leizongmin/js-xss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
415 Commits 1 Branch 0 Tags
1e34b3de232ab769151e09d13cab9f839de5f6f4
Commit Graph

98 Commits

Author SHA1 Message Date
lumburr
1e34b3de23 feat: add eslint:recommended check 2022-03-09 19:39:57 +08:00
Matthew Benjamin Schupack
6914bbaf93 feat: add support for allowList as an alias for whiteList 2021-12-13 13:29:29 -05:00
Zongmin Lei
699acdea7d fix: #239 stripCommentTag DoS attack 2021-10-08 16:23:28 +08:00
Zongmin Lei
901b771960 style: reformat all source code by prettier 2021-05-06 13:32:47 +08:00
Zongmin Lei
005098be59 feat: Add <strike> to default whitelist 2021-05-06 13:11:03 +08:00
Zongmin Lei
dcf1486845 feat: Add <audio crossorigin muted>, <video crossorigin muted playsinline poster> to default whitelist 2021-05-06 13:08:35 +08:00
老雷
f4c0b29c3f Merge pull request #220 from daraz999/patch-1 
Add <figure> and <figcaption> to default whitelist
 2021-05-06 12:53:28 +08:00
Zongmin Lei
2f5dd55ca0 fix: recover <summary> on the default whitelist 2021-05-06 12:47:47 +08:00
Darius Smaliukas
0024eefd42 Add <figure> and <figcaption> to default whitelist 
* Figure https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure
* Figcaption https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figcaption

Most RSS feeds are using these tags to wrap around media content. I propose to add these tags to the default whitelist because they don't require any attribute and do not open any XSS vulnerability
 2021-02-19 17:08:18 +02:00
Tom Anthony
51de741f7b Update handling of quoteStart to prevent sanitization bypass using non-space whitespace. 2021-01-25 21:17:00 +01:00
Tim Gates
cf5a36696a docs: Fix simple typo, doube -> double 
There is a small typo in dist/xss.js, lib/default.js.

Should read `double` rather than `doube`.
 2020-09-01 07:48:41 +10:00
Tom Anthony
379d181273 Make coding style project consistent. 2020-07-24 10:41:06 +01:00
Tom Anthony
f454fd76e6 Update handling of quoteStart to allow for whitespace after =. Add a new test case for this failure scenario. 2020-07-22 23:40:13 +01:00
sijanec
8efd6327ae fix, as suggested by Ronald J Kimball 2020-02-22 21:59:36 +01:00
sijanec
07ac8b16c1 added support for src embedded image, ftp and relative urls 
Those can't contain playloads. Reference to the issue #174
 2020-02-09 00:24:43 +01:00
Simon Bertrang
4c66d6e388 Update parser.js 
Actually turn on strict mode.
 2019-03-27 09:30:16 +01:00
Zongmin Lei
e1cc74c649 export function filterXSS 2019-03-20 14:07:13 +08:00
Aleksander Tatarczyk
4342f7788c Fix 'DedicatedWorkerGlobalScope is not defined' error on Web env 2018-05-24 16:55:00 +02:00
Zongmin Lei
58d1140d20 feat: support for Web Worker env issue #124 2018-05-24 15:49:29 +08:00
Zongmin Lei
2b853a9d8d fix issue #122 use undefined variable currentHtml 2017-12-29 09:53:17 +08:00
Zongmin Lei
17f322fde2 fix issue #120, tag in whiteList should be replaced with whiteList.hasOwnProperty(tag) 2017-12-21 15:06:39 +08:00
Zongmin Lei
9b85b8f2d6 reformat by prettier 2017-12-21 14:22:34 +08:00
Zongmin Lei
32a4bece31 translate all comments to English 2017-12-21 14:19:10 +08:00
Christian Schoeppler
2728bb88f7 added tel number handling for links 2017-11-24 13:57:30 +01:00
ztree
903769c37d passed test: 
assert.equal(xss('<a\ttarget="_blank"\ntitle="bbb">'), '<a target="_blank" title="bbb">');
    assert.equal(xss('<a\ntarget="_blank"\ttitle="bbb">'), '<a target="_blank" title="bbb">');
    assert.equal(xss('<a\n\n\n\ttarget="_blank"\t\t\t\ntitle="bbb">'), '<a target="_blank" title="bbb">');
 2017-08-31 16:41:44 +08:00
ztree
a3982311a9 HTML Tag 内的属性间隔支持 \t 2017-08-30 10:10:39 +08:00
老雷
e4ff2cf93a Merge pull request #109 from zTree/master 
parseAttr 对特殊 html 进行支持(例如 word 复制的 html 内容)
 2017-08-29 13:56:00 +08:00
zTree
b0fa6e9fc1 Update parser.js 
对特殊 html 进行支持(例如 word 复制的 html 内容)

