Merge pull request #201 from TomAnthony/fix-bypass-issue

Update handling of quoteStart to prevent sanitization bypass

lib/parser.js

@@ -55,7 +55,7 @@ function parseTag(html, onTag, escapeHtml) {
   var currentTagName = "";
   var currentHtml = "";
 
-  for (currentPos = 0; currentPos < len; currentPos++) {
+  chariterator: for (currentPos = 0; currentPos < len; currentPos++) {
     var c = html.charAt(currentPos);
     if (tagStart === false) {
       if (c === "<") {
@@ -85,9 +85,17 @@ function parseTag(html, onTag, escapeHtml) {
           tagStart = false;
           continue;
         }
-        if ((c === '"' || c === "'") && html.charAt(currentPos - 1) === "=") {
+        if ((c === '"' || c === "'")) {
-          quoteStart = c;
+          var i = 1;
-          continue;
+          var ic = html.charAt(currentPos - i);
+
+          while ((ic === " ") || (ic === "=")) {
+            if (ic === "=") {
+              quoteStart = c;
+              continue chariterator;
+            }
+            ic = html.charAt(currentPos - ++i);
+          }
         }
       } else {
         if (c === quoteStart) {

test/test_custom_method.js

@@ -359,4 +359,19 @@ describe("test custom XSS method", function() {
       '<div style="width:50%; vertical-align:top;">hello</div>'
     );
   });
+
+  it("#onTag - sanitize html parameter", function() {
+    var source = '<a target= " href="><script>alert(2)</script>"><span>';
+    var i = 0;
+    var html = xss(source, {
+      onTag: function(_, E, S) {
+        if (S.isWhite && "a" === _) {
+          if (S.isClosing) return "</span></a>";
+          return "".concat(E, '<span>');
+        }
+      }
+    });
+    debug(html);
+    assert.equal(html, '<a target= " href="><span>&lt;script&gt;alert(2)&lt;/script&gt;"&gt;<span>');
+  });
 });