(1)\')">', {whiteList: {td: ['background']}}), '<td background>');

    // 过滤 style
    assert.equal(xss('<DIV STYLE="width: \nexpression(alert(1));">', {whiteList: {div: ['style']}}), '<div style>');
    // 不正常的url
    assert.equal(xss('<DIV STYLE="background:\n url (javascript:ooxx);">', {whiteList: {div: ['style']}}), '<div style>');
    assert.equal(xss('<DIV STYLE="background:url (javascript:ooxx);">', {whiteList: {div: ['style']}}), '<div style>');
    // 正常的url
    assert.equal(xss('<DIV STYLE="background: url (ooxx);">', {whiteList: {div: ['style']}}), '<div style="background:url (ooxx);">');

    assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src>');

    assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src>');

    assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src>');

    assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href>');

    assert.equal(xss('<a href="javascript">'), '<a href>');
    assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
    assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
    assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
    assert.equal(xss('<a href="https://aa.com">'), '<a href="https://aa.com">');
    assert.equal(xss('<a href="mailto:me@ucdok.com">'), '<a href="mailto:me@ucdok.com">');
    assert.equal(xss('<a href="#hello">'), '<a href="#hello">');
    assert.equal(xss('<a href="other">'), '<a href>');

    // 这个暂时不知道怎么处理
    //assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');

    assert.equal(xss('<!--[if gte IE 4]><SCRI' + 'PT>alert(\'XSS\');</SCRI' + 'PT><![endif]--> END', {allowCommentTag: true}),
        '&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert(\'XSS\');&lt;/SCRIPT&gt;&lt;![endif]--&gt; END');
    assert.equal(xss('<!--[if gte IE 4]><SCRI' + 'PT>alert(\'XSS\');</SCRI' + 'PT><![endif]--> END'), ' END');

    // HTML5新增实体编码 冒号&colon; 换行&NewLine;
    assert.equal(xss('<a href="javascript&colon;alert(/xss/)">'), '<a href>');
    assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), '<a href>');
    assert.equal(xss('<a href="a&NewLine;b">'), '<a href>');
    assert.equal(xss('<a href="a&NewLineb">'), '<a href>');
    assert.equal(xss('<a href="javasc&NewLine;ript&colon;alert(1)">'), '<a href>');

    // data URI 协议过滤
    assert.equal(xss('<a href="data:">'), '<a href>');
    assert.equal(xss('<a href="d a t a : ">'), '<a href>');
    assert.equal(xss('<a href="data: html/text;">'), '<a href>');
    assert.equal(xss('<a href="data:html/text;">'), '<a href>');
    assert.equal(xss('<a href="data:html /text;">'), '<a href>');
    assert.equal(xss('<a href="data: image/text;">'), '<a href>');
    assert.equal(xss('<img src="data: aaa/text;">'), '<img src>');
    assert.equal(xss('<img src="data:image/png; base64; ofdkofiodiofl">'), '<img src>');

    // HTML备注处理
    assert.equal(xss('<!--                               -->', {allowCommentTag: false}), '');
    assert.equal(xss('<!--      a           -->', {allowCommentTag: false}), '');
    assert.equal(xss('<!--sa       -->ss', {allowCommentTag: false}), 'ss');
    assert.equal(xss('<!--                               ', {allowCommentTag: false}), '&lt;!--                               ');

  });

  it('no options mutated', function () {
      var options = {};

      var ret = xss('test', options);
      console.log(options);
      assert.deepEqual(options, {});

      var ret2 = new _xss.FilterXSS(options);
      console.log(options);
      assert.deepEqual(options, {});
  });

});
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
+								/**
 								 * 测试XSS
-												测试文件

											
										
										
											2014-02-13 16:38:32 +08:00
+								 *
 								 * @author 老雷<leizongmin@gmail.com>
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
+								 */
 								var assert = require('assert');
-												过滤是通过设置stripBlankChar=true来过滤不可见字符

											
										
										
											2015-01-22 14:20:55 +08:00
+								var _xss = require('../');
-												单元测试使用debug显示输出

											
										
										
											2015-12-01 22:10:48 +08:00
+								var debug = require('debug')('xss:test');
-												过滤是通过设置stripBlankChar=true来过滤不可见字符

											
										
										
											2015-01-22 14:20:55 +08:00
 								function xss (html, options) {
-												单元测试使用debug显示输出

											
										
										
											2015-12-01 22:10:48 +08:00
+								  debug(JSON.stringify(html));
-												过滤是通过设置stripBlankChar=true来过滤不可见字符

