thesmaw / caja-html-sanitizer Goto Github PK

Hi Ben

I needed the unescapeEntities method client-side and didn't want to include the rest of the lib in my app so I published it as a module

I don't know what you think about this, but thought it might be useful for you to know it exists

Cheers

What am I missing here?
I'm getting the following error:

ReferenceError: makeSaxParser is not defined
at Object. (/usr/local/lib/node/.npm/sanitizer/0.0.7/package/sanitizer.js:540:1)
at Module._compile (node.js:462:23)
at Module._loadScriptSync (node.js:469:10)
at Module.loadSync (node.js:338:12)
at loadModule (node.js:283:14)
at require (node.js:411:14)
at Object. (/usr/local/lib/node/sanitizer/index.js:8:18)
at Module._compile (node.js:462:23)
at Module._loadScriptSync (node.js:469:10)
at Module.loadSync (node.js:338:12)

Here's the relevant code...

var sanitizer = require('sanitizer');
app.post('/', function(req, res) {
var charsConv = sanitizer.escape(req.body.chars);
res.render('chars', {
locals: {
"charsConv": charsConv
}
});
});

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

Latest commit allows support for tel, sms and geo URI:
https://github.com/google/caja/commits/master/src/com/google/caja/plugin/html-sanitizer.js
Cheers and thanks :)

Hello,

Single quotes should be escaped in attributes.

The following

sanitizer.escapeAttrib("Using a ' single quote");

produces Using a ' single quote.

The expected result would be: Using a ' single quote or Using a ' single quote.

Thanks!

Two vulnerabilities have been found in Caja, and a patched version has been released.

In their words:

This is a complete breach of the Caja sandbox. All users should immediately upgrade to Caja v6008 or later.

Thanks for this module, it's very useful to have it wrapped up.

I see the sanitize() function is very conservative and strips a lot from the html. I'm wondering how to relax this a little so http/https urls can be included in href attributes in links, and src attributes in img tags.

I expect this is a common thing people might want to do, so having it documented would be helpful.

hey,
I just encountered the problem that a boolean false got converted to the string "false" using your sanitize function:

console.log(typeof(worldhit));
> boolean
console.log(typeof(sanitizer.sanitize(worldhit)));
> string

the value of the variable is false and since !!"false" === true in javascript, it is always interpreted as true.

Hi, one of the json request in our project contains a value something like {"test" : "<AAA"}. Sanitization fails here and it returns a wrong json object which cant be parsed.

Please look into this.
For example: request JSON is: {"fundsTransferCaptureInfo": {"requestFundsSource": {"requestSourceDepositTransactionAgreement": {"bankNum": "888","branchNum": "888", "accountNum": "0002345"}},"fundsTransferRecipientId": "<ddd","fundsDestinationCcyamt": {"amount": 2345.01,"currencyCd": "GBP"},"sourceCurrencyCd": "CAD","promoCode": "ABCDEFG","fundsTransferMethodTypeCd": "WIRE","fundsTransferServiceCd": "Digital Wire"}}

Santized String returned is :
{"fundsTransferCaptureInfo":{"requestFundsSource":{"requestSourc
eDepositTransactionAgreement":{"bankNum":"888","branchNum":"888","accountNum":"0
002345"}},"fundsTransferRecipientId":"

Which is not full JSON string and hence breaks the code. this is due to the field "fundsTransferRecipientId": "<ddd" in request.

It works well if there is a space between < and another char
"fundsTransferRecipientId": "< ddd", this will work well,

Sometimes my data will contain something like <apples> which ends up getting sanitized. How can prevent sanitizer from doing this?

I saw this comment and wanted to point out that they could sanitize html.

http://news.ycombinator.com/reply?id=2200312&whence=item%3fid%3d2199901

After looking through the google code repo and having a hard time finding the html defs in javascript I came here. onerror was nowhere to be found in the definitions, though...is this a bug?

Stuff like this makes problems:

<p><a name="foo"/> This is the foo section.</p>
<p><a name="bar"/> This is the bar section.</p>

Sanitized result:

<p><a name="foo"> This is the foo section.
<p><a name="bar"> This is the bar section.</a></p></a></p>