href和src属性,如果被过滤则返回空值
@@ -119,15 +119,16 @@ function safeAttrValue (tag, name, value) {
|
||||
// 过滤 href 和 src 属性
|
||||
// 仅允许 http:// | https:// | / 开头的地址
|
||||
value = value.trim();
|
||||
if (value === '#') return '#';
|
||||
if (value && !REGEXP_DEFAULT_ON_TAG_ATTR_1.test(value)) {
|
||||
return '#';
|
||||
return '';
|
||||
}
|
||||
} else if (name === 'style') {
|
||||
// 过滤 style 属性 (这个xss漏洞较老了,可能已经不适用)
|
||||
// javascript:
|
||||
REGEXP_DEFAULT_ON_TAG_ATTR_3.lastIndex = 0;
|
||||
if (REGEXP_DEFAULT_ON_TAG_ATTR_3.test(value)) {
|
||||
return '#';
|
||||
return '';
|
||||
}
|
||||
// /*注释*/
|
||||
REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
|
||||
|
||||
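Review bot: The href/src branch calls `REGEXP_DEFAULT_ON_TAG_ATTR_1.test(value)` without resetting `lastIndex`, whereas the style branch in the same hunk resets `REGEXP_DEFAULT_ON_TAG_ATTR_3.lastIndex` and `REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex` before each test; if that regexp is declared with a `g` or `y` flag (its definition is outside this hunk) the outcome of the check would depend on the previous call. Adding `REGEXP_DEFAULT_ON_TAG_ATTR_1.lastIndex = 0;` before the `if`, or confirming the flag is absent, makes the three checks consistent. The two new `return '';` lines also deserve a comment stating the contract they introduce, e.g. `// empty string = attribute value dropped; the caller renders a bare attribute such as <a href>`, because an empty href resolves to the document's own URL rather than to a fragment as the former `'#'` did, and the output no longer distinguishes a filtered value from one that was empty to begin with. safeAttrValue starts before and continues after this hunk.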
@@ -238,7 +238,7 @@ describe('test custom XSS method', function () {
|
||||
var source = '<a href="javascript:alert(/xss/)" title="hi">link</a>';
|
||||
var html = xss(source);
|
||||
console.log(html);
|
||||
assert.equal(html, '<a href="#" title="hi">link</a>');
|
||||
assert.equal(html, '<a href title="hi">link</a>');
|
||||
});
|
||||
|
||||
it('#safeAttrValue - return new value', function () {
|
||||
|
||||
@@ -52,9 +52,9 @@ describe('test XSS', function () {
|
||||
assert.equal(xss('<a title=abc(\'d\')>'), '<a title="abc(\'d\')">');
|
||||
|
||||
// 单个闭合标签
|
||||
assert.equal(xss('<img src="#"/>'), '<img src="#" />');
|
||||
assert.equal(xss('<img src="#" />'), '<img src="#" />');
|
||||
assert.equal(xss('<img src="#"//>'), '<img src="#" />');
|
||||
assert.equal(xss('<img src/>'), '<img src />');
|
||||
assert.equal(xss('<img src />'), '<img src />');
|
||||
assert.equal(xss('<img src//>'), '<img src />');
|
||||
assert.equal(xss('<br/>'), '<br />');
|
||||
assert.equal(xss('<br />'), '<br />');
|
||||
|
||||
@@ -82,36 +82,36 @@ describe('test XSS', function () {
|
||||
assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'),
|
||||
'<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>');
|
||||
|
||||
assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\');">'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\');">'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC=javascript:alert(\'XSS\')>'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC=javascript:alert(\'XSS\')>'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'), '<img>');
|
||||
|
||||
assert.equal(xss('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
|
||||
'<img src="#">');
|
||||
'<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
|
||||
'<img src="#">');
|
||||
'<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
|
||||
'<img src="#">');
|
||||
'<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC="jav ascript:alert(\'XSS\');">'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC="jav ascript:alert(\'XSS\');">'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC="jav	ascript:alert(\'XSS\');">'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC="jav	ascript:alert(\'XSS\');">'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC="jav\nascript:alert(\'XSS\');">'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC="jav\nascript:alert(\'XSS\');">'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC=java\0script:alert(\"XSS\")>'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC=java\0script:alert(\"XSS\")>'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC="  javascript:alert(\'XSS\');">'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC="  javascript:alert(\'XSS\');">'), '<img src>');
|
||||
|
||||
assert.equal(xss('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>'),
|
||||
'<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>');
|
||||
@@ -136,15 +136,15 @@ describe('test XSS', function () {
|
||||
|
||||
assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', {whiteList: {a: ['style']}}), '<a style>');
|
||||
|
||||
assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src>');
|
||||
|
||||
assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src="#">');
|
||||
assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src>');
|
||||
|
||||
assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href>');
|
||||
|
||||
assert.equal(xss('<a href="javascript">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="javascript">'), '<a href>');
|
||||
assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
|
||||
assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
|
||||
assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
|
||||
@@ -157,21 +157,21 @@ describe('test XSS', function () {
|
||||
'<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]-->');
|
||||
|
||||
// HTML5新增实体编码 冒号: 换行

|
||||
assert.equal(xss('<a href="javascript:alert(/xss/)">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="a
b">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="a&NewLineb">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="javasc
ript:alert(1)">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="javascript:alert(/xss/)">'), '<a href>');
|
||||
assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), '<a href>');
|
||||
assert.equal(xss('<a href="a
b">'), '<a href>');
|
||||
assert.equal(xss('<a href="a&NewLineb">'), '<a href>');
|
||||
assert.equal(xss('<a href="javasc
ript:alert(1)">'), '<a href>');
|
||||
|
||||
// data URI 协议过滤
|
||||
assert.equal(xss('<a href="data:">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="d a t a : ">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="data: html/text;">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="data:html/text;">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="data:html /text;">'), '<a href="#">');
|
||||
assert.equal(xss('<a href="data: image/text;">'), '<a href="#">');
|
||||
assert.equal(xss('<img src="data: aaa/text;">'), '<img src="#">');
|
||||
assert.equal(xss('<img src="data:image/png; base64; ofdkofiodiofl">'), '<img src="#">');
|
||||
assert.equal(xss('<a href="data:">'), '<a href>');
|
||||
assert.equal(xss('<a href="d a t a : ">'), '<a href>');
|
||||
assert.equal(xss('<a href="data: html/text;">'), '<a href>');
|
||||
assert.equal(xss('<a href="data:html/text;">'), '<a href>');
|
||||
assert.equal(xss('<a href="data:html /text;">'), '<a href>');
|
||||
assert.equal(xss('<a href="data: image/text;">'), '<a href>');
|
||||
assert.equal(xss('<img src="data: aaa/text;">'), '<img src>');
|
||||
assert.equal(xss('<img src="data:image/png; base64; ofdkofiodiofl">'), '<img src>');
|
||||
|
||||
});
|
||||
|
||||
|
||||