											
										
										
											2015-01-22 14:20:55 +08:00
+								  var ret = _xss(html, options);
-												单元测试使用debug显示输出

											
										
										
											2015-12-01 22:10:48 +08:00
+								  debug('\t' + JSON.stringify(ret));
-												过滤是通过设置stripBlankChar=true来过滤不可见字符

											
										
										
											2015-01-22 14:20:55 +08:00
+								  return ret;
 								}
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
 								describe('test XSS', function () {
 								  it('#normal', function () {
-												兼容各种奇葩输入

											
										
										
											2015-01-12 14:04:29 +08:00
+								    // 兼容各种奇葩输入
 								    assert.equal(xss(), '');
 								    assert.equal(xss(null), '');
 								    assert.equal(xss(123), '123');
 								    assert.equal(xss({a: 1111}), '[object Object]');
-												自动清除不可见字符

											
										
										
											2015-01-20 13:06:54 +08:00
+								    // 清除不可见字符
-												过滤是通过设置stripBlankChar=true来过滤不可见字符

											
										
										
											2015-01-22 14:20:55 +08:00
+								    assert.equal(xss('a\u0000\u0001\u0002\u0003\r\n b'), 'a\u0000\u0001\u0002\u0003\r\n b');
 								    assert.equal(xss('a\u0000\u0001\u0002\u0003\r\n b', {stripBlankChar: true}), 'a\r\n b');
-												自动清除不可见字符

											
										
										
											2015-01-20 13:06:54 +08:00
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
+								    // 过滤不在白名单的标签
 								    assert.equal(xss('<b>abcd</b>'), '<b>abcd</b>');
 								    assert.equal(xss('<o>abcd</o>'), '&lt;o&gt;abcd&lt;/o&gt;');
 								    assert.equal(xss('<b>abcd</o>'), '<b>abcd&lt;/o&gt;');
 								    assert.equal(xss('<b><o>abcd</b></o>'), '<b>&lt;o&gt;abcd</b>&lt;/o&gt;');
 								    assert.equal(xss('<hr>'), '<hr>');
 								    assert.equal(xss('<xss>'), '&lt;xss&gt;');
 								    assert.equal(xss('<xss o="x">'), '&lt;xss o="x"&gt;');
 								    assert.equal(xss('<a><b>c</b></a>'), '<a><b>c</b></a>');
 								    assert.equal(xss('<a><c>b</c></a>'), '<a>&lt;c&gt;b&lt;/c&gt;</a>');
 								    // 过滤不是标签的<>
 								    assert.equal(xss('<>>'), '&lt;&gt;&gt;');
-												修正单元测试代码 <script>  -->  <scri + pt> 保证在浏览器上测试通过

											
										
										
											2015-05-06 11:36:56 +08:00
+								    assert.equal(xss('<scri' + 'pt>'), '&lt;script&gt;');
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
+								    assert.equal(xss('<<a>b>'), '&lt;<a>b&gt;');
 								    assert.equal(xss('<<<a>>b</a><x>'), '&lt;&lt;<a>&gt;b</a>&lt;x&gt;');
-												修正无法正确识别 <br/>标签问题

											
										
										
											2013-11-05 15:40:17 +08:00
+								    // 过滤不在白名单中的属性
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    assert.equal(xss('<a oo="1" xx="2" title="3">yy</a>'), '<a title="3">yy</a>');
 								    assert.equal(xss('<a title xx oo>pp</a>'), '<a title>pp</a>');
 								    assert.equal(xss('<a title "">pp</a>'), '<a title>pp</a>');
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
+								    assert.equal(xss('<a t="">'), '<a>');
 								    // 属性内的特殊字符
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    assert.equal(xss('<a title="\'<<>>">'), '<a title="\'&lt;&lt;&gt;&gt;">');
-												Fixed issue #40 start quote only when the previous char is `=`

											
										
										
											2015-08-18 18:33:56 +08:00
+								    assert.equal(xss('<a title=""">'), '<a title>');
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    assert.equal(xss('<a h=title="oo">'), '<a>');
-												Fixed issue #37 support unstrict HTML format: allow spaces between attribute name and attribute value

											
										
										
											2015-08-02 21:20:36 +08:00
+								    assert.equal(xss('<a h= title="oo">'), '<a>');
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    assert.equal(xss('<a title="javascript&colonalert(/xss/)">'), '<a title="javascript:alert(/xss/)">');
-												Fixed issue #40 start quote only when the previous char is `=`

