leizongmin/js-xss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

href和src属性,如果被过滤则返回空值

Browse Source
This commit is contained in:
Zongmin Lei
2014-02-18 14:35:50 +08:00
parent e2272386a1
commit 519f0ed944
3 changed files with 38 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/default.js
View File

@@ -119,15 +119,16 @@ function safeAttrValue (tag, name, value) {
// 过滤 href 和 src 属性 // 过滤 href 和 src 属性
// 仅允许 http:// | https:// | / 开头的地址 // 仅允许 http:// | https:// | / 开头的地址
value = value.trim(); value = value.trim();
if (value === '#') return '#';
if (value && !REGEXP_DEFAULT_ON_TAG_ATTR_1.test(value)) { if (value && !REGEXP_DEFAULT_ON_TAG_ATTR_1.test(value)) {
return '#'; return '';
} }
} else if (name === 'style') { } else if (name === 'style') {
// 过滤 style 属性 这个xss漏洞较老了可能已经不适用 // 过滤 style 属性 这个xss漏洞较老了可能已经不适用
// javascript: // javascript:
REGEXP_DEFAULT_ON_TAG_ATTR_3.lastIndex = 0; REGEXP_DEFAULT_ON_TAG_ATTR_3.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_3.test(value)) { if (REGEXP_DEFAULT_ON_TAG_ATTR_3.test(value)) {
return '#'; return '';
} }
// /*注释*/ // /*注释*/
REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0; REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;

2
test/test_custom_method.js
View File

@@ -238,7 +238,7 @@ describe('test custom XSS method', function () {
var source = '<a href="javascript:alert(/xss/)" title="hi">link</a>'; var source = '<a href="javascript:alert(/xss/)" title="hi">link</a>';
var html = xss(source); var html = xss(source);
console.log(html); console.log(html);
assert.equal(html, '<a href="#" title="hi">link</a>'); assert.equal(html, '<a href title="hi">link</a>');
}); });
it('#safeAttrValue - return new value', function () { it('#safeAttrValue - return new value', function () {

