suji Kim
|
ae15483e9e
|
feat: add <kbd> to default whitelist (#279)
|
2024-03-03 10:24:26 +08:00 |
|
mdk000
|
bedb0c09db
|
feat: single-quoted attribute value syntax support (#287)
|
2024-03-03 10:21:40 +08:00 |
|
Adam Zielinski
|
8884b21308
|
feat: Allow loading attribute on img (#278)
Signed-off-by: maosmurf <github@maosmurf.com>
|
2023-03-23 10:19:18 +08:00 |
|
LEI Zongmin
|
352ae5331f
|
Revert "fix: comment has encoded (#257)"
This reverts commit 9f6a37b34d.
|
2022-06-06 23:59:59 +08:00 |
|
lumburr
|
9f6a37b34d
|
fix: comment has encoded (#257)
|
2022-05-27 22:57:50 +08:00 |
|
lumburr
|
1e34b3de23
|
feat: add eslint:recommended check
|
2022-03-09 19:39:57 +08:00 |
|
Zongmin Lei
|
699acdea7d
|
fix: #239 stripCommentTag DoS attack
|
2021-10-08 16:23:28 +08:00 |
|
Zongmin Lei
|
005098be59
|
feat: Add <strike> to default whitelist
|
2021-05-06 13:11:03 +08:00 |
|
Zongmin Lei
|
dcf1486845
|
feat: Add <audio crossorigin muted>, <video crossorigin muted playsinline poster> to default whitelist
|
2021-05-06 13:08:35 +08:00 |
|
老雷
|
f4c0b29c3f
|
Merge pull request #220 from daraz999/patch-1
Add <figure> and <figcaption> to default whitelist
|
2021-05-06 12:53:28 +08:00 |
|
Zongmin Lei
|
2f5dd55ca0
|
fix: recover <summary> on the default whitelist
|
2021-05-06 12:47:47 +08:00 |
|
Darius Smaliukas
|
0024eefd42
|
Add <figure> and <figcaption> to default whitelist
* Figure https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure
* Figcaption https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figcaption
Most RSS feeds are using these tags to wrap around media content. I propose to add these tags to the default whitelist because they don't require any attribute and do not open any XSS vulnerability
|
2021-02-19 17:08:18 +02:00 |
|
Tim Gates
|
cf5a36696a
|
docs: Fix simple typo, doube -> double
There is a small typo in dist/xss.js, lib/default.js.
Should read `double` rather than `doube`.
|
2020-09-01 07:48:41 +10:00 |
|
sijanec
|
8efd6327ae
|
fix, as suggested by Ronald J Kimball
|
2020-02-22 21:59:36 +01:00 |
|
sijanec
|
07ac8b16c1
|
added support for src embedded image, ftp and relative urls
Those can't contain playloads. Reference to the issue #174
|
2020-02-09 00:24:43 +01:00 |
|
Zongmin Lei
|
9b85b8f2d6
|
reformat by prettier
|
2017-12-21 14:22:34 +08:00 |
|
Zongmin Lei
|
32a4bece31
|
translate all comments to English
|
2017-12-21 14:19:10 +08:00 |
|
Christian Schoeppler
|
2728bb88f7
|
added tel number handling for links
|
2017-11-24 13:57:30 +01:00 |
|
Zongmin Lei
|
857fa9de67