											
										
										
											2015-08-18 18:33:56 +08:00
+								    assert.equal(xss('<a title"hell aa="fdfd title="ok">hello</a>'), '<a>hello</a>');
-												过滤属性值内的双引号，属性值统一用双引号括起来

											
										
										
											2012-09-19 08:20:38 +08:00
 								    // 自动将属性值的单引号转为双引号
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    assert.equal(xss('<a title=\'abcd\'>'), '<a title="abcd">');
-												fixed issue #25, "&quote;" should be "&quot;"

											
										
										
											2014-12-06 16:25:35 +08:00
+								    assert.equal(xss('<a title=\'"\'>'), '<a title="&quot;">');
-												过滤属性值内的双引号，属性值统一用双引号括起来

											
										
										
											2012-09-19 08:20:38 +08:00
-												部分XSS攻击测试

											
										
										
											2012-09-19 09:04:23 +08:00
+								    // 没有双引号括起来的属性值
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    assert.equal(xss('<a title=home>'), '<a title="home">');
-												fixed issue #25, "&quote;" should be "&quot;"

											
										
										
											2014-12-06 16:25:35 +08:00
+								    assert.equal(xss('<a title=abc("d")>'), '<a title="abc(&quot;d&quot;)">');
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    assert.equal(xss('<a title=abc(\'d\')>'), '<a title="abc(\'d\')">');
-												部分XSS攻击测试

											
										
										
											2012-09-19 09:04:23 +08:00
-												onIgnoreAttr() 提供更多参数信息

											
										
										
											2012-09-20 20:30:32 +08:00
+								    // 单个闭合标签
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<img src/>'), '<img src />');
 								    assert.equal(xss('<img src />'), '<img src />');
 								    assert.equal(xss('<img src//>'), '<img src />');
-												修正无法正确识别 <br/>标签问题

											
										
										
											2013-11-05 15:40:17 +08:00
+								    assert.equal(xss('<br/>'), '<br />');
 								    assert.equal(xss('<br />'), '<br />');
-												onIgnoreAttr() 提供更多参数信息

											
										
										
											2012-09-20 20:30:32 +08:00
-												Fixed issue #37 support unstrict HTML format: allow spaces between attribute name and attribute value

											
										
										
											2015-08-02 21:20:36 +08:00
+								    // 畸形属性格式
 								    assert.equal(xss('<a target = "_blank" title ="bbb">'), '<a target="_blank" title="bbb">');
 								    assert.equal(xss('<a target = "_blank" title =  title =  "bbb">'), '<a target="_blank" title="title">');
 								    assert.equal(xss('<img width = 100    height     =200 title="xxx">'),
 								                     '<img width="100" height="200" title="xxx">');
 								    assert.equal(xss('<img width = 100    height     =200 title=xxx>'),
 								                     '<img width="100" height="200" title="xxx">');
 								    assert.equal(xss('<img width = 100    height     =200 title= xxx>'),
 								                     '<img width="100" height="200" title="xxx">');
 								    assert.equal(xss('<img width = 100    height     =200 title= "xxx">'),
 								                     '<img width="100" height="200" title="xxx">');
 								    assert.equal(xss('<img width = 100    height     =200 title= \'xxx\'>'),
 								                     '<img width="100" height="200" title="xxx">');
 								    assert.equal(xss('<img width = 100    height     =200 title = \'xxx\'>'),
 								                     '<img width="100" height="200" title="xxx">');
 								    assert.equal(xss('<img width = 100    height     =200 title= "xxx" no=yes alt="yyy">'),
 								                     '<img width="100" height="200" title="xxx" alt="yyy">');
 								    assert.equal(xss('<img width = 100    height     =200 title= "xxx" no=yes alt="\'yyy\'">'),
 								                     '<img width="100" height="200" title="xxx" alt="\'yyy\'">');
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
+								  });
-												白名单测试

											
										
										
											2014-02-13 15:01:39 +08:00
-												可自定义如何处理不在白名单中的标签

											
										
										
											2012-09-19 19:56:20 +08:00
+								  // 自定义白名单
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
+								  it('#white list', function () {
 								    // 过滤所有标签
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    assert.equal(xss('<a title="xx">bb</a>', {whiteList: {}}), '&lt;a title="xx"&gt;bb&lt;/a&gt;');
-												可自定义如何处理不在白名单中的标签

											
										
										
											2012-09-19 19:56:20 +08:00
+								    assert.equal(xss('<hr>', {whiteList: {}}), '&lt;hr&gt;');
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
+								    // 增加白名单标签及属性
-												可自定义如何处理不在白名单中的标签

