test: stripIgnoreTag
This commit is contained in:
Zongmin Lei
@@ -255,6 +255,13 @@ function escapeAttrValue (str) {
|
||||
return str;
|
||||
}
|
||||
|
||||
/**
|
||||
* 去掉不在白名单中的标签onIgnoreTag处理方法
|
||||
*/
|
||||
function onIgnoreTagStripAll () {
|
||||
return '';
|
||||
}
|
||||
|
||||
|
||||
exports.whiteList = whiteList;
|
||||
exports.onTag = onTag;
|
||||
@@ -270,3 +277,4 @@ exports.escapeDangerHtml5Entities = escapeDangerHtml5Entities;
|
||||
exports.clearNonPrintableCharacter = clearNonPrintableCharacter;
|
||||
exports.friendlyAttrValue = friendlyAttrValue;
|
||||
exports.escapeAttrValue = escapeAttrValue;
|
||||
exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
|
||||
|
||||
@@ -52,6 +52,14 @@ function getAttrs (html) {
|
||||
*/
|
||||
function FilterXSS (options) {
|
||||
options = options || {};
|
||||
|
||||
if (options.stripIgnoreTag) {
|
||||
if (options.onIgnoreTag) {
|
||||
console.error('Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time');
|
||||
}
|
||||
options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll;
|
||||
}
|
||||
|
||||
options.whiteList = options.whiteList || DEFAULT.whiteList;
|
||||
options.onTag = options.onTag || DEFAULT.onTag;
|
||||
options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
|
||||
|
||||
@@ -252,67 +252,13 @@ describe('test custom XSS method', function () {
|
||||
assert.equal(html, '<a href="$href$" title="$title$">link</a>');
|
||||
});
|
||||
|
||||
/*
|
||||
// 自定义过滤属性函数
|
||||
it('#process attribute value', function () {
|
||||
|
||||
assert.equal(xss('<a href="ignore:ooxx">abc</a><a href="ooxx">', {
|
||||
onTagAttr: function (tag, attr, value) {
|
||||
if (tag === 'a' && attr === 'href') {
|
||||
if (value.substr(0, 7) === 'ignore:') {
|
||||
return '#';
|
||||
}
|
||||
}
|
||||
}
|
||||
}), '<a href="#">abc</a><a href="ooxx">');
|
||||
|
||||
it('#stripIgnoreTag', function () {
|
||||
var source = '<x>yy</x><a>bb</a>';
|
||||
var html = xss(source, {
|
||||
stripIgnoreTag: true
|
||||
});
|
||||
console.log(html);
|
||||
assert.equal(html, 'yy<a>bb</a>');
|
||||
});
|
||||
|
||||
// 自定义处理不在白名单中的标签
|
||||
it('#process ignore tag', function () {
|
||||
|
||||
// 过滤标签
|
||||
assert.equal(xss('<ooxx xxyy>ookk</ooxx><img>', {
|
||||
onIgnoreTag: function (tag, html) {
|
||||
return '';
|
||||
}
|
||||
}), 'ookk<img>');
|
||||
assert.equal(xss('<ooxx xxyy>ookk</ooxx><img>', {
|
||||
onIgnoreTag: function (tag, html) {
|
||||
return '[removed]';
|
||||
}
|
||||
}), '[removed]ookk[removed]<img>');
|
||||
|
||||
// 检验附加属性
|
||||
var isClosing = [];
|
||||
var position = [];
|
||||
var originPosition = [];
|
||||
var html = xss('TTG:<ooxx href="ooy" >ds</ooxx>--ds d<yy hh uu>', {
|
||||
onIgnoreTag: function (tag, html, options) {
|
||||
isClosing.push(options.isClosing);
|
||||
position.push(options.position);
|
||||
originPosition.push(options.originPosition);
|
||||
}
|
||||
});
|
||||
//console.log(html);
|
||||
assert.deepEqual(isClosing, [false, true, false]);
|
||||
assert.deepEqual(position, [4, 30, 50]);
|
||||
assert.deepEqual(originPosition, [4, 24, 38]);
|
||||
|
||||
// 替换检验 utils.tagFilter()
|
||||
var filter = xss.utils.tagFilter(['script']);
|
||||
var html = xss('<b >script is <script t="d">alert("xss"); ooxx()</script>, wahaha!!</b>', {
|
||||
onIgnoreTag: filter.onIgnoreTag
|
||||
});
|
||||
assert.equal(filter.filter(html), '<b>script is , wahaha!!</b>');
|
||||
|
||||
var filter = xss.utils.tagFilter(['x2']);
|
||||
var html = xss('<x1></b><x2>dds</x2><x3>fd</x3>', {
|
||||
onIgnoreTag: filter.onIgnoreTag
|
||||
});
|
||||
assert.equal(filter.filter(html), '<x1></b><x3>fd</x3>');
|
||||
|
||||
});
|
||||
*/
|
||||
|
||||
});
|
||||
Reference in New Issue
Block a user