leizongmin/js-xss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: update CI badge

Browse Source
This commit is contained in:
Zongmin Lei
2021-05-06 13:55:18 +08:00
parent 831a6a289d
commit 948dfb19c1
2 changed files with 125 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
README.md
View File

@@ -1,5 +1,5 @@
[![NPM version][npm-image]][npm-url]
[![build status][travis-image]][travis-url]
[![Node.js CI](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml/badge.svg)](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml)
[![Test coverage][coveralls-image]][coveralls-url]
[![David deps][david-image]][david-url]
[![node version][node-image]][node-url]
@@ -8,8 +8,6 @@
[npm-image]: https://img.shields.io/npm/v/xss.svg?style=flat-square
[npm-url]: https://npmjs.org/package/xss
[travis-image]: https://img.shields.io/travis/leizongmin/js-xss.svg?style=flat-square
[travis-url]: https://travis-ci.org/leizongmin/js-xss
[coveralls-image]: https://img.shields.io/coveralls/leizongmin/js-xss.svg?style=flat-square
[coveralls-url]: https://coveralls.io/r/leizongmin/js-xss?branch=master
[david-image]: https://img.shields.io/david/leizongmin/js-xss.svg?style=flat-square
@@ -41,26 +39,26 @@
## Features
* Specifies HTML tags and their attributes allowed with whitelist
* Handle any tags or attributes using custom function.
- Specifies HTML tags and their attributes allowed with whitelist
- Handle any tags or attributes using custom function.
## Reference
* [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
* [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme)
* [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b)
- [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
- [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme)
- [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b)
## Benchmark (for references only)
* the xss module: 22.53 MB/s
* `xss()` function from module `validator@0.3.7`: 6.9 MB/s
- the xss module: 22.53 MB/s
- `xss()` function from module `validator@0.3.7`: 6.9 MB/s
For test code please refer to `benchmark` directory.
## They are using xss module
* **nodeclub** - A Node.js bbs using MongoDB - https://github.com/cnodejs/nodeclub
* **cnpmjs.org** - Private npm registry and web for Enterprise - https://github.com/cnpm/cnpmjs.org
- **nodeclub** - A Node.js bbs using MongoDB - https://github.com/cnodejs/nodeclub
- **cnpmjs.org** - Private npm registry and web for Enterprise - https://github.com/cnpm/cnpmjs.org
## Install
@@ -100,7 +98,7 @@ Shim mode (reference file `test/test.html`):
<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
<script>
// apply function filterXSS in the same way
var html = filterXSS('<script>alert("xss");</scr' + 'ipt>');
var html = filterXSS('<script>alert("xss");</scr' + "ipt>");
alert(html);
</script>
```
@@ -110,16 +108,16 @@ AMD mode - shim:
```html
<script>
require.config({
baseUrl: './',
baseUrl: "./",
paths: {
xss: 'https://rawgit.com/leizongmin/js-xss/master/dist/xss.js'
xss: "https://rawgit.com/leizongmin/js-xss/master/dist/xss.js",
},
shim: {
xss: {exports: 'filterXSS'}
}
})
require(['xss'], function (xss) {
var html = xss('<script>alert("xss");</scr' + 'ipt>');
xss: { exports: "filterXSS" },
},
});