如果只通过 空格进行区分,就会出现以下问题:
```
<img width=100 height=200
src='....'/>
```

这种没有空格,只有换行的 html 转换后会变为

```
<img width="100" height="200 src=&quot;....&quot;“/>
```
 2017-08-21 10:54:15 +08:00
Zongmin Lei
3ecf8542a0 fix: issue #66 no options mutated 2016-12-20 09:13:35 +08:00
Zongmin Lei
857fa9de67 fix cssFilter, allow pass css=false to disable cssFilter 2016-11-06 11:06:02 +08:00
zTree
2e5f217c99 Update default.js 
td / th 居然白名单里面没有 rowspan 属性,这个强烈建议加入到默认白名单的, 否则合并单元格 的 代码中 rowspan 会被直接干掉。
 2016-05-05 12:33:01 +08:00
Dima_Ryskin
08b5fd058b removed AMD 'define' call, since when bundled with other modules, only the first define() call actually registers the module (which would be one of the dependencies) 2016-04-24 16:09:16 +03:00
Zongmin Lei
9fa13afd66 add getDefaultWhiteList() 2015-12-23 12:33:46 +08:00
Zongmin Lei
d93d6334d2 make cli better 2015-12-23 12:29:40 +08:00
Zongmin Lei
0a18ac740b fix stripIgnoreTagBody on file xss.js 2015-12-23 12:22:39 +08:00
Zongmin Lei
ac93b2ef4b 修正 issue #41 href默认允许#开头 2015-12-01 22:11:03 +08:00
Zongmin Lei
fb5891fa7c Fixed issue #40 start quote only when the previous char is = 2015-08-18 18:33:56 +08:00
chengbapi
df0b76992d Update parser.js 
IE7中不支持string[index]的用法改用slice做兼容
 2015-08-04 15:32:27 +08:00
Zongmin Lei
55924144c6 v0.2.5 2015-08-04 08:51:31 +08:00
Zongmin Lei
fb6364d431 Fixed issue #37 support unstrict HTML format: allow spaces between attribute name and attribute value 2015-08-02 21:20:36 +08:00
Zongmin Lei
b5902962ad Fixed issue #36 safeAttrValue() check if cssFilter argument is undefined then use an default cssFilter 2015-07-30 12:00:08 +08:00
Zongmin Lei
d021705d99 v0.2.1 修正util问题 2015-05-06 00:45:28 +08:00
Zongmin Lei
994f1a7045 v0.2.0 使用cssfilter模块来过滤style属性 2015-05-05 22:50:56 +08:00
josephj
231458ea48 避免窜改 Array.prototype 2015-03-27 22:02:03 +11:00
Zongmin Lei
6249d4cf2a 过滤是通过设置stripBlankChar=true来过滤不可见字符 2015-01-22 14:20:55 +08:00
Zongmin Lei
89c6930b9e 取消自动清除不可见字符 2015-01-22 14:07:17 +08:00
Zongmin Lei
97d0bdf516 自动清除不可见字符 2015-01-20 13:06:54 +08:00
Zongmin Lei
85594379e2 支持AMD 2015-01-16 20:27:23 +08:00
Zongmin Lei
c7bd9c0fc4 兼容各种奇葩输入 2015-01-12 14:04:29 +08:00
Zongmin Lei
e71fce8974 fixed issue #25, "&quote;" should be "&quot;" 2014-12-06 16:25:35 +08:00