|
fix cssFilter, allow pass css=false to disable cssFilter
|
2016-11-06 11:06:02 +08:00 |
|
zTree
|
2e5f217c99
|
Update default.js
td / th 居然白名单里面没有 rowspan 属性,这个强烈建议加入到默认白名单的, 否则合并单元格 的 代码中 rowspan 会被直接干掉。
|
2016-05-05 12:33:01 +08:00 |
|
Zongmin Lei
|
9fa13afd66
|
add getDefaultWhiteList()
|
2015-12-23 12:33:46 +08:00 |
|
Zongmin Lei
|
ac93b2ef4b
|
修正 issue #41 href默认允许#开头
|
2015-12-01 22:11:03 +08:00 |
|
Zongmin Lei
|
b5902962ad
|
Fixed issue #36 safeAttrValue() check if cssFilter argument is undefined then use an default cssFilter
|
2015-07-30 12:00:08 +08:00 |
|
Zongmin Lei
|
994f1a7045
|
v0.2.0 使用cssfilter模块来过滤style属性
|
2015-05-05 22:50:56 +08:00 |
|
josephj
|
231458ea48
|
避免窜改 Array.prototype
|
2015-03-27 22:02:03 +11:00 |
|
Zongmin Lei
|
6249d4cf2a
|
过滤是通过设置stripBlankChar=true来过滤不可见字符
|
2015-01-22 14:20:55 +08:00 |
|
Zongmin Lei
|
97d0bdf516
|
自动清除不可见字符
|
2015-01-20 13:06:54 +08:00 |
|
Zongmin Lei
|
e71fce8974
|
fixed issue #25, ""e;" should be """
|
2014-12-06 16:25:35 +08:00 |
|
Zongmin Lei
|
bfbe23ddc1
|
href support "mailto:", fixed issue #24
|
2014-11-28 15:23:14 +08:00 |
|
island205
|
161f9510aa
|
fix stripCommentTag
|
2014-09-12 11:41:44 +08:00 |
|
David Pett
|
b9bd3e0ea2
|
added <sub> and <sup> to the whitelist
|
2014-09-05 13:18:00 -05:00 |
|
Zongmin Lei
|
a420d251f1
|
增加新的选项 allowCommentTag 来设置是否允许HTML备注标签,默认false
|
2014-04-03 11:47:21 +08:00 |
|
Zongmin Lei
|
fcabcf2137
|
默认白名单:增加排版相关的标签
|
2014-03-11 15:40:59 +08:00 |
|
Zongmin Lei
|
c1a8436521
|
默认白名单:修改代码顺序
|
2014-03-11 15:19:44 +08:00 |
|
Zongmin Lei
|
d512bd7643
|
修正:当启用stripIgnoreTagBody时,如果以要过滤的标签开头,会导致前面部分没正确删除[removed]标记
|
2014-03-03 18:21:39 +08:00 |
|
Zongmin Lei
|
d1a4521bfd
|
修正对style属性的过滤
|
2014-02-20 10:44:08 +08:00 |
|
Zongmin Lei
|
b358f9b163
|
增加 td.backgorund 过滤
|
2014-02-20 10:27:16 +08:00 |
|
Zongmin Lei
|
519f0ed944
|
href和src属性,如果被过滤则返回空值
|
2014-02-18 14:35:50 +08:00 |
|
Zongmin Lei
|
e2272386a1
|
默认href和src属性只运行 https, http, / 开头的地址
|
2014-02-18 14:27:27 +08:00 |
|
Zongmin Lei
|
c63f87b61f
|
test: stripIgnoreTagBody
|
2014-02-13 18:18:43 +08:00 |
|
Zongmin Lei
|
a6caa0ddcc
|
StripTagBody
|
2014-02-13 17:56:18 +08:00 |
|
Zongmin Lei
|
68c26f28b9
|
StripTagBodyList
|
2014-02-13 17:55:43 +08:00 |
|
Zongmin Lei
|
054aab29a2
|
test: stripIgnoreTag
|
2014-02-13 16:27:49 +08:00 |
|
Zongmin Lei
|
7fc9d3df3a
|
test: onTagAttr
|
2014-02-13 15:55:36 +08:00 |
|
Zongmin Lei
|
1a04d6d79e
|
通过基本的xss白名单测试
|
2014-02-13 14:58:36 +08:00 |
|
Zongmin Lei
|
2cb1cdb6c5
|
默认配置 未完成
|
2014-02-13 11:18:03 +08:00 |
|