require(["xss"], function (xss) {
var html = xss('<script>alert("xss");</scr' + "ipt>");
alert(html);
});
</script>
@@ -185,8 +183,8 @@ and attributes not in the whitelist would be filter out. For example:
// only tag a and its attributes href, title, target are allowed
var options = {
whiteList: {
a: ["href", "title", "target"]
}
a: ["href", "title", "target"],
},
};
// With the configuration specified above, the following HTML:
// <a href="#" onclick="hello()"><i>Hello</i></a>
@@ -289,9 +287,9 @@ myxss = new xss.FilterXSS({
whiteList: {
position: /^fixed|relative$/,
top: true,
left: true
}
}
left: true,
},
},
});
html = myxss.process('<script>alert("xss");</script>');
```
@@ -300,7 +298,7 @@ If you don't want to filter out the `style` content, just specify `false` to the
```javascript
myxss = new xss.FilterXSS({
css: false
css: false,
});
```
@@ -312,15 +310,18 @@ For more help, please see https://github.com/leizongmin/js-css-filter
By using `stripIgnoreTag` parameter:
* `true` filter out tags not in the whitelist
* `false`: by default: escape the tag using configured `escape` function
- `true` filter out tags not in the whitelist
- `false`: by default: escape the tag using configured `escape` function
Example:
If `stripIgnoreTag = true` is set, the following code:
```html
code:<script>alert(/xss/);</script>
code:
<script>
alert(/xss/);
</script>
```
would output filtered:
@@ -333,16 +334,19 @@ code:alert(/xss/);
By using `stripIgnoreTagBody` parameter:
* `false|null|undefined` by default: do nothing
* `'*'|true`: filter out all tags not in the whitelist
* `['tag1', 'tag2']`: filter out only specified tags not in the whitelist
- `false|null|undefined` by default: do nothing
- `'*'|true`: filter out all tags not in the whitelist
- `['tag1', 'tag2']`: filter out only specified tags not in the whitelist
Example:
If `stripIgnoreTagBody = ['script']` is set, the following code:
```html
code:<script>alert(/xss/);</script>
code:
<script>
alert(/xss/);
</script>
```
would output filtered:
@@ -355,15 +359,16 @@ code:
By using `allowCommentTag` parameter:
* `true`: do nothing
* `false` by default: filter out HTML comments
- `true`: do nothing
- `false` by default: filter out HTML comments
Example:
If `allowCommentTag = false` is set, the following code:
```html
code:<!-- something --> END
code:<!-- something -->
END
```
would output filtered:
@@ -384,7 +389,7 @@ var html = xss(source, {
// escape its value using built-in escapeAttrValue function
return name + '="' + xss.escapeAttrValue(value) + '"';
}
}
},
});
console.log("%s\nconvert to:\n%s", source, html);
@@ -408,7 +413,7 @@ var html = xss(source, {
// do not filter its attributes
return html;
}
}
},
});
console.log("%s\nconvert to:\n%s", source, html);
@@ -417,9 +422,11 @@ console.log("%s\nconvert to:\n%s", source, html);
Result:
```html
<x><x-1>he<x-2 checked></x-2>wwww</x-1><a>
convert to:
&lt;x&gt;<x-1>he<x-2 checked></x-2>wwww</x-1><a>
<x
><x-1>he<x-2 checked></x-2>wwww</x-1
><a>
convert to: &lt;x&gt;<x-1>he<x-2 checked></x-2>wwww</x-1><a></a></a
></x>
```
### Parse images in HTML
@@ -437,7 +444,7 @@ var html = xss(source, {
list.push(xss.friendlyAttrValue(value));
}
// Return nothing, means keep the default handling measure
}
},
