自动清除不可见字符

2015-01-20 13:06:54 +08:00
parent 6353e5c110
commit 97d0bdf516
3 changed files with 17 additions and 0 deletions
--- a/lib/default.js
+++ b/lib/default.js
@@ -355,6 +355,16 @@ function stripCommentTag (html) {
 }
 var STRIP_COMMENT_TAG_REGEXP = /<!--[\s\S]*?-->/g;

+/**
+ * 去除不可见字符
+ *
+ * @param {String} html
+ * @return {String}
+ */
+function stripBlankChar (html) {
+  return html.replace(/[\u0000-\u001F]|\u007F/g, '');
+}
+

 exports.whiteList = whiteList;
 exports.onTag = onTag;
@@ -373,3 +383,4 @@ exports.escapeAttrValue = escapeAttrValue;
 exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
 exports.StripTagBody = StripTagBody;
 exports.stripCommentTag = stripCommentTag;
+exports.stripBlankChar = stripBlankChar;
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -84,6 +84,9 @@ FilterXSS.prototype.process = function (html) {
  html = html.toString();
  if (!html) return '';

+  // 去除不可见字符
+  html = DEFAULT.stripBlankChar(html);
+
  var me = this;
  var options = me.options;
  var whiteList = options.whiteList;
--- a/test/test_xss.js
+++ b/test/test_xss.js
@@ -18,6 +18,9 @@ describe('test XSS', function () {
    assert.equal(xss(123), '123');
    assert.equal(xss({a: 1111}), '[object Object]');

+    // 清除不可见字符
+    assert.equal(xss('a\u0000\u0001\u0002b'), 'ab');
+
    // 过滤不在白名单的标签
    assert.equal(xss('<b>abcd</b>'), '<b>abcd</b>');
    assert.equal(xss('<o>abcd</o>'), '&lt;o&gt;abcd&lt;/o&gt;');