leizongmin/js-xss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

代码风格

Browse Source
This commit is contained in:
Lei Zongmin
2013-05-07 12:50:56 +08:00
parent bd8397a26d
commit 70ac8f1b79
1 changed files with 33 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
lib/index.js
View File

@@ -47,6 +47,18 @@ var defaultWhiteList = {
video: ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width'], video: ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width'],
}; };
// 正则表达式
var REGEXP_LT = /</g;
var REGEXP_GT = />/g;
var REGEXP_QUOTE = /"/g;
var REGEXP_ATTR_NAME = /[^a-zA-Z0-9_:\.\-]/img;
var REGEXP_ATTR_VALUE = /&#([a-zA-Z0-9]*);?/img;
var REGEXP_DEFAULT_ON_TAG_ATTR_1 = /\/\*|\*\//mg;
var REGEXP_DEFAULT_ON_TAG_ATTR_2 = /^[\s"'`]*((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig;
var REGEXP_DEFAULT_ON_TAG_ATTR_3 = /\/\*|\*\//mg;
var REGEXP_DEFAULT_ON_TAG_ATTR_4 = /((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig;
/** /**
* 过滤属性值 * 过滤属性值
* *
@@ -55,19 +67,23 @@ var defaultWhiteList = {
* @param {string} value 属性值 * @param {string} value 属性值
* @return {string} 若不需要修改属性值,不返回任何值 * @return {string} 若不需要修改属性值,不返回任何值
*/ */
var defaultOnTagAttr = function (tag, attr, value) { function defaultOnTagAttr (tag, attr, value) {
if (attr === 'href' || attr === 'src') { if (attr === 'href' || attr === 'src') {
if (/\/\*|\*\//mg.test(value)) { REGEXP_DEFAULT_ON_TAG_ATTR_1.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_1.test(value)) {
return '#'; return '#';
} }
if (/^[\s"'`]*((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig.test(value)) { REGEXP_DEFAULT_ON_TAG_ATTR_2.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_2.test(value)) {
return '#'; return '#';
} }
} else if (attr === 'style') { } else if (attr === 'style') {
if (/\/\*|\*\//mg.test(value)) { REGEXP_DEFAULT_ON_TAG_ATTR_3.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_3.test(value)) {
return '#'; return '#';
} }
if (/((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig.test(value)) { REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
return ''; return '';
} }
} }
@@ -84,7 +100,7 @@ var defaultOnTagAttr = function (tag, attr, value) {
* isClosing是否为闭合标签如</a> * isClosing是否为闭合标签如</a>
* @return {string} 若不返回任何值,则默认替换<>为&lt;&gt; * @return {string} 若不返回任何值,则默认替换<>为&lt;&gt;
*/ */
var defaultOnIgnoreTag = function (tag, html, options) { function defaultOnIgnoreTag (tag, html, options) {
return noTag(html); return noTag(html);
}; };
@@ -95,10 +111,12 @@ var defaultOnIgnoreTag = function (tag, html, options) {
* @param {string} text * @param {string} text
* @return {string} * @return {string}
*/ */
var noTag = function (text) { function noTag (text) {
return text.replace(/</g, '&lt;').replace(/>/g, '&gt;'); return text.replace(REGEXP_LT, '&lt;').replace(REGEXP_GT, '&gt;');
}; };
/** /**
* XSS过滤 * XSS过滤
* *
@@ -106,7 +124,7 @@ var noTag = function (text) {
* @param {object} options 选项whiteList, onTagAttr, onIgnoreTag * @param {object} options 选项whiteList, onTagAttr, onIgnoreTag
* @return {string} * @return {string}
*/ */
exports = module.exports = function (html, options) { function filterXSS (html, options) {
'use strict'; 'use strict';
options = options || {}; options = options || {};
@@ -123,7 +141,7 @@ exports = module.exports = function (html, options) {
/** /**
* 过滤不合法的属性 * 过滤不合法的属性
*/ */
var filterAttributes = function (tagName, attrs) { function filterAttributes (tagName, attrs) {
tagName = tagName.toLowerCase(); tagName = tagName.toLowerCase();
var whites = whiteList[tagName]; var whites = whiteList[tagName];
var lastPos = 0; var lastPos = 0;
@@ -136,13 +154,13 @@ exports = module.exports = function (html, options) {
hasSprit = true; hasSprit = true;
return; return;
}; };
name = name.replace(/[^a-zA-Z0-9_:\.\-]/img, '').toLowerCase(); name = name.replace(REGEXP_ATTR_NAME, '').toLowerCase();
if (name.length < 1) return; if (name.length < 1) return;
if (whites.indexOf(name) !== -1) { if (whites.indexOf(name) !== -1) {
if (value) { if (value) {
value = value.trim().replace(/"/g, '&quote;'); value = value.trim().replace(REGEXP_QUOTE, '&quote;');
// 转换unicode字符 及过滤不可见字符 // 转换unicode字符 及过滤不可见字符
value = value.replace(/&#([a-zA-Z0-9]*);?/img, function (str, code) { value = value.replace(REGEXP_ATTR_VALUE, function (str, code) {
code = parseInt(code); code = parseInt(code);
return String.fromCharCode(code); return String.fromCharCode(code);
}); });
@@ -207,7 +225,7 @@ exports = module.exports = function (html, options) {
/** /**
* 检查标签是否合法 * 检查标签是否合法
*/ */
var addNewTag = function (tag, end) { function addNewTag (tag, end) {
rethtml += noTag(html.slice(lastPos, tagStart)); rethtml += noTag(html.slice(lastPos, tagStart));
lastPos = end + 1; lastPos = end + 1;
var spos = tag.slice(0, 2) === '</' ? 2 : 1; var spos = tag.slice(0, 2) === '</' ? 2 : 1;
@@ -282,6 +300,7 @@ exports = module.exports = function (html, options) {
}; };
// 默认配置 // 默认配置
exports = module.exports = filterXSS;
exports.whiteList = defaultWhiteList; exports.whiteList = defaultWhiteList;
exports.onTagAttr = defaultOnTagAttr; exports.onTagAttr = defaultOnTagAttr;
exports.onIgnoreTag = defaultOnIgnoreTag; exports.onIgnoreTag = defaultOnIgnoreTag;