											
										
										
											2012-09-19 19:56:20 +08:00
+								    assert.equal(xss('<ooxx yy="ok" cc="no">uu</ooxx>', {whiteList: {ooxx: ['yy']}}), '<ooxx yy="ok">uu</ooxx>');
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
 								  });
-												可自定义如何处理不在白名单中的标签

											
										
										
											2012-09-19 19:56:20 +08:00
-												部分XSS攻击测试

											
										
										
											2012-09-19 09:04:23 +08:00
+								  // XSS攻击测试：https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
 								  it('#XSS_Filter_Evasion_Cheat_Sheet', function () {
-												修正单元测试代码 <script>  -->  <scri + pt> 保证在浏览器上测试通过

											
										
										
											2015-05-06 11:36:56 +08:00
+								    assert.equal(xss('></SCRI' + 'PT>">\'><SCRI' + 'PT>alert(String.fromCharCode(88,83,83))</SCRI' + 'PT>'),
-												部分XSS攻击测试

											
										
										
											2012-09-19 09:04:23 +08:00
+								        '&gt;&lt;/SCRIPT&gt;"&gt;\'&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;');
 								    assert.equal(xss(';!--"<XSS>=&{()}'), ';!--"&lt;XSS&gt;=&{()}');
-												修正单元测试代码 <script>  -->  <scri + pt> 保证在浏览器上测试通过

											
										
										
											2015-05-06 11:36:56 +08:00
+								    assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRI' + 'PT>'),
-												部分XSS攻击测试

											
										
										
											2012-09-19 09:04:23 +08:00
+								        '&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;');
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\');">'), '<img src>');
-												部分XSS攻击测试

											
										
										
											2012-09-19 09:04:23 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC=javascript:alert(\'XSS\')>'), '<img src>');
-												部分XSS攻击测试

											
										
										
											2012-09-19 09:04:23 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'), '<img src>');
-												自动转换属性值中&#106;这样的字符

											
										
										
											2012-09-19 10:12:10 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'), '<img src>');
-												自动转换属性值中&#106;这样的字符

											
										
										
											2012-09-19 10:12:10 +08:00
-												Fixed issue #40 start quote only when the previous char is `=`

											
										
										
											2015-08-18 18:33:56 +08:00
+								    assert.equal(xss('<IMG """><SCRI' + 'PT>alert("XSS")</SCRI' + 'PT>">'), '<img>&lt;SCRIPT&gt;alert("XSS")&lt;/SCRIPT&gt;"&gt;');
-												自动转换属性值中&#106;这样的字符

											
										
										
											2012-09-19 10:12:10 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'), '<img src>');
-												自动转换属性值中&#106;这样的字符

											
										
										
											2012-09-19 10:12:10 +08:00
 								    assert.equal(xss('<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>'),
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								        '<img src>');
-												自动转换属性值中&#106;这样的字符

											
										
										
											2012-09-19 10:12:10 +08:00
-												修正测试代码对&#0000106这种属性值的转义测试

											
										
										
											2013-12-24 12:10:18 +08:00
+								    assert.equal(xss('<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>'),
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								        '<img src>');
-												屏蔽URL中的 ja vasc ript这样的网址

											
										
										
											2012-09-19 10:27:24 +08:00
 								    assert.equal(xss('<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>'),
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								        '<img src>');
-												屏蔽URL中的 ja vasc ript这样的网址

											
										
										
											2012-09-19 10:27:24 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC="jav ascript:alert(\'XSS\');">'), '<img src>');
-												屏蔽URL中的 ja vasc ript这样的网址

											
										
										
											2012-09-19 10:27:24 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">'), '<img src>');
-												更新测试代码

											
										
										
											2012-09-19 10:44:26 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC="jav\nascript:alert(\'XSS\');">'), '<img src>');
-												更新测试代码

											
										
										
											2012-09-19 10:44:26 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC=java\0script:alert(\"XSS\")>'), '<img src>');
-												更新测试代码

											
										
										
											2012-09-19 10:44:26 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC=" &#14;  javascript:alert(\'XSS\');">'), '<img src>');
-												更新测试代码

											
										
										
											2012-09-19 10:44:26 +08:00
-												修正单元测试代码 <script>  -->  <scri + pt> 保证在浏览器上测试通过

											
										
										
											2015-05-06 11:36:56 +08:00
+								    assert.equal(xss('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRI' + 'PT>'),
-												更新测试代码

