修正 issue #41 href默认允许#开头

2015-12-01 21:53:59 +08:00
parent e32c2676dc
commit 4ff066f0f6
2 changed files with 3 additions and 1 deletions
--- a/dist/xss.js
+++ b/dist/xss.js
@@ -151,12 +151,13 @@ function safeAttrValue (tag, name, value, cssFilter) {

  if (name === 'href' || name === 'src') {
    // 过滤 href 和 src 属性
-    // 仅允许 http:// | https:// | mailto: | / 开头的地址
+    // 仅允许 http:// | https:// | mailto: | / | # 开头的地址
    value = _.trim(value);
    if (value === '#') return '#';
    if (!(value.substr(0, 7) === 'http://' ||
         value.substr(0, 8) === 'https://' ||
         value.substr(0, 7) === 'mailto:' ||
+         value[0] === '#' ||
         value[0] === '/')) {
      return '';
    }
--- a/test/test_xss.js
+++ b/test/test_xss.js
@@ -199,6 +199,7 @@ describe('test XSS', function () {
    assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
    assert.equal(xss('<a href="https://aa.com">'), '<a href="https://aa.com">');
    assert.equal(xss('<a href="mailto:me@ucdok.com">'), '<a href="mailto:me@ucdok.com">');
+    assert.equal(xss('<a href="#hello">'), '<a href="#hello">');
    assert.equal(xss('<a href="other">'), '<a href>');

    // 这个暂时不知道怎么处理