leizongmin/js-xss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update handling of quoteStart to prevent sanitization bypass using non-space whitespace.

Browse Source
This commit is contained in:
Tom Anthony
2021-01-25 21:17:00 +01:00
parent 49a25b4d85
commit 51de741f7b
2 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/parser.js
View File

@@ -89,7 +89,7 @@ function parseTag(html, onTag, escapeHtml) {
var i = 1;
var ic = html.charAt(currentPos - i);
while ((ic === " ") || (ic === "=")) {
while ((ic.trim() === "") || (ic === "=")) {
if (ic === "=") {
quoteStart = c;
continue chariterator;

17
test/test_custom_method.js
View File

@@ -360,7 +360,7 @@ describe("test custom XSS method", function() {
);
});
it("#onTag - sanitize html parameter", function() {
it("#onTag - sanitize html parameter space", function() {
var source = '<a target= " href="><script>alert(2)</script>"><span>';
var i = 0;
var html = xss(source, {
@@ -374,4 +374,19 @@ describe("test custom XSS method", function() {
debug(html);
assert.equal(html, '<a target= " href="><span>&lt;script&gt;alert(2)&lt;/script&gt;"&gt;<span>');
});
it("#onTag - sanitize html parameter tab", function() {
var source = '<a target= " href="><script>alert(2)</script>"><span>';
var i = 0;
var html = xss(source, {
onTag: function(_, E, S) {
if (S.isWhite && "a" === _) {
if (S.isClosing) return "</span></a>";
return "".concat(E, '<span>');
}
}
});
debug(html);
assert.equal(html, '<a target= " href="><span>&lt;script&gt;alert(2)&lt;/script&gt;"&gt;<span>');
});
});