											
										
										
											2012-09-19 10:44:26 +08:00
+								        '&lt;SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;');
 								    assert.equal(xss('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>'),
 								        '&lt;BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert(\"XSS\")&gt;');
-												修正单元测试代码 <script>  -->  <scri + pt> 保证在浏览器上测试通过

											
										
										
											2015-05-06 11:36:56 +08:00
+								    assert.equal(xss('<<SCRI' + 'PT>alert("XSS");//<</SCRI' + 'PT>'),
-												更新测试代码

											
										
										
											2012-09-19 10:44:26 +08:00
+								        '&lt;&lt;SCRIPT&gt;alert(\"XSS\");//&lt;&lt;/SCRIPT&gt;');
 								    assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >'),
 								        '&lt;SCRIPT SRC=http://ha.ckers.org/xss.js?&lt; B &gt;');
 								    assert.equal(xss('<SCRIPT SRC=//ha.ckers.org/.j'),
 								        '&lt;SCRIPT SRC=//ha.ckers.org/.j');
-												test: 增加测试用例

											
										
										
											2017-07-12 19:32:43 +08:00
+								    assert.equal(xss('<ſcript src="https://xss.haozi.me/j.js"></ſcript>'),
 								        '&lt;ſcript src="https://xss.haozi.me/j.js"&gt;&lt;/ſcript&gt;');
-												添加测试代码，基本能正常使用

											
										
										
											2012-09-19 11:10:16 +08:00
+								    assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\')"'),
 								        '&lt;IMG SRC=\"javascript:alert(\'XSS\')"');
 								    assert.equal(xss('<iframe src=http://ha.ckers.org/scriptlet.html <'),
 								        '&lt;iframe src=http://ha.ckers.org/scriptlet.html &lt;');
-												修正对style属性的过滤

											
										
										
											2014-02-20 10:44:08 +08:00
+								    // 过滤 javascript:
-												默认禁止标签的 style和class 属性

											
										
										
											2013-05-27 10:54:02 +08:00
+								    assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', {whiteList: {a: ['style']}}), '<a style>');
-												增加 td.backgorund 过滤

											
										
										
											2014-02-20 10:27:16 +08:00
+								    assert.equal(xss('<td background="url(\'javascript:alert(1)\')">', {whiteList: {td: ['background']}}), '<td background>');
-												添加测试代码，基本能正常使用

											
										
										
											2012-09-19 11:10:16 +08:00
-												修正对style属性的过滤

											
										
										
											2014-02-20 10:44:08 +08:00
+								    // 过滤 style
 								    assert.equal(xss('<DIV STYLE="width: \nexpression(alert(1));">', {whiteList: {div: ['style']}}), '<div style>');
 								    // 不正常的url
 								    assert.equal(xss('<DIV STYLE="background:\n url (javascript:ooxx);">', {whiteList: {div: ['style']}}), '<div style>');
 								    assert.equal(xss('<DIV STYLE="background:url (javascript:ooxx);">', {whiteList: {div: ['style']}}), '<div style>');
 								    // 正常的url
-												v0.2.0 使用cssfilter模块来过滤style属性

											
										
										
											2015-05-05 22:50:56 +08:00
+								    assert.equal(xss('<DIV STYLE="background: url (ooxx);">', {whiteList: {div: ['style']}}), '<div style="background:url (ooxx);">');
-												修正对style属性的过滤

											
										
										
											2014-02-20 10:44:08 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src>');
-												添加测试代码，基本能正常使用

											
										
										
											2012-09-19 11:10:16 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src>');
-												添加测试代码，基本能正常使用

											
										
										
											2012-09-19 11:10:16 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src>');
-												添加测试代码，基本能正常使用

											
										
										
											2012-09-19 11:10:16 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href>');
-												添加测试代码，基本能正常使用

											
										
										
											2012-09-19 11:10:16 +08:00
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<a href="javascript">'), '<a href>');
-												完善测试代码

											
										
										
											2013-12-24 13:13:28 +08:00
+								    assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
 								    assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
 								    assert.equal(xss('<a href="https://aa.com">'), '<a href="https://aa.com">');
-												href support "mailto:", fixed issue #24

											
										
										
											2014-11-28 15:23:14 +08:00
+								    assert.equal(xss('<a href="mailto:me@ucdok.com">'), '<a href="mailto:me@ucdok.com">');
-												修正 issue #41 href默认允许#开头

											
										
