leizongmin/js-xss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
431 Commits 1 Branch 0 Tags
bedb0c09dbfebcd85151c89e0cec1f9fd82b166a
Commit Graph

45 Commits

Author SHA1 Message Date
mdk000
bedb0c09db feat: single-quoted attribute value syntax support (#287) 2024-03-03 10:21:40 +08:00
Adam Zielinski
8884b21308 feat: Allow loading attribute on img (#278) 
Signed-off-by: maosmurf <github@maosmurf.com>
 2023-03-23 10:19:18 +08:00
LEI Zongmin
352ae5331f Revert "fix: comment has encoded (#257)" 
This reverts commit 9f6a37b34d.
 2022-06-06 23:59:59 +08:00
lumburr
9f6a37b34d fix: comment has encoded (#257) 2022-05-27 22:57:50 +08:00
lumburr
1e34b3de23 feat: add eslint:recommended check 2022-03-09 19:39:57 +08:00
Zongmin Lei
699acdea7d fix: #239 stripCommentTag DoS attack 2021-10-08 16:23:28 +08:00
Zongmin Lei
005098be59 feat: Add <strike> to default whitelist 2021-05-06 13:11:03 +08:00
Zongmin Lei
dcf1486845 feat: Add <audio crossorigin muted>, <video crossorigin muted playsinline poster> to default whitelist 2021-05-06 13:08:35 +08:00
老雷
f4c0b29c3f Merge pull request #220 from daraz999/patch-1 
Add <figure> and <figcaption> to default whitelist
 2021-05-06 12:53:28 +08:00
Zongmin Lei
2f5dd55ca0 fix: recover <summary> on the default whitelist 2021-05-06 12:47:47 +08:00
Darius Smaliukas
0024eefd42 Add <figure> and <figcaption> to default whitelist 
* Figure https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure
* Figcaption https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figcaption

Most RSS feeds are using these tags to wrap around media content. I propose to add these tags to the default whitelist because they don't require any attribute and do not open any XSS vulnerability
 2021-02-19 17:08:18 +02:00
Tim Gates
cf5a36696a docs: Fix simple typo, doube -> double 
There is a small typo in dist/xss.js, lib/default.js.

Should read `double` rather than `doube`.
 2020-09-01 07:48:41 +10:00
sijanec
8efd6327ae fix, as suggested by Ronald J Kimball 2020-02-22 21:59:36 +01:00
sijanec
07ac8b16c1 added support for src embedded image, ftp and relative urls 
Those can't contain playloads. Reference to the issue #174
 2020-02-09 00:24:43 +01:00
Zongmin Lei
9b85b8f2d6 reformat by prettier 2017-12-21 14:22:34 +08:00
Zongmin Lei
32a4bece31 translate all comments to English 2017-12-21 14:19:10 +08:00
Christian Schoeppler
2728bb88f7 added tel number handling for links 2017-11-24 13:57:30 +01:00
Zongmin Lei
857fa9de67 fix cssFilter, allow pass css=false to disable cssFilter 2016-11-06 11:06:02 +08:00
zTree
2e5f217c99 Update default.js 
td / th 居然白名单里面没有 rowspan 属性,这个强烈建议加入到默认白名单的, 否则合并单元格 的 代码中 rowspan 会被直接干掉。
 2016-05-05 12:33:01 +08:00
Zongmin Lei
9fa13afd66 add getDefaultWhiteList() 2015-12-23 12:33:46 +08:00
Zongmin Lei
ac93b2ef4b 修正 issue #41 href默认允许#开头 2015-12-01 22:11:03 +08:00
Zongmin Lei
b5902962ad Fixed issue #36 safeAttrValue() check if cssFilter argument is undefined then use an default cssFilter 2015-07-30 12:00:08 +08:00
Zongmin Lei
994f1a7045 v0.2.0 使用cssfilter模块来过滤style属性 2015-05-05 22:50:56 +08:00
josephj
231458ea48 避免窜改 Array.prototype 2015-03-27 22:02:03 +11:00
Zongmin Lei
6249d4cf2a 过滤是通过设置stripBlankChar=true来过滤不可见字符 2015-01-22 14:20:55 +08:00
Zongmin Lei
97d0bdf516 自动清除不可见字符 2015-01-20 13:06:54 +08:00
Zongmin Lei
e71fce8974 fixed issue #25, "&quote;" should be "&quot;" 2014-12-06 16:25:35 +08:00
Zongmin Lei
bfbe23ddc1 href support "mailto:", fixed issue #24 2014-11-28 15:23:14 +08:00
island205
161f9510aa fix stripCommentTag 2014-09-12 11:41:44 +08:00
David Pett
b9bd3e0ea2 added <sub> and <sup> to the whitelist 2014-09-05 13:18:00 -05:00
Zongmin Lei
a420d251f1 增加新的选项 allowCommentTag 来设置是否允许HTML备注标签,默认false 2014-04-03 11:47:21 +08:00
Zongmin Lei
fcabcf2137 默认白名单:增加排版相关的标签 2014-03-11 15:40:59 +08:00
Zongmin Lei
c1a8436521 默认白名单:修改代码顺序 2014-03-11 15:19:44 +08:00
Zongmin Lei
d512bd7643 修正:当启用stripIgnoreTagBody时,如果以要过滤的标签开头,会导致前面部分没正确删除[removed]标记 2014-03-03 18:21:39 +08:00
Zongmin Lei
d1a4521bfd 修正对style属性的过滤 2014-02-20 10:44:08 +08:00
Zongmin Lei
b358f9b163 增加 td.backgorund 过滤 2014-02-20 10:27:16 +08:00
Zongmin Lei
519f0ed944 href和src属性,如果被过滤则返回空值 2014-02-18 14:35:50 +08:00
Zongmin Lei
e2272386a1 默认href和src属性只运行 https, http, / 开头的地址 2014-02-18 14:27:27 +08:00
Zongmin Lei
c63f87b61f test: stripIgnoreTagBody 2014-02-13 18:18:43 +08:00
Zongmin Lei
a6caa0ddcc StripTagBody 2014-02-13 17:56:18 +08:00
Zongmin Lei
68c26f28b9 StripTagBodyList 2014-02-13 17:55:43 +08:00
Zongmin Lei
054aab29a2 test: stripIgnoreTag 2014-02-13 16:27:49 +08:00
Zongmin Lei
7fc9d3df3a test: onTagAttr 2014-02-13 15:55:36 +08:00
Zongmin Lei
1a04d6d79e 通过基本的xss白名单测试 2014-02-13 14:58:36 +08:00
Zongmin Lei
2cb1cdb6c5 默认配置 未完成 2014-02-13 11:18:03 +08:00