From 857fa9de67b1fbb04051e88f8a3f16f6162d9a12 Mon Sep 17 00:00:00 2001
From: Zongmin Lei
Date: Sun, 6 Nov 2016 11:06:02 +0800
Subject: [PATCH] fix cssFilter, allow pass css=false to disable cssFilter
---
 README.md | 8 ++++++++
 README.zh.md | 8 ++++++++
 lib/default.js | 9 ++++++---
 lib/xss.js | 10 +++++++---
 test/test_custom_method.js | 13 +++++++++++++
 5 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 0084ac9..14f30b5 100644
--- a/README.md
+++ b/README.md
@@ -301,6 +301,14 @@ myxss = new xss.FilterXSS({
 html = myxss.process('');
 ```
+If you don't want to filter out the `style` content, just specify `false` to the `css` option:
+
+```javascript
+myxss = new xss.FilterXSS({
+ css: false,
+});
+```
+
 For more help, please see https://github.com/leizongmin/js-css-filter
 ### Quick Start
diff --git a/README.zh.md b/README.zh.md
index 1163e05..221731c 100644
--- a/README.zh.md
+++ b/README.zh.md
@@ -296,6 +296,14 @@ myxss = new xss.FilterXSS({
 html = myxss.process('');
 ```
+如果不想使用 CSS 过滤器来处理 `style` 属性的内容,可指定 `css` 选项的值为 `false`:
+
+```javascript
+myxss = new xss.FilterXSS({
+ css: false,
+});
+```
+
 要获取更多的帮助信息可看这里:https://github.com/leizongmin/js-css-filter
 ### 快捷配置
diff --git a/lib/default.js b/lib/default.js
index 9816d34..fe079e4 100644
--- a/lib/default.js
+++ b/lib/default.js
@@ -5,6 +5,7 @@
 */
 var FilterCSS = require('cssfilter').FilterCSS;
+var getDefaultCSSWhiteList = require('cssfilter').getDefaultWhiteList;
 var _ = require('./util');
 // 默认白名单
@@ -146,7 +147,6 @@ function escapeHtml (html) {
 * @return {String}
 */
 function safeAttrValue (tag, name, value, cssFilter) {
- cssFilter = cssFilter || defaultCSSFilter;
 // 转换为友好的属性值,再做判断
 value = friendlyAttrValue(value);
@@ -188,7 +188,10 @@ function safeAttrValue (tag, name, value, cssFilter) {
 return '';
 }
 }
- value = cssFilter.process(value);
+ if (cssFilter !== false) {
+ cssFilter = cssFilter || defaultCSSFilter;
+ value = cssFilter.process(value);
+ }
 }
 // 输出时需要转义<>"
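Review bot: In the `@@ -188` hunk, a `cssFilter` of `false` now lets the `style` value skip CSS filtering altogether, leaving apparently only the `<>"` escaping that the trailing `// 输出时需要转义<>"` comment refers to, and neither the new branch nor the `safeAttrValue` JSDoc records this contract; the `@param` tags sit above the `@@ -146` hunk, but the tag for `cssFilter` should read `@param {FilterCSS|false} cssFilter - false emits the style value without CSS filtering (only attribute escaping applies)`. A comment on the new `if` would also spell out the sentinel semantics: `// only an explicit false disables CSS filtering; undefined/null fall back to defaultCSSFilter`. The same change is split across the `@@ -146` hunk, where the unconditional `cssFilter = cssFilter || defaultCSSFilter;` is dropped so the default can be resolved lazily here; a one-line comment at the removal site saying so would save the next reader from wondering whether `cssFilter` is used unresolved in between. `safeAttrValue` continues outside both hunks, so whether any other code path reads `cssFilter` before the `style` branch cannot be confirmed from this view.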
@@ -407,4 +410,4 @@ exports.StripTagBody = StripTagBody;
 exports.stripCommentTag = stripCommentTag;
 exports.stripBlankChar = stripBlankChar;
 exports.cssFilter = defaultCSSFilter;
-
+exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;
diff --git a/lib/xss.js b/lib/xss.js
index 27f69ea..d66ec72 100644
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -54,7 +54,7 @@ function getAttrs (html) {
 * 选项:whiteList, onTag, onTagAttr, onIgnoreTag,
 * onIgnoreTagAttr, safeAttrValue, escapeHtml
 * stripIgnoreTagBody, allowCommentTag, stripBlankChar
- * css{whiteList, onAttr, onIgnoreAttr}
+ * css{whiteList, onAttr, onIgnoreAttr} css=false表示禁用cssfilter
 */
 function FilterXSS (options) {
 options = options || {};
@@ -73,10 +73,14 @@ function FilterXSS (options) {
 options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
 options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
 options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
- options.css = options.css || {};
 this.options = options;
- this.cssFilter = new FilterCSS(options.css);
+ if (options.css === false) {
+ this.cssFilter = false;
+ } else {
+ options.css = options.css || {};
+ this.cssFilter = new FilterCSS(options.css);
+ }
 }
 /**
diff --git a/test/test_custom_method.js b/test/test_custom_method.js
index 2d5b95e..b80a35f 100644
--- a/test/test_custom_method.js
+++ b/test/test_custom_method.js
@@ -323,4 +323,17 @@ describe('test custom XSS method', function () {
 assert.equal(html, 'ooxx');
 });
+ it('cssFilter', function () {
+ var whiteList = xss.getDefaultWhiteList();
+ whiteList.div.push('style');
+ assert.equal(xss('
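Review bot: In the `@@ -73` hunk of lib/xss.js, `css: false` is only honoured when the default `safeAttrValue` is in use: `options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;` a few lines above means a custom `safeAttrValue` receives `this.cssFilter === false` (assuming `process()` forwards it, which is outside the hunk) and must handle that sentinel itself, which neither the README addition nor the JSDoc line changed in the `@@ -54` hunk mentions. A comment on the new branch would make the contract explicit: `// only an explicit false disables CSS filtering; a custom safeAttrValue must honour cssFilter === false itself`. The constructor keeps mutating the caller-supplied `options` object (`options.css = options.css || {}`), a pre-existing pattern this change extends rather than introduces. Stylistically, the `@@ -54` hunk appends `css=false表示禁用cssfilter` to the option-list line of the JSDoc; it reads more clearly as its own ` * ` line beneath the list.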
hello
', { whiteList: whiteList }), + '
hello
'); + assert.equal(xss('
hello
', { whiteList: whiteList, css: false }), + '
hello
'); + var css = { whiteList: xss.getDefaultCSSWhiteList() }; + css.whiteList['vertical-align'] = true; + assert.equal(xss('
hello
', { whiteList: whiteList, css: css }), + '
hello
');
+ });
+
 });
\ No newline at end of file
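Review bot: The new `cssFilter` test mutates the objects returned by `xss.getDefaultWhiteList()` (`whiteList.div.push('style')`) and `xss.getDefaultCSSWhiteList()` (`css.whiteList['vertical-align'] = true`); whether those helpers return fresh copies or the modules' shared default tables is not visible in this patch, and if they are shared the added `style` and `vertical-align` entries would leak into every FilterXSS/FilterCSS instance created later in the suite and could mask regressions in other tests. If they are shared, copy before mutating — note that a shallow copy is not enough for `whiteList.div`, which is an array that `push` mutates in place. The markup inside the three `assert.equal` calls is not legible in this rendering, so the expected outputs cannot be checked here; a short comment above each assertion stating what it verifies (default filter keeps the property, `css: false` passes the value through, custom whitelist admits `vertical-align`) would make the intent survive such garbling.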