										
											2015-12-01 21:53:59 +08:00
+								    assert.equal(xss('<a href="#hello">'), '<a href="#hello">');
-												href support "mailto:", fixed issue #24

											
										
										
											2014-11-28 15:23:14 +08:00
+								    assert.equal(xss('<a href="other">'), '<a href>');
-												完善测试代码

											
										
										
											2013-12-24 13:13:28 +08:00
-												添加测试代码，基本能正常使用

											
										
										
											2012-09-19 11:10:16 +08:00
+								    // 这个暂时不知道怎么处理
 								    //assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');
-												修正单元测试代码 <script>  -->  <scri + pt> 保证在浏览器上测试通过

											
										
										
											2015-05-06 11:36:56 +08:00
+								    assert.equal(xss('<!--[if gte IE 4]><SCRI' + 'PT>alert(\'XSS\');</SCRI' + 'PT><![endif]--> END', {allowCommentTag: true}),
-												增加新的选项 allowCommentTag 来设置是否允许HTML备注标签，默认false

											
										
										
											2014-04-03 11:47:21 +08:00
+								        '&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert(\'XSS\');&lt;/SCRIPT&gt;&lt;![endif]--&gt; END');
-												修正单元测试代码 <script>  -->  <scri + pt> 保证在浏览器上测试通过

											
										
										
											2015-05-06 11:36:56 +08:00
+								    assert.equal(xss('<!--[if gte IE 4]><SCRI' + 'PT>alert(\'XSS\');</SCRI' + 'PT><![endif]--> END'), ' END');
-												添加测试代码，基本能正常使用

											
										
										
											2012-09-19 11:10:16 +08:00
-												属性值过滤： HTML5新增实体编码 冒号&colon; 换行&NewLine;

											
										
										
											2013-12-24 12:23:47 +08:00
+								    // HTML5新增实体编码 冒号&colon; 换行&NewLine;
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<a href="javascript&colon;alert(/xss/)">'), '<a href>');
 								    assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), '<a href>');
 								    assert.equal(xss('<a href="a&NewLine;b">'), '<a href>');
 								    assert.equal(xss('<a href="a&NewLineb">'), '<a href>');
 								    assert.equal(xss('<a href="javasc&NewLine;ript&colon;alert(1)">'), '<a href>');
-												过滤 data URI 协议

											
										
										
											2013-12-24 13:38:57 +08:00
-												默认href和src属性只运行 https, http, / 开头的地址

											
										
										
											2014-02-18 14:27:27 +08:00
+								    // data URI 协议过滤
-												href和src属性，如果被过滤则返回空值

											
										
										
											2014-02-18 14:35:50 +08:00
+								    assert.equal(xss('<a href="data:">'), '<a href>');
 								    assert.equal(xss('<a href="d a t a : ">'), '<a href>');
 								    assert.equal(xss('<a href="data: html/text;">'), '<a href>');
 								    assert.equal(xss('<a href="data:html/text;">'), '<a href>');
 								    assert.equal(xss('<a href="data:html /text;">'), '<a href>');
 								    assert.equal(xss('<a href="data: image/text;">'), '<a href>');
 								    assert.equal(xss('<img src="data: aaa/text;">'), '<img src>');
 								    assert.equal(xss('<img src="data:image/png; base64; ofdkofiodiofl">'), '<img src>');
-												过滤 data URI 协议

											
										
										
											2013-12-24 13:38:57 +08:00
-												添加HTML备注处理测试代码

											
										
										
											2014-09-12 12:23:36 +08:00
+								    // HTML备注处理
 								    assert.equal(xss('<!--                               -->', {allowCommentTag: false}), '');
 								    assert.equal(xss('<!--      a           -->', {allowCommentTag: false}), '');
 								    assert.equal(xss('<!--sa       -->ss', {allowCommentTag: false}), 'ss');
 								    assert.equal(xss('<!--                               ', {allowCommentTag: false}), '&lt;!--                               ');
-												部分XSS攻击测试

											
										
										
											2012-09-19 09:04:23 +08:00
+								  });
-												fix: issue #66 no options mutated

											
										
										
											2016-12-20 09:13:35 +08:00
+								  it('no options mutated', function () {
 								      var options = {};
 								      var ret = xss('test', options);
 								      console.log(options);
 								      assert.deepEqual(options, {});
 								      var ret2 = new _xss.FilterXSS(options);
 								      console.log(options);
 								      assert.deepEqual(options, {});
 								  });
-												基本代码及测试

											
										
										
											2012-09-18 23:23:16 +08:00
+								});