68
test/test_xss.js
View File

@@ -52,9 +52,9 @@ describe('test XSS', function () {
assert.equal(xss('<a title=abc(\'d\')>'), '<a title="abc(\'d\')">'); assert.equal(xss('<a title=abc(\'d\')>'), '<a title="abc(\'d\')">');
// 单个闭合标签 // 单个闭合标签
assert.equal(xss('<img src="#"/>'), '<img src="#" />'); assert.equal(xss('<img src/>'), '<img src />');
assert.equal(xss('<img src="#" />'), '<img src="#" />'); assert.equal(xss('<img src />'), '<img src />');
assert.equal(xss('<img src="#"//>'), '<img src="#" />'); assert.equal(xss('<img src//>'), '<img src />');
assert.equal(xss('<br/>'), '<br />'); assert.equal(xss('<br/>'), '<br />');
assert.equal(xss('<br />'), '<br />'); assert.equal(xss('<br />'), '<br />');
@@ -82,36 +82,36 @@ describe('test XSS', function () {
assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'), assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'),
'&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;'); '&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;');
assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\');">'), '<img src="#">'); assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\');">'), '<img src>');
assert.equal(xss('<IMG SRC=javascript:alert(\'XSS\')>'), '<img src="#">'); assert.equal(xss('<IMG SRC=javascript:alert(\'XSS\')>'), '<img src>');
assert.equal(xss('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'), '<img src="#">'); assert.equal(xss('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'), '<img src>');
assert.equal(xss('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'), '<img src="#">'); assert.equal(xss('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'), '<img src>');
assert.equal(xss('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'), '<img>'); assert.equal(xss('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'), '<img>');
assert.equal(xss('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'), '<img src="#">'); assert.equal(xss('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'), '<img src>');
assert.equal(xss('<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>'), assert.equal(xss('<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>'),
'<img src="#">'); '<img src>');
assert.equal(xss('<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>'), assert.equal(xss('<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>'),
'<img src="#">'); '<img src>');
assert.equal(xss('<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>'), assert.equal(xss('<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>'),
'<img src="#">'); '<img src>');
assert.equal(xss('<IMG SRC="jav ascript:alert(\'XSS\');">'), '<img src="#">'); assert.equal(xss('<IMG SRC="jav ascript:alert(\'XSS\');">'), '<img src>');
assert.equal(xss('<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">'), '<img src="#">'); assert.equal(xss('<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">'), '<img src>');
assert.equal(xss('<IMG SRC="jav\nascript:alert(\'XSS\');">'), '<img src="#">'); assert.equal(xss('<IMG SRC="jav\nascript:alert(\'XSS\');">'), '<img src>');
assert.equal(xss('<IMG SRC=java\0script:alert(\"XSS\")>'), '<img src="#">'); assert.equal(xss('<IMG SRC=java\0script:alert(\"XSS\")>'), '<img src>');
assert.equal(xss('<IMG SRC=" &#14; javascript:alert(\'XSS\');">'), '<img src="#">'); assert.equal(xss('<IMG SRC=" &#14; javascript:alert(\'XSS\');">'), '<img src>');
assert.equal(xss('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>'), assert.equal(xss('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>'),
'&lt;SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;'); '&lt;SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;');
@@ -136,15 +136,15 @@ describe('test XSS', function () {
assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', {whiteList: {a: ['style']}}), '<a style>'); assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', {whiteList: {a: ['style']}}), '<a style>');
assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src="#">'); assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src>');
assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src="#">'); assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src>');
assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src="#">'); assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src>');
assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href="#">'); assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href>');
assert.equal(xss('<a href="javascript">'), '<a href="#">'); assert.equal(xss('<a href="javascript">'), '<a href>');
assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">'); assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">'); assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">'); assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
@@ -157,21 +157,21 @@ describe('test XSS', function () {
'&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert(\'XSS\');&lt;/SCRIPT&gt;&lt;![endif]--&gt;'); '&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert(\'XSS\');&lt;/SCRIPT&gt;&lt;![endif]--&gt;');
// HTML5新增实体编码 冒号&colon; 换行&NewLine; // HTML5新增实体编码 冒号&colon; 换行&NewLine;
assert.equal(xss('<a href="javascript&colon;alert(/xss/)">'), '<a href="#">'); assert.equal(xss('<a href="javascript&colon;alert(/xss/)">'), '<a href>');
assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), '<a href="#">'); assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), '<a href>');
assert.equal(xss('<a href="a&NewLine;b">'), '<a href="#">'); assert.equal(xss('<a href="a&NewLine;b">'), '<a href>');
assert.equal(xss('<a href="a&NewLineb">'), '<a href="#">'); assert.equal(xss('<a href="a&NewLineb">'), '<a href>');
assert.equal(xss('<a href="javasc&NewLine;ript&colon;alert(1)">'), '<a href="#">'); assert.equal(xss('<a href="javasc&NewLine;ript&colon;alert(1)">'), '<a href>');
// data URI 协议过滤 // data URI 协议过滤
assert.equal(xss('<a href="data:">'), '<a href="#">'); assert.equal(xss('<a href="data:">'), '<a href>');
assert.equal(xss('<a href="d a t a : ">'), '<a href="#">'); assert.equal(xss('<a href="d a t a : ">'), '<a href>');
assert.equal(xss('<a href="data: html/text;">'), '<a href="#">'); assert.equal(xss('<a href="data: html/text;">'), '<a href>');
assert.equal(xss('<a href="data:html/text;">'), '<a href="#">'); assert.equal(xss('<a href="data:html/text;">'), '<a href>');
assert.equal(xss('<a href="data:html /text;">'), '<a href="#">'); assert.equal(xss('<a href="data:html /text;">'), '<a href>');
assert.equal(xss('<a href="data: image/text;">'), '<a href="#">'); assert.equal(xss('<a href="data: image/text;">'), '<a href>');
assert.equal(xss('<img src="data: aaa/text;">'), '<img src="#">'); assert.equal(xss('<img src="data: aaa/text;">'), '<img src>');
assert.equal(xss('<img src="data:image/png; base64; ofdkofiodiofl">'), '<img src="#">'); assert.equal(xss('<img src="data:image/png; base64; ofdkofiodiofl">'), '<img src>');
}); });