默认禁止标签的 style和class 属性

2013-05-27 10:54:02 +08:00
parent 021c664f14
commit 2c054677c9
2 changed files with 34 additions and 35 deletions
--- a/lib/index.js
+++ b/lib/index.js
@@ -9,40 +9,40 @@
 * 标签名=>属性列表
 */
 var defaultWhiteList = {
-  h1:     ['style', 'class'],
-  h2:     ['style', 'class'],
-  h3:     ['style', 'class'],
-  h4:     ['style', 'class'],
-  h5:     ['style', 'class'],
-  h6:     ['style', 'class'],
-  hr:     ['style', 'class'],
-  span:   ['style', 'class'],
-  strong: ['style', 'class'],
-  b:      ['style', 'class'],
-  i:      ['style', 'class'],
+  h1:     [],
+  h2:     [],
+  h3:     [],
+  h4:     [],
+  h5:     [],
+  h6:     [],
+  hr:     [],
+  span:   [],
+  strong: [],
+  b:      [],
+  i:      [],
  br:     [],
-  p:      ['style', 'class'],
-  pre:    ['style', 'class'],
-  code:   ['style', 'class'],
-  a:      ['style', 'class', 'target', 'href', 'title'],
-  img:    ['style', 'class', 'src', 'alt', 'title'],
-  div:    ['style', 'class'],
-  table:  ['style', 'class', 'width', 'border'],
-  tr:     ['style', 'class'],
-  td:     ['style', 'class', 'width', 'colspan'],
-  th:     ['style', 'class', 'width', 'colspan'],
-  tbody:  ['style', 'class'],
-  ul:     ['style', 'class'],
-  li:     ['style', 'class'],
-  ol:     ['style', 'class'],
-  dl:     ['style', 'class'],
-  dt:     ['style', 'class'],
-  em:     ['style'],
-  cite:   ['style'],
-  section:['style', 'class'],
-  header: ['style', 'class'],
-  footer: ['style', 'class'],
-  blockquote: ['style', 'class'],
+  p:      [],
+  pre:    [],
+  code:   [],
+  a:      ['target', 'href', 'title'],
+  img:    ['src', 'alt', 'title'],
+  div:    [],
+  table:  ['width', 'border'],
+  tr:     [],
+  td:     ['width', 'colspan'],
+  th:     ['width', 'colspan'],
+  tbody:  [],
+  ul:     [],
+  li:     [],
+  ol:     [],
+  dl:     [],
+  dt:     [],
+  em:     [],
+  cite:   [],
+  section:[],
+  header: [],
+  footer: [],
+  blockquote: [],
  audio:  ['autoplay', 'controls', 'loop', 'preload', 'src'],
  video:  ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width'],
 };
--- a/test/test_xss.js
+++ b/test/test_xss.js
@@ -45,7 +45,6 @@ describe('test XSS', function () {

    // 没有双引号括起来的属性值
    assert.equal(xss('<a href=home>'), '<a href="home">');
-    assert.equal(xss('<a href=home class="b">'), '<a href="home" class="b">');
    assert.equal(xss('<a href=abc("d")>'), '<a href="abc(&quote;d&quote;)">');
    assert.equal(xss('<a href=abc(\'d\')>'), '<a href="abc(\'d\')">');

@@ -192,7 +191,7 @@ describe('test XSS', function () {
    assert.equal(xss('<iframe src=http://ha.ckers.org/scriptlet.html <'),
        '&lt;iframe src=http://ha.ckers.org/scriptlet.html &lt;');

-    assert.equal(xss('<a style="url(\'javascript:alert(1)\')">'), '<a style>');
+    assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', {whiteList: {a: ['style']}}), '<a style>');

    assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src="#">');