});
console.log("image list:\n%s", list.join(", "));
@@ -446,8 +453,7 @@ console.log("image list:\n%s", list.join(", "));
Result:
```html
image list:
img1, img2, img3, img4
image list: img1, img2, img3, img4
```
### Filter out HTML tags (keeps only plain text)
@@ -457,7 +463,7 @@ var source = "<strong>hello</strong><script>alert(/xss/);</script>end";
var html = xss(source, {
whiteList: {}, // empty, means filter out all tags
stripIgnoreTag: true, // filter out all HTML not in the whitelist
stripIgnoreTagBody: ["script"] // the script tag is a special case, we need
stripIgnoreTagBody: ["script"], // the script tag is a special case, we need
// to filter out its content
});

98
README.zh.md
View File

@@ -1,5 +1,5 @@
[![NPM version][npm-image]][npm-url]
[![build status][travis-image]][travis-url]
[![Node.js CI](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml/badge.svg)](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml)
[![Test coverage][coveralls-image]][coveralls-url]
[![David deps][david-image]][david-url]
[![node version][node-image]][node-url]
@@ -8,8 +8,6 @@
[npm-image]: https://img.shields.io/npm/v/xss.svg?style=flat-square
[npm-url]: https://npmjs.org/package/xss
[travis-image]: https://img.shields.io/travis/leizongmin/js-xss.svg?style=flat-square
[travis-url]: https://travis-ci.org/leizongmin/js-xss
[coveralls-image]: https://img.shields.io/coveralls/leizongmin/js-xss.svg?style=flat-square
[coveralls-url]: https://coveralls.io/r/leizongmin/js-xss?branch=master
[david-image]: https://img.shields.io/david/leizongmin/js-xss.svg?style=flat-square
@@ -36,22 +34,22 @@
## 特性
* 白名单控制允许的 HTML 标签及各标签的属性
* 通过自定义处理函数,可对任意标签及其属性进行处理
- 白名单控制允许的 HTML 标签及各标签的属性
- 通过自定义处理函数,可对任意标签及其属性进行处理
## 参考资料
* [XSS 与字符编码的那些事儿 ---科普文](http://drops.wooyun.org/tips/689)
* [腾讯实例教程:那些年我们一起学 XSS](http://www.wooyun.org/whitehats/%E5%BF%83%E4%BC%A4%E7%9A%84%E7%98%A6%E5%AD%90)
* [mXSS 攻击的成因及常见种类](http://drops.wooyun.org/tips/956)
* [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
* [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme)
* [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b)
- [XSS 与字符编码的那些事儿 ---科普文](http://drops.wooyun.org/tips/689)
- [腾讯实例教程:那些年我们一起学 XSS](http://www.wooyun.org/whitehats/%E5%BF%83%E4%BC%A4%E7%9A%84%E7%98%A6%E5%AD%90)
- [mXSS 攻击的成因及常见种类](http://drops.wooyun.org/tips/956)
- [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
- [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme)
- [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b)
## 性能(仅作参考)
* xss 模块22.53 MB/s
* validator@0.3.7 模块的 xss()函数6.9 MB/s
- xss 模块22.53 MB/s
- validator@0.3.7 模块的 xss()函数6.9 MB/s
测试代码参考 benchmark 目录
@@ -93,7 +91,7 @@ Shim 模式(参考文件 `test/test.html`:
<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
<script>
// 使用函数名 filterXSS用法一样
var html = filterXSS('<script>alert("xss");</scr' + 'ipt>');
var html = filterXSS('<script>alert("xss");</scr' + "ipt>");
alert(html);
</script>
```
@@ -103,16 +101,16 @@ AMD 模式(参考文件 `test/test_amd.html`:
```html
<script>
require.config({
baseUrl: './',
baseUrl: "./",
paths: {
xss: 'https://rawgit.com/leizongmin/js-xss/master/dist/xss.js'
xss: "https://rawgit.com/leizongmin/js-xss/master/dist/xss.js",
},
shim: {
xss: {exports: 'filterXSS'}
