fix cssFilter, allow pass css=false to disable cssFilter

README.md

@@ -301,6 +301,14 @@ myxss = new xss.FilterXSS({
 html = myxss.process('<script>alert("xss");</script>');
 ```
 
+If you don't want to filter out the `style` content, just specify `false` to the `css` option:
+
+```javascript
+myxss = new xss.FilterXSS({
+  css: false,
+});
+```
+
 For more help, please see https://github.com/leizongmin/js-css-filter
 
 ### Quick Start

README.zh.md

@@ -296,6 +296,14 @@ myxss = new xss.FilterXSS({
 html = myxss.process('<script>alert("xss");</script>');
 ```
 
+如果不想使用 CSS 过滤器来处理 `style` 属性的内容，可指定 `css` 选项的值为 `false`：
+
+```javascript
+myxss = new xss.FilterXSS({
+  css: false,
+});
+```
+
 要获取更多的帮助信息可看这里：https://github.com/leizongmin/js-css-filter
 
 ### 快捷配置

lib/default.js

@@ -5,6 +5,7 @@
  */
 
 var FilterCSS = require('cssfilter').FilterCSS;
+var getDefaultCSSWhiteList = require('cssfilter').getDefaultWhiteList;
 var _ = require('./util');
 
 // 默认白名单
@@ -146,7 +147,6 @@ function escapeHtml (html) {
  * @return {String}
  */
 function safeAttrValue (tag, name, value, cssFilter) {
-  cssFilter = cssFilter || defaultCSSFilter;
   // 转换为友好的属性值，再做判断
   value = friendlyAttrValue(value);
 
@@ -188,7 +188,10 @@ function safeAttrValue (tag, name, value, cssFilter) {
         return '';
       }
     }
-    value = cssFilter.process(value);
+    if (cssFilter !== false) {
+      cssFilter = cssFilter || defaultCSSFilter;
+      value = cssFilter.process(value);
+    }
   }
 
   // 输出时需要转义<>"
@@ -407,4 +410,4 @@ exports.StripTagBody = StripTagBody;
 exports.stripCommentTag = stripCommentTag;
 exports.stripBlankChar = stripBlankChar;
 exports.cssFilter = defaultCSSFilter;
-
+exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;

lib/xss.js

@@ -54,7 +54,7 @@ function getAttrs (html) {
  *   选项：whiteList, onTag, onTagAttr, onIgnoreTag,
  *        onIgnoreTagAttr, safeAttrValue, escapeHtml
  *        stripIgnoreTagBody, allowCommentTag, stripBlankChar
- *        css{whiteList, onAttr, onIgnoreAttr}
+ *        css{whiteList, onAttr, onIgnoreAttr} css=false表示禁用cssfilter
  */
 function FilterXSS (options) {
   options = options || {};
@@ -73,10 +73,14 @@ function FilterXSS (options) {
   options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
   options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
   options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
-  options.css = options.css || {};
   this.options = options;
 
-  this.cssFilter = new FilterCSS(options.css);
+  if (options.css === false) {
+    this.cssFilter = false;
+  } else {
+    options.css = options.css || {};
+    this.cssFilter = new FilterCSS(options.css);
+  }
 }
 
 /**

test/test_custom_method.js

@@ -323,4 +323,17 @@ describe('test custom XSS method', function () {
     assert.equal(html, 'ooxx');
   });
 
+  it('cssFilter', function () {
+    var whiteList = xss.getDefaultWhiteList();
+    whiteList.div.push('style');
+    assert.equal(xss('<div style="width: 50%; vertical-align: top;">hello</div>', { whiteList: whiteList }),
+                     '<div style="width:50%;">hello</div>');
+    assert.equal(xss('<div style="width: 50%; vertical-align: top;">hello</div>', { whiteList: whiteList, css: false }),
+                     '<div style="width: 50%; vertical-align: top;">hello</div>');
+    var css = { whiteList: xss.getDefaultCSSWhiteList() };
+    css.whiteList['vertical-align'] = true;
+    assert.equal(xss('<div style="width: 50%; vertical-align: top;">hello</div>', { whiteList: whiteList, css: css }),
+                     '<div style="width:50%; vertical-align:top;">hello</div>');
+  });
+
 });