Merge pull request #249 from schu34/ms/add-allowlist-support

feat: add support for allowList as an alias for whiteList

README.md

@@ -194,6 +194,8 @@ var options = {
 
 For the default whitelist, please refer `xss.whiteList`.
 
+`allowList` is also supported, and has the same function as `whiteList`.
+
 ### Customize the handler function for matched tags
 
 By specifying the handler function with `onTag`:

dist/xss.js

@@ -857,7 +857,7 @@ function shallowCopyObject(obj) {
  * FilterXSS class
  *
  * @param {Object} options
- *        whiteList, onTag, onTagAttr, onIgnoreTag,
+ *        whiteList (or allowList), onTag, onTagAttr, onIgnoreTag,
  *        onIgnoreTagAttr, safeAttrValue, escapeHtml
  *        stripIgnoreTagBody, allowCommentTag, stripBlankChar
  *        css{whiteList, onAttr, onIgnoreAttr} `css=false` means don't use `cssfilter`
@@ -874,7 +874,7 @@ function FilterXSS(options) {
     options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll;
   }
 
-  options.whiteList = options.whiteList || DEFAULT.whiteList;
+  options.whiteList = options.whiteList || options.allowList || DEFAULT.whiteList;
   options.onTag = options.onTag || DEFAULT.onTag;
   options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
   options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;

lib/xss.js

@@ -64,7 +64,7 @@ function shallowCopyObject(obj) {
  * FilterXSS class
  *
  * @param {Object} options
- *        whiteList, onTag, onTagAttr, onIgnoreTag,
+ *        whiteList (or allowList), onTag, onTagAttr, onIgnoreTag,
  *        onIgnoreTagAttr, safeAttrValue, escapeHtml
  *        stripIgnoreTagBody, allowCommentTag, stripBlankChar
  *        css{whiteList, onAttr, onIgnoreAttr} `css=false` means don't use `cssfilter`
@@ -81,7 +81,7 @@ function FilterXSS(options) {
     options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll;
   }
 
-  options.whiteList = options.whiteList || DEFAULT.whiteList;
+  options.whiteList = options.whiteList || options.allowList || DEFAULT.whiteList;
   options.onTag = options.onTag || DEFAULT.onTag;
   options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
   options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;

test/test_xss.js

@@ -167,6 +167,20 @@ describe("test XSS", function() {
     );
   });
 
+  it("#allowList", ()=>{
+    // 过滤所有标签
+    assert.equal(
+      xss('<a title="xx">bb</a>', { allowList: {} }),
+      '&lt;a title="xx"&gt;bb&lt;/a&gt;'
+    );
+    assert.equal(xss("<hr>", { allowList: {} }), "&lt;hr&gt;");
+    // 增加白名单标签及属性
+    assert.equal(
+      xss('<ooxx yy="ok" cc="no">uu</ooxx>', { allowList: { ooxx: ["yy"] } }),
+      '<ooxx yy="ok">uu</ooxx>'
+    );
+  })
+
   // XSS攻击测试：https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
   it("#XSS_Filter_Evasion_Cheat_Sheet", function() {
     assert.equal(