leizongmin / js-xss
Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
Home Page: http://jsxss.com
License: Other
Would like to be able to whitelist <a href="mailto:"
I'm using the filter through JS and just found an interesting error. It seems that the filter removes the vertical-align property from td styles. Is there a reason for this, or is it just a recommendation to use the valign property?
The code:
// The whitelist must be defined before it is passed to filterXSS
// (declared with `=`, not `:`; the original post had a typo there).
var filterList = {
  // ...
  table: ['width', 'border', 'align', 'valign', 'style', 'class'],
  tbody: ['align', 'valign', 'style', 'class'],
  td: ['width', 'rowspan', 'colspan', 'align', 'valign', 'style', 'class'],
  tfoot: ['align', 'valign', 'style', 'class'],
  th: ['width', 'rowspan', 'colspan', 'align', 'valign', 'style', 'class'],
  thead: ['align', 'valign', 'style', 'class'],
  tr: ['rowspan', 'align', 'valign', 'style', 'class']
};
filterXSS(content, {
  whiteList: filterList,
  stripIgnoreTag: true,
  stripIgnoreTagBody: ['script']
});
Has this package been reviewed by any security firm(s)? I looked through the README but couldn't find any information on the topic. I'm kind of surprised, given that this package has over 1,000 stars, it seems like it is widely used.
I've come across various NPM packages that escape strings, but I'm not sure which is the best to go with. Obviously there is no 100% guarantees in security, but this package seems promising for my use case.
I'd appreciate input from the maintainers or from other package users who are concerned with XSS.
Is there a way to parse links so that they include target="_blank"?
Previously, on this commit, the files lack the dist folder: 7641196
This prevents using the newest version by loading dist/xss.min.js into a project. Adding dist to that list will fix it.
For filtering of the tag style attribute, allow configuring which CSS styles are permitted
Hi,
First of all, thank you for this nice library! Your library is the only one I could find that allows filtering on css.
However, I hoped it would filter out XSS hacks in CSS by default, in particular the background: url(javascript:...) hack.
I now have added:
css: {
  onAttr(name, value) {
    if (value.toLowerCase().indexOf('javascript:') != -1) {
      return '';
    }
  },
},
to the options, which I think takes care of this.
I think you should add this filter by default or at least warn that your library doesn't catch this xss issue. Thank you!
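As an added example (not code from js-xss, cssfilter, or the issue author above), the check the poster describes written as a stand-alone css.onAttr hook, together with a small declaration splitter so it can be exercised without the library installed. The hook has the shape js-xss hands through to cssfilter, onAttr(name, value, options), where returning '' drops the declaration and returning undefined falls back to the default handling; the names isDangerousCssValue, cssOnAttr and filterStyle are chosen here. It goes slightly beyond the post's check by normalising case and whitespace before matching.

```javascript
// Added example, not js-xss or cssfilter code: a css.onAttr hook that drops
// style declarations whose value carries a javascript: URL.

function isDangerousCssValue(value) {
  // Lower-case and strip whitespace so the comparison is not sensitive to
  // case or spacing inside the value (e.g. "url( JavaScript:... )").
  const norm = String(value).toLowerCase().replace(/\s+/g, '');
  return norm.includes('javascript:');
}

// Same contract as the cssfilter onAttr hook js-xss exposes under options.css:
// '' drops the declaration, undefined keeps the default safeAttrValue handling.
function cssOnAttr(name, value) {
  if (isDangerousCssValue(value)) {
    return '';
  }
  return undefined;
}

// Minimal style-attribute splitter used only to exercise the hook here.
// It splits on ';' and ':' and does not handle quoted values containing ';'
// (cssfilter's real parser does); it is a constructed harness, not the library.
function filterStyle(style) {
  return String(style)
    .split(';')
    .map((decl) => decl.trim())
    .filter(Boolean)
    .map((decl) => {
      const colon = decl.indexOf(':');
      if (colon < 0) return null; // malformed declaration, drop it
      const name = decl.slice(0, colon).trim();
      const value = decl.slice(colon + 1).trim();
      return cssOnAttr(name, value) === '' ? null : `${name}:${value}`;
    })
    .filter(Boolean)
    .join(';');
}

// Constructed sample input: one harmless declaration on each side of the
// background: url(javascript:...) case from the issue.
const sampleStyle = 'color:red; background:url(javascript:alert(1)); width:10px';
console.log(filterStyle(sampleStyle)); // color:red;width:10px
```

To use the hook with the library itself, pass it as options.css.onAttr to new xss.FilterXSS(options); the splitter above is only there so the check can be run stand-alone.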
The xss.js and xss.min.js files in the dist folder actually return FilterCSS,
because there are two define() calls in
https://github.com/leizongmin/js-xss/blob/master/dist%2Fxss.js#L447
and https://github.com/leizongmin/js-xss/blob/master/dist%2Fxss.js#L1432
I think it's better to split it into two files to make sure AMD works fine.
let options = {
  whiteList: {
    span: ['class'],
    code: ['class', 'codemark'],
    pre: ['class', 'style'],
    p: ['class'],
    br: ['class']
  }
};
I wrote this myself; it runs fine, but it doesn't feel like best practice. Looking for the correct approach.
Currently, tags that are not in the whitelist are displayed. What if I don't want them displayed?
So it would be best to have a setting that lets the user choose between showing and hiding/removing them.
href attribute values use a whitelist mechanism: 1 - allow the http and https protocols | 2 - specify a list of supported protocols | 3 - specify a function to handle them; the default is 1
Consider adding to bower?
Hi,
I get an error when I do $bower install xss
- The version specified in the bower.json of package xss mismatches the tag (0.1.12 vs 0.1.7)
Works fine when I try to get the previous version - 0.1.7
$bower install xss#0.1.7 // Works good
My use case is:
I can't find out how to achieve this using current callbacks. Seems you can either accept the tag or not.
There is a requirement like this:
an external avatar link,
which will later be placed in the src of an img tag.
But when the user fills it in, the link is just a plain string,
and xss does not handle the quotes and <> inside it.
This case is fairly complex, and xss may not be able to handle it automatically, but the relevant methods could be exposed so developers can call them themselves.
Steps to reproduce:
var options = {
  whiteList: {
    a: ['href', 'id', 'style'],
    em: [],
    span: ['id', 'tabindex'],
    strong: []
  }
};
and override the onTagAttr, like so:
onTagAttr: function (tag, name, value, isWhiteAttr) {
  if (isWhiteAttr && xss.safeAttrValue(tag, name, value) === '') {
    grunt.log.error('%s: INVALID VALUE FOR ATTRIBUTE <%s %s="%s">', src, tag, name, value);
    hasErrors += 1;
    errorFound = true;
    return '';
  }
}
run this over an HTML file with contents:
<a href='' style='color: #0095dd; text-decoration: none;'>Whatever text</a>
Expected Behaviour:
Actual Behaviour:
Warning: Cannot call method 'process' of undefined Use --force to continue.
var xss = require('xss');
var options = {
  whiteList: {
    a: ['style']
  },
  css: {
    whiteList: {
      'color': true,
      'text-decoration': true
    }
  }
};
var html = "<a style = 'color: #0095dd; text-decoration: none;'>xss</a>";
var myxss = new xss.FilterXSS(options);
console.log(myxss.process(html));
The code is valid and is not sanitized.
The style value is completely removed, even though both color and text-decoration are valid.
If I remove the spaces between style and =, then it works as expected.
IE7 does not support reading a character at a given index with str[0];
this needs to be changed to str.charAt(0).
Before replacing it, test whether performance under the V8 engine is affected.
https://github.com/leizongmin/js-xss/blob/master/lib/default.js - line 210
... this should be 'quot' and not 'quote'.
➜ cat test
<strong>hello</strong><script>alert(/xss/);</script>end
➜ cat config.js
var options = {
whiteList: [],
stripIgnoreTag: true
};
➜ xss -i test -c config.js
<strong>hello</strong><script>alert(/xss/);</script>end
Did I get something wrong somewhere?
When using your repo as xss(imgSrc),
how do I filter code like https://a"onerror=alert('hello')>
inside imgSrc?
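The two issues above (the avatar link that will later land in an img src, and the imgSrc question) both concern an untrusted string that is not HTML yet, so running it through xss() alone does not help. As an added example (not js-xss code, and not a reply from the maintainer), here is a stand-alone version of the two steps a defender wants before building the tag: a scheme whitelist like the one the href issue above describes (allow http and https), and attribute-value escaping in the spirit of the escapeAttrValue helper the page's custom-filter snippet calls. The names safeImageUrl, imgTag and escapeAttrValue are chosen here; escapeAttrValue is a simplified re-implementation, not the library's function, and the URL class is the WHATWG URL parser built into Node and browsers.

```javascript
// Added example, not js-xss code: validate the scheme of an untrusted URL and
// escape it before it is placed into an <img src="..."> attribute.

// Simplified stand-in for js-xss's escapeAttrValue (assumption: the library's
// own helper escapes quotes and angle brackets; this version also escapes &).
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Scheme whitelist: only http and https survive, mirroring option 1 of the
// href whitelist issue. Anything the URL parser rejects is dropped as well,
// so a string that cannot be a URL never reaches the attribute.
function safeImageUrl(url, allowedSchemes = ['http:', 'https:']) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return ''; // not a parseable absolute URL
  }
  return allowedSchemes.includes(parsed.protocol) ? parsed.href : '';
}

// Build the tag only after both checks; an empty string means "omit the image".
function imgTag(untrustedSrc) {
  const src = safeImageUrl(untrustedSrc);
  if (!src) {
    return '';
  }
  return `<img src="${escapeAttrValue(src)}">`;
}

// Constructed samples: a clean avatar URL, a non-http scheme, and the
// quote-and-bracket string from the issue above.
const samples = [
  'https://example.com/avatar.png',
  'javascript:alert(1)',
  'https://a"onerror=alert(\'hello\')>',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '=>', JSON.stringify(imgTag(s)));
}
```

The order matters: validate the raw string as a URL first, then escape the normalised result when it is inserted into markup. The HTML produced this way can still be passed through xss() afterwards, which is the "template render -> xss filter" order another issue on this page arrives at.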
Many thanks for providing such a convenient tool, but I ran into a problem while using it:
I allowed the style attribute on the <p> tag, but the line-height property inside style got filtered out.
Looking at the code, I saw that the CSS XSS filtering uses another library called cssfilter, which provides a way to configure a CSS property whitelist, but this isn't mentioned in the documentation.
To save future users from this pitfall, I suggest adding some notes on CSS XSS configuration.
<pre><code class="language-html"><body>foo</body></code></pre>
is escaped to
<pre><code class="language-html">&lt;body&gt;foo&lt;/body&gt;</code></pre>
How do I filter specified characters in a string, such as + or _?
Reference: http://drops.wooyun.org/tips/956
Need to check whether the xss module has this problem.
As titled.
Using the extension interface 老雷 (leizongmin) provided, custom rule handling works very well; we have dropped our fork and use the latest source directly. Thanks!!
var customFilter = (function () {
  var xss = new window.filterXSS.FilterXSS({
    safeAttrValue: function (tag, name, value) {
      // Custom attribute-value filter: for the href attribute of an <a> tag,
      // first check whether the value starts with wiz://
      if (tag === 'a' && name === 'href') {
        if (value.substr(0, 6) === 'wiz://') {
          return window.filterXSS.escapeAttrValue(value);
        }
      }
      // In all other cases, use the default safeAttrValue handler
      return window.filterXSS.safeAttrValue(tag, name, value);
    }
  });
  return function (html) {
    return xss.process(html);
  };
})();
// customFilter(htmlstr);
Using the following opt:
var xssOpt = {
  whiteList: [], // empty whitelist, meaning filter out all tags
  stripIgnoreTag: true, // strip all HTML tags not in the whitelist
  stripIgnoreTagBody: ['script'] // the script tag is special: its body content must be stripped too
};
When calling xss(str, xssOpt), the following error is reported:
Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time
How do I fix this?
After js-xss processing it becomes
<a href="" target="_blank">anchor</a>
Plan to add a new option, allowCommentTag, to control whether HTML comment tags are allowed:
true means allow, false means remove; the default is false
typeof xss(Number(42)) === "string";
will be true.
Thank you for your work
E:\node work\node-doc-cn-master>npm install xss
npm http GET https://registry.npmjs.org/xss
npm http 304 https://registry.npmjs.org/xss
npm http GET https://registry.npmjs.org/xss/-/xss-0.0.8.tgz
npm http 200 https://registry.npmjs.org/xss/-/xss-0.0.8.tgz
npm ERR! Error: ENOENT, open 'C:\Users\ADMINI~1\AppData\Local\Temp\npm-15224-vgC
KZxTd\1384148008965-0.5113850180059671\package:q'
npm ERR! If you need help, you may report this log at:
npm ERR! http://github.com/isaacs/npm/issues
npm ERR! or email it to:
npm ERR! [email protected]
npm ERR! System Windows_NT 6.1.7601
npm ERR! command "D:\nodist\bin\node.exe" "D:\nodist\bin\node_modules\n
pm\cli.js" "install" "xss"
npm ERR! cwd E:\node work\node-doc-cn-master
npm ERR! node -v v0.10.20
npm ERR! npm -v 1.3.11
npm ERR! path C:\Users\ADMINI~1\AppData\Local\Temp\npm-15224-vgCKZxTd\1384148008
965-0.5113850180059671\package:q
npm ERR! code ENOENT
npm ERR! errno 34
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR! E:\node work\node-doc-cn-master\npm-debug.log
npm ERR! not ok code 0
Hi,
I was reading https://www.npmjs.com/package/xss, and it said that if I wanted to allow style tags, I would just need to run the following code
const myxss = new xss.FilterXSS({
  css: false,
});
html = myxss.process(innerText);
However, I can't get it to work. My inner text is
<table>
<thead>
<tr>
<th style="text-align:left"><strong>Left Column</strong></th>
<th style="text-align:right"></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><strong>Left Value</strong></td>
<td style="text-align:right">Right Value</td>
</tr>
</tbody>
</table>
and instead what comes out is
<table>
<thead>
<tr>
<th><strong>Left Column</strong></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Left Value</strong></td>
<td>Right Value</td>
</tr>
</tbody>
</table>
Any guidance would be helpful. Thanks!
what if I want to make
balabala<img src="/test-img.png">xxx</img>balabala
to
balabala[img]balabala
Whenever I use the whiteList option, all HTML content is converted into an encoded string instead of sample HTML.
I have used the below string:
var source = '<p>Hotel Kadi Palace is located in the <strong>heart </strong>of the <strong>historic center of Florence </strong>';
var html = xss(source, { whiteList: ['href', 'target'] });
console.log(html);
So I just want to know whether it is functionality or minor bug, and what should I do to get plain html here.
It appears this module targets HTML input/output, so I should always do
xss('<a href="' + url + '">')
instead of
<a href="xss(url)">link</a>
right?
This also means I should always do json data -> template render -> xss filter -> append, instead of json data -> xss filter -> template render -> append, right?
xss > 3
is escaped to
xss > 3
because of this, at
parser.js:102
if (lastPos < html.length) {
  rethtml += escapeHtml(html.substr(lastPos));
}
If no HTML tag was found, it shouldn't be escaped, should it?
It took several tries to figure out the format of config.js; I suggest adding an example file.
var options = {
  whiteList: [], // empty, means filter out all tags
  stripIgnoreTag: true // filter out all HTML not in the whitelist
};
Run the xss module on the following contents:
Hesabı təsdiqlə:
Xətalı istək
Səhifə tapılmadı
Cuenta desconocida. <a href="javascript(1)" onclick="javascript:alert('hey')
Desconectado correctamente
La cuenta ya existe. <a href="/signin">Identifícate</a>
More detailed examples at mozilla/fxa-content-server-l10n#63
@shane-tomlinson
The exported values should be the options actually in effect, not, as now, only the default whiteList and onTagAttr; options passed in as arguments do not change the exported properties.
var oldKeys = Object.keys(opts);
xss('test', opts);
var newKeys = Object.keys(opts);
oldKeys.length === newKeys.length
Re-using an opts object which has stripIgnoreTag defined will issue a warning:
Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time