}
})
require(['xss'], function (xss) {
var html = xss('<script>alert("xss");</scr' + 'ipt>');
xss: { exports: "filterXSS" },
},
});
require(["xss"], function (xss) {
var html = xss('<script>alert("xss");</scr' + "ipt>");
alert(html);
});
</script>
@@ -174,8 +172,8 @@ html = myxss.process('<script>alert("xss");</script>');
// 只允许a标签该标签只允许href, title, target这三个属性
var options = {
whiteList: {
a: ["href", "title", "target"]
}
a: ["href", "title", "target"],
},
};
// 使用以上配置后下面的HTML
// <a href="#" onclick="hello()"><i>大家好</i></a>
@@ -278,9 +276,9 @@ myxss = new xss.FilterXSS({
whiteList: {
position: /^fixed|relative$/,
top: true,
left: true
}
}
left: true,
},
},
});
html = myxss.process('<script>alert("xss");</script>');
```
@@ -289,7 +287,7 @@ html = myxss.process('<script>alert("xss");</script>');
```javascript
myxss = new xss.FilterXSS({
css: false
css: false,
});
```
@@ -301,15 +299,18 @@ myxss = new xss.FilterXSS({
通过 `stripIgnoreTag` 来设置:
* `true`:去掉不在白名单上的标签
* `false`:(默认),使用配置的`escape`函数对该标签进行转义
- `true`:去掉不在白名单上的标签
- `false`:(默认),使用配置的`escape`函数对该标签进行转义
示例:
当设置 `stripIgnoreTag = true`时,以下代码
```html
code:<script>alert(/xss/);</script>
code:
<script>
alert(/xss/);
</script>
```
过滤后将输出
@@ -322,16 +323,19 @@ code:alert(/xss/);
通过 `stripIgnoreTagBody` 来设置:
* `false|null|undefined`:(默认),不特殊处理
* `'*'|true`:去掉所有不在白名单上的标签
* `['tag1', 'tag2']`:仅去掉指定的不在白名单上的标签
- `false|null|undefined`:(默认),不特殊处理
- `'*'|true`:去掉所有不在白名单上的标签
- `['tag1', 'tag2']`:仅去掉指定的不在白名单上的标签
示例:
当设置 `stripIgnoreTagBody = ['script']`时,以下代码
```html
code:<script>alert(/xss/);</script>
code:
<script>
alert(/xss/);
</script>
```
过滤后将输出
@@ -344,15 +348,16 @@ code:
通过 `allowCommentTag` 来设置:
* `true`:不处理
* `false`:(默认),自动去掉 HTML 中的备注
- `true`:不处理
- `false`:(默认),自动去掉 HTML 中的备注
示例:
当设置 `allowCommentTag = false` 时,以下代码
```html
code:<!-- something --> END
code:<!-- something -->
END
```
过滤后将输出
@@ -373,7 +378,7 @@ var html = xss(source, {
// 通过内置的escapeAttrValue函数来对属性值进行转义
return name + '="' + xss.escapeAttrValue(value) + '"';
}
}
},
});
console.log("%s\nconvert to:\n%s", source, html);
@@ -397,7 +402,7 @@ var html = xss(source, {
// 不对其属性列表进行过滤
return html;
}
}
},
});
console.log("%s\nconvert to:\n%s", source, html);
@@ -406,9 +411,11 @@ console.log("%s\nconvert to:\n%s", source, html);
运行结果:
```html
<x><x-1>he<x-2 checked></x-2>wwww</x-1><a>
convert to:
&lt;x&gt;<x-1>he<x-2 checked></x-2>wwww</x-1><a>
<x
><x-1>he<x-2 checked></x-2>wwww</x-1
><a>
convert to: &lt;x&gt;<x-1>he<x-2 checked></x-2>wwww</x-1><a></a></a
></x>
```
### 分析 HTML 代码中的图片列表
@@ -424,7 +431,7 @@ var html = xss(source, {
list.push(xss.friendlyAttrValue(value));
}
// 不返回任何值,表示还是按照默认的方法处理
}
},
});
console.log("image list:\n%s", list.join(", "));
@@ -433,8 +440,7 @@ console.log("image list:\n%s", list.join(", "));
运行结果:
```html
image list:
img1, img2, img3, img4
image list: img1, img2, img3, img4
```
### 去除 HTML 标签(只保留文本内容)
@@ -444,7 +450,7 @@ var source = "<strong>hello</strong><script>alert(/xss/);</script>end";
var html = xss(source, {
whiteList: {}, // 白名单为空,表示过滤所有标签
stripIgnoreTag: true, // 过滤所有非白名单标签的HTML
stripIgnoreTagBody: ["script"] // script标签较特殊需要过滤标签中间的内容
stripIgnoreTagBody: ["script"], // script标签较特殊需要过滤标签中间的内容
});
console.log("text: %s", html);