Revert "fix: comment has encoded (#257)"

This reverts commit 9f6a37b34d.
LEI Zongmin
2022-06-06 23:59:59 +08:00
parent 76d87aa002
commit 352ae5331f
3 changed files with 2 additions and 14 deletions


@@ -159,15 +159,6 @@ function escapeHtml(html) {
return html.replace(REGEXP_LT, "<").replace(REGEXP_GT, ">");
}
/**
* default escapeHtml function but dont escape comment
*
* @param {String} html
*/
function escapeHtmlNotComment(html) {
return html.replace(REGEXP_LT_NOT_COMMENT, "<").replace(REGEXP_RT_NOT_COMMENT, ">");
}
/**
* default safeAttrValue function
*
@@ -237,8 +228,6 @@ function safeAttrValue(tag, name, value, cssFilter) {
// RegExp list
var REGEXP_LT = /</g;
var REGEXP_GT = />/g;
var REGEXP_LT_NOT_COMMENT = /<(?!!--)/g;
var REGEXP_RT_NOT_COMMENT = /(?<!--)>/g;
var REGEXP_QUOTE = /"/g;
var REGEXP_QUOTE_2 = /&quot;/g;
var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim;
@@ -455,7 +444,6 @@ exports.onTagAttr = onTagAttr;
exports.onIgnoreTagAttr = onIgnoreTagAttr;
exports.safeAttrValue = safeAttrValue;
exports.escapeHtml = escapeHtml;
exports.escapeHtmlNotComment = escapeHtmlNotComment;
exports.escapeQuote = escapeQuote;
exports.unescapeQuote = unescapeQuote;
exports.escapeHtmlEntities = escapeHtmlEntities;


@@ -105,7 +105,7 @@ function FilterXSS(options) {
options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
options.escapeHtml = options.escapeHtml || (options.allowCommentTag ? DEFAULT.escapeHtmlNotComment : DEFAULT.escapeHtml);
options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
this.options = options;
if (options.css === false) {
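Review bot: The restored fallback `options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;` has no comment saying that `allowCommentTag` no longer influences escaping, and the commit message gives no reason for the revert. The updated expectation in the test section shows that with `{ allowCommentTag: true }` the comment delimiters are now emitted as `&lt;!--` and `--&gt;`, so the conditional-comment content stays inert text, which is the conservative result for a sanitizer. I would add above the line: `// allowCommentTag does not relax escaping: comment delimiters are encoded like any other < and >`. The option's documentation should also state that a caller-supplied `options.escapeHtml` replaces this default entirely, so that function then owns the escaping of `<` and `>`. The body of FilterXSS starts and ends outside this hunk.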


@@ -371,7 +371,7 @@ describe("test XSS", function() {
"PT><![endif]--> END",
{ allowCommentTag: true }
),
"<!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--> END"
"&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--&gt; END"
);
assert.equal(
xss(