添加测试代码,基本能正常使用

This commit is contained in:
leizongmin
2012-09-19 11:10:16 +08:00
parent c82e276188
commit a25c73c8eb
2 changed files with 35 additions and 1 deletions


@@ -31,6 +31,8 @@ var defaultWhiteList = {
td: ['style', 'class', 'width', 'colspan'],
th: ['style', 'class', 'width', 'colspan'],
tbody: ['style', 'class'],
ul: ['style', 'class'],
li: ['style', 'class'],
};
/**
@@ -38,9 +40,19 @@ var defaultWhiteList = {
*/
var defaultOnTagAttr = function (tag, attr, value) {
if (attr === 'href' || attr === 'src') {
if (/^[\s"'`]*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/ig.test(value)) {
if (/\/\*|\*\//mg.test(value)) {
return '#';
}
if (/^[\s"'`]*((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig.test(value)) {
return '#';
}
} else if (attr === 'style') {
if (/\/\*|\*\//mg.test(value)) {
return '#';
}
if (/((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig.test(value)) {
return '';
}
}
};
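Review bot: The two rejection paths in the `attr === 'style'` branch disagree on what a rejected value becomes: the comment-delimiter check returns `'#'` while the script-scheme check right below it returns `''`, and `'#'` is a URL placeholder, not a CSS value (the new test expects a rejected style to render as `<a style>`). Change the first one to `return '';` so both paths empty the attribute. The `g` flag on the four regex literals is unnecessary for `.test()`; it is harmless here because the literals are re-created on every call, but dropping it removes the `lastIndex` hazard should any of them be hoisted to module scope later. The scheme regexes only skip `\s` between letters; if `value` reaches this function without prior normalization, consider whether non-whitespace control characters should be stripped before matching, since that is something a browser's URL parser tolerates — confirm against how the caller decodes attribute values. The function also returns `undefined` implicitly when nothing matches, and the JSDoc block above (which starts outside the hunk) should state what the caller does in that case, e.g. `@returns {string|undefined} replacement value, or undefined to keep the attribute unchanged`.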


@@ -132,6 +132,28 @@ describe('test XSS', function () {
assert.equal(xss('<SCRIPT SRC=//ha.ckers.org/.j'),
'&lt;SCRIPT SRC=//ha.ckers.org/.j');
assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\')"'),
'&lt;IMG SRC=\"javascript:alert(\'XSS\')"');
assert.equal(xss('<iframe src=http://ha.ckers.org/scriptlet.html <'),
'&lt;iframe src=http://ha.ckers.org/scriptlet.html &lt;');
assert.equal(xss('<a style="url(\'javascript:alert(1)\')">'), '<a style>');
assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src="#">');
assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src="#">');
assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src="#">');
assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href="#">');
// 这个暂时不知道怎么处理
//assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');
assert.equal(xss('<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]-->'),
'&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert(\'XSS\');&lt;/SCRIPT&gt;&lt;![endif]--&gt;');
});
});
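Review bot: The commented-out assertion `//assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');`, with a comment that (as I read the Chinese) says it is not yet known how to handle this input, leaves an untracked gap in coverage; an `it.skip(...)` case or a `// TODO(owner): non-ASCII angle-bracket lookalikes are not handled yet` comment in English would keep it visible to reviewers instead of disappearing into a comment. The new assertions exercise the `src`/`href` scheme checks and the style branch's script-scheme path, but not the style branch's comment-delimiter path, whose return value in the sanitizer (`'#'`) differs from the script path (`''`); a case such as `assert.equal(xss('<a style="/**/">'), <intended output>)` would pin whichever value is intended. The enclosing `it` callback starts outside the hunk, and the hunk header announces more new lines than are shown here, so the tail of this section may be truncated.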