leizongmin / js-xss


Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist

Home Page: http://jsxss.com

License: Other

HTML 62.48% JavaScript 36.54% Shell 0.23% Batchfile 0.03% TypeScript 0.72%



js-xss's Issues

td style vertical-align property gets removed

I'm using the filter through JS and just found an interesting error. It seems that the filter removes the vertical-align property from td styles. Is there a reason for this, or is it just a recommendation to use the valign property?

The code:

var filterList = {
  ...
  table:  ['width', 'border', 'align', 'valign', 'style', 'class'],
  tbody:  ['align', 'valign', 'style', 'class'],
  td:     ['width', 'rowspan', 'colspan', 'align', 'valign', 'style', 'class'],
  tfoot:  ['align', 'valign', 'style', 'class'],
  th:     ['width', 'rowspan', 'colspan', 'align', 'valign', 'style', 'class'],
  thead:  ['align', 'valign', 'style', 'class'],
  tr:     ['rowspan', 'align', 'valign', 'style', 'class']
};

filterXSS(content, {
  whiteList: filterList,
  stripIgnoreTag: true,
  stripIgnoreTagBody: ['script']
});

Is js-xss production ready?

Has this package been reviewed by any security firm(s)? I looked through the README but couldn't find any information on the topic. I'm kind of surprised, given that this package has over 1,000 stars, it seems like it is widely used.

I've come across various NPM packages that escape strings, but I'm not sure which is the best to go with. Obviously there are no 100% guarantees in security, but this package seems promising for my use case.

I'd appreciate input from the maintainers or from other package users who are concerned with XSS.

xss attack through style attribute

Hi,

First of all, thank you for this nice library! Your library is the only one I could find that allows filtering on css.

However, I hoped it would filter out xss hacks in css by default, in particular the background: url(javascript:...) hack.

I now have added:

css: {
  onAttr(name, value) {
    if (value.toLowerCase().indexOf('javascript:') != -1) {
      return '';
    }
  },
},

to the options, which I think takes care of this.

I think you should add this filter by default or at least warn that your library doesn't catch this xss issue. Thank you!
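An added example (not code from js-xss or from the issue author) of the kind of check the hook above performs, generalized to catch case and whitespace variations of the scheme. The (name, value) callback signature is assumed from the snippet in the issue; the declaration splitter is a constructed stand-in for what the real CSS filter does.

```javascript
// Added example: a css.onAttr-style callback that rejects CSS property values
// carrying a javascript: URL. The (name, value) signature follows the snippet
// in the issue above; everything else here is constructed and not js-xss code.

// Normalize a CSS value before matching: lowercase it and strip ASCII
// whitespace and control characters, so "JaVa\tScRiPt:" still matches.
function normalizeCssValue(value) {
  return String(value).toLowerCase().replace(/[\x00-\x20\x7f]/g, '');
}

// Returning '' drops the declaration; returning undefined keeps the default
// handling, mirroring the callback contract used in the issue.
function cssOnAttr(name, value) {
  if (normalizeCssValue(value).includes('javascript:')) {
    return '';
  }
  return undefined;
}

// Constructed stand-in for a style-declaration filter: split "prop: value"
// pairs on ';', run each through onAttr, and keep only those it allows.
function filterStyle(style, onAttr) {
  const kept = [];
  for (const decl of style.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;
    const name = decl.slice(0, idx).trim();
    const value = decl.slice(idx + 1).trim();
    if (!name || !value) continue;
    if (onAttr(name, value) === '') continue;
    kept.push(`${name}:${value}`);
  }
  return kept.join(';');
}

// Constructed sample input: one benign declaration and one whose scheme a
// plain exact-match check would miss because of mixed case and a tab.
const SAMPLE_STYLE = "color: #0095dd; background: url(JaVa\tscript:alert(1))";
console.log(filterStyle(SAMPLE_STYLE, cssOnAttr)); // → "color:#0095dd"
```

This normalization does not decode CSS escape sequences or strip CSS comments, so it complements a property whitelist rather than replacing it.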

v0.1 new features

  • Add an option to specify how invalid (non-whitelisted) tags are handled: 1 - strip the invalid tag | 2 - escape the invalid tag | 3 - specify a function to handle it; default is 1
  • The href attribute value is filtered with a whitelist mechanism: 1 - allow the http and https protocols | 2 - specify a list of supported protocols | 3 - specify a function to handle it; default is 1
  • Every attribute value should be individually configurable: tag name - attribute name => handler function

Filter iframe tags based on their src origin

My use case is:

  1. Allow iframe tags (and white listed attrs) if src is from youtube
  2. Otherwise filter out the tag entirely

I can't find out how to achieve this using current callbacks. Seems you can either accept the tag or not.

Expose interfaces such as safeAttrValue

There is a requirement like this:
an avatar link to an external site
will later be placed in the src of an img tag,
but when the user fills it in, the link is just an ordinary string,
and xss will not process the quotes and <> inside it.

This kind of situation is rather complicated and xss probably cannot handle it automatically, but the relevant methods could be exposed so developers can call them themselves.

Style attribute on anchor tag throws an exception instead of error

Steps to reproduce:

var options = {
  whiteList: {
    a: ['href', 'id', 'style'],
    em: [],
    span: ['id', 'tabindex'],
    strong: []
  }
};

and override the onTagAttr, like so:

onTagAttr: function (tag, name, value, isWhiteAttr) {
  if (isWhiteAttr && xss.safeAttrValue(tag, name, value) === '') {
    grunt.log.error('%s: INVALID VALUE FOR ATTRIBUTE <%s %s="%s">', src, tag, name, value);
    hasErrors += 1;
    errorFound = true;
    return '';
  }
}

Run this over an HTML file with the contents:
<a href='' style='color: #0095dd; text-decoration: none;'>Whatever text</a>

Expected Behaviour:

  1. The xss module logs an error

Actual Behaviour:
Warning: Cannot call method 'process' of undefined Use --force to continue.

@pdehaan

css whitelist doesn't work with spaces

Steps to reproduce

var xss = require('xss');
var options = {
  whiteList: {
    a: ['style']
  },
  css: {
    whiteList: {
      'color': true,
      'text-decoration': true
    }
  }
}
var html = "<a style = 'color: #0095dd; text-decoration: none;'>xss</a>";
var myxss = new xss.FilterXSS(options)
console.log(myxss.process(html))

Expected Behaviour:

The code is valid, and is not sanitized.

Actual behaviour:

The style value is completely removed, even though both color and text-decoration are valid.

If I remove the spaces between style and =, then it works as expected.

IE7 support needed

IE7 does not support reading a character at an index with str[0]; it needs to be changed to str.charAt(0).

Before replacing it, test whether there is any performance impact when running under the V8 engine.

Zero-width control characters cannot be filtered

As follows:

'Cats & Dogs
'.replace(/[\u0000-\u001F]|\u007F/g, '')

Pasting this into the Chrome console produces the following error:

(screenshot of the error)

The reason is that after "Dogs" (move the mouse cursor through it to see) there is an invisible zero-width character. If a user copies text containing such a character and submits it to your backend through a form, it is not filtered out by xss(), is then stored in the database, and is finally output into the HTML as a JSON variable; the parse error breaks the whole JSON structure and causes a bug.

Can such characters be filtered out with xss?

When used from the command line, the config file has no effect

➜ cat test
<strong>hello</strong><script>alert(/xss/);</script>end
➜ cat config.js
var options = {
  whiteList: [],
  stripIgnoreTag: true
};
➜ xss -i test -c config.js
<strong>hello</strong>&lt;script&gt;alert(/xss/);&lt;/script&gt;end

I wonder whether I have done something wrong somewhere?

img src onerror xss issue

When your repo does xss(imgSrc), how do I filter code like this inside imgSrc: https://a"onerror=alert('hello')> ?

Documentation lacks an explanation of the CSS configuration

Many thanks for providing such a convenient tool, but I ran into a problem while using it:
I configured the <p> tag to be allowed a style attribute, but the result is that the line-height property inside the style attribute was filtered out.

Looking at the code, I saw that the CSS XSS filtering uses another library called cssfilter, which provides a way to configure a whitelist of CSS properties, but this is not mentioned in the documentation.

So that people in the future can avoid this pitfall, I suggest adding some explanation of the CSS XSS configuration.

& inside <pre> is escaped into something invalid

<pre><code class="language-html">&lt;body&gt;foo&lt;/body&gt;</code></pre>

is escaped into

<pre><code class="language-html">&amp;lt;body&amp;gt;foo&amp;lt;/body&amp;gt;</code></pre>

Thanks, the extension interface works fine!

Using the extension interface provided by 老雷, custom rule handling can be implemented very well; we have dropped our fork and are using the latest upstream source directly. Thanks!!

var customFilter = (function () {
  var xss = new window.filterXSS.FilterXSS({
    safeAttrValue: function (tag, name, value) {
      // Custom attribute-value filter: for the href attribute of an a tag,
      // first check whether it starts with wiz://
      if (tag === 'a' && name === 'href') {
        if (value.substr(0, 6) === 'wiz://') {
          return window.filterXSS.escapeAttrValue(value);
        }
      }
      // In all other cases, use the default safeAttrValue handler
      return window.filterXSS.safeAttrValue(tag, name, value);
    }
  });
  return function (html) {
    return xss.process(html);
  };
})();

// customFilter(htmlstr);

cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time

Using the following options:

var xssOpt = {
  whiteList:          [],        // an empty whitelist means all tags are filtered
  stripIgnoreTag:     true,      // strip the HTML of all non-whitelisted tags
  stripIgnoreTagBody: ['script'] // the script tag is special: its body must be stripped as well
};

When calling xss(str, xssOpt), the following error is reported:

Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time

How can this be resolved?

Need to handle <!--comments--> tags

Plan to add a new option allowCommentTag to set whether HTML comment tags are allowed:

  • true means allow
  • false means remove; default is false

Cannot install on Win7

E:\node work\node-doc-cn-master>npm install xss
npm http GET https://registry.npmjs.org/xss
npm http 304 https://registry.npmjs.org/xss
npm http GET https://registry.npmjs.org/xss/-/xss-0.0.8.tgz
npm http 200 https://registry.npmjs.org/xss/-/xss-0.0.8.tgz
npm ERR! Error: ENOENT, open 'C:\Users\ADMINI~1\AppData\Local\Temp\npm-15224-vgC
KZxTd\1384148008965-0.5113850180059671\package:q'
npm ERR! If you need help, you may report this log at:
npm ERR! http://github.com/isaacs/npm/issues
npm ERR! or email it to:
npm ERR! [email protected]

npm ERR! System Windows_NT 6.1.7601
npm ERR! command "D:\nodist\bin\node.exe" "D:\nodist\bin\node_modules\n
pm\cli.js" "install" "xss"
npm ERR! cwd E:\node work\node-doc-cn-master
npm ERR! node -v v0.10.20
npm ERR! npm -v 1.3.11
npm ERR! path C:\Users\ADMINI~1\AppData\Local\Temp\npm-15224-vgCKZxTd\1384148008
965-0.5113850180059671\package:q
npm ERR! code ENOENT
npm ERR! errno 34
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR! E:\node work\node-doc-cn-master\npm-debug.log
npm ERR! not ok code 0

Problem whitelisting CSS

Hi,

I was reading https://www.npmjs.com/package/xss, and it said that if I wanted to allow style tags, I would just need to run the following code:

const myxss = new xss.FilterXSS({
  css: false,
});
html = myxss.process(innerText);

However, I can't get it to work. My inner text is

<table>
<thead>
<tr>
<th style="text-align:left"><strong>Left Column</strong></th>
<th style="text-align:right"></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><strong>Left Value</strong></td>
<td style="text-align:right">Right Value</td>
</tr>
</tbody>
</table>

and instead what comes out is

<table>
<thead>
<tr>
<th><strong>Left Column</strong></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Left Value</strong></td>
<td>Right Value</td>
</tr>
</tbody>
</table>

Any guidance would be helpful. Thanks!

XSS whiteList issue.

Whenever I use whiteList option all html content is converted into encoded string instead of sample html.

I have used below string:

var source = '<p>Hotel Kadi Palace is located in the <strong>heart </strong>of the <strong>historic center of Florence </strong>';
var html = xss(source, { whiteList: ['href', 'target'] });
console.log(html);

So I just want to know whether this is intended functionality or a minor bug, and what I should do to get plain HTML here.

Is xss(content) safe to be used in attributes?

It appears this module targets HTML input/output, so I should always do

xss('<a href="' + url + '">')

instead of

<a href="xss(url)">link</a>

right?

This also means I should always do json data -> template render -> xss filter -> append, instead of json data -> xss filter -> template render -> append right?

Incorrect escaping

xss > 3

is escaped into

xss &gt 3

It is because of this in
parser.js:102

if (lastPos < html.length) {
    rethtml += escapeHtml(html.substr(lastPos));
  }

If no HTML tag was found, it should not be escaped, should it?

XSS module doesnt sanitize xss vectors in broken html

STR:

Run the xss module on the following contents:

Hesabı təsdiqlə:

Xətalı istək

Səhifə tapılmadı
Cuenta desconocida. <a href="javascript(1)" onclick="javascript:alert('hey')

Desconectado correctamente

La cuenta ya existe. <a href="/signin">Identifícate</a>

Expected Behavior:

  • Error on finding xss vector (javascript) and/or cleaning that up

Actual behavior

  • No errors or cleaning up.

More detailed examples at mozilla/fxa-content-server-l10n#63
@shane-tomlinson

Options object is mutated

var oldKeys = Object.keys(opts);
xss('test', opts);
var newKeys = Object.keys(opts);

oldKeys.length === newKeys.length

Re-using an opts which has stripIgnoreTag defined, will issue a warning:

Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time
