v0.2.4

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "xss",
-  "version": "0.1.17",
+  "version": "0.2.4",
   "homepage": "https://github.com/leizongmin/js-xss",
   "authors": [
     "Zongmin Lei <leizongmin@gmail.com>"

dist/xss.js

@@ -495,7 +495,7 @@ function isClosing (html) {
  * @param {String} html
  * @param {Function} onTag 处理标签的函数
  *   参数格式： function (sourcePosition, position, tag, html, isClosing)
- * @param {Function} escapeHtml 对HTML进行转义的韩松
+ * @param {Function} escapeHtml 对HTML进行转义的函数
  * @return {String}
  */
 function parseTag (html, onTag, escapeHtml) {
@@ -581,12 +581,14 @@ function parseAttr (html, onAttr) {
     name = _.trim(name);
     name = name.replace(REGEXP_ATTR_NAME, '').toLowerCase();
     if (name.length < 1) return;
-    retAttrs.push(onAttr(name, value || ''));
+    var ret = onAttr(name, value || '');
+    if (ret) retAttrs.push(ret);
   };
 
   // 逐个分析字符
   for (var i = 0; i < len; i++) {
-    var c = html.charAt(i),v;
+    var c = html.charAt(i);
+    var v, j;
     if (tmpName === false && c === '=') {
       tmpName = html.slice(lastPos, i);
       lastPos = i + 1;
@@ -594,7 +596,7 @@ function parseAttr (html, onAttr) {
     }
     if (tmpName !== false) {
       if (i === lastPos && (c === '"' || c === "'")) {
-        var j = html.indexOf(c, i + 1);
+        j = html.indexOf(c, i + 1);
         if (j === -1) {
           break;
         } else {
@@ -608,15 +610,31 @@ function parseAttr (html, onAttr) {
       }
     }
     if (c === ' ') {
-      v = _.trim(html.slice(lastPos, i));
       if (tmpName === false) {
-        addAttr(v);
+        j = findNextEqual(html, i);
+        if (j === -1) {
+          v = _.trim(html.slice(lastPos, i));
+          addAttr(v);
+          tmpName = false;
+          lastPos = i + 1;
+          continue;
+        } else {
+          i = j - 1;
+          continue;
+        }
       } else {
-        addAttr(tmpName, v);
+        j = findBeforeEqual(html, i - 1);
+        if (j === -1) {
+          v = _.trim(html.slice(lastPos, i));
+          v = stripQuoteWrap(v);
+          addAttr(tmpName, v);
+          tmpName = false;
+          lastPos = i + 1;
+          continue;
+        } else {
+          continue;
+        }
       }
-      tmpName = false;
-      lastPos = i + 1;
-      continue;
     }
   }
 
@@ -624,16 +642,57 @@ function parseAttr (html, onAttr) {
     if (tmpName === false) {
       addAttr(html.slice(lastPos));
     } else {
-      addAttr(tmpName, html.slice(lastPos));
+      addAttr(tmpName, stripQuoteWrap(_.trim(html.slice(lastPos))));
     }
   }
 
   return _.trim(retAttrs.join(' '));
 }
 
+function findNextEqual (str, i) {
+  for (; i < str.length; i++) {
+    var c = str[i];
+    if (c === ' ') continue;
+    if (c === '=') return i;
+    return -1;
+  }
+}
+
+function findBeforeEqual (str, i) {
+  for (; i > 0; i--) {
+    var c = str[i];
+    if (c === ' ') continue;
+    if (c === '=') return i;
+    return -1;
+  }
+}
+
+function isQuoteWrapString (text) {
+  if ((text[0] === '"' && text[text.length - 1] === '"') ||
+      (text[0] === '\'' && text[text.length - 1] === '\'')) {
+    return true;
+  } else {
+    return false;
+  }
+};
+
+function stripQuoteWrap (text) {
+  if (isQuoteWrapString(text)) {
+    return text.substr(1, text.length - 2);
+  } else {
+    return text;
+  }
+};
+
+
 exports.parseTag = parseTag;
 exports.parseAttr = parseAttr;
 
+
+console.log(parseAttr(' src = "#" alt ="bbb"', function (n, v) {
+  console.log('%s=%s', n, v);
+  return n + '=' + v;
+}));
 },{"./util":4}],4:[function(require,module,exports){
 module.exports = {
   indexOf: function (arr, item) {

package.json

@@ -1,7 +1,7 @@
 {
   "name": "xss",
   "main": "./lib/index.js",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist. 根据白名单过滤HTML(防止XSS攻击)",
   "author": "leizongmin <leizongmin@gmail.com> (http://ucdok.com)",
   "contributors": [