thesmaw / caja-html-sanitizer
Bundles Google Caja's HTML Sanitizer within a npm installable node.js module
Hi Ben
I needed the unescapeEntities method client-side and didn't want to include the rest of the lib in my app so I published it as a module
I don't know what you think about this, but thought it might be useful for you to know it exists
Cheers
What am I missing here?
I'm getting the following error:
ReferenceError: makeSaxParser is not defined
at Object. (/usr/local/lib/node/.npm/sanitizer/0.0.7/package/sanitizer.js:540:1)
at Module._compile (node.js:462:23)
at Module._loadScriptSync (node.js:469:10)
at Module.loadSync (node.js:338:12)
at loadModule (node.js:283:14)
at require (node.js:411:14)
at Object. (/usr/local/lib/node/sanitizer/index.js:8:18)
at Module._compile (node.js:462:23)
at Module._loadScriptSync (node.js:469:10)
at Module.loadSync (node.js:338:12)
Here's the relevant code...
var sanitizer = require('sanitizer');

app.post('/', function(req, res) {
    var charsConv = sanitizer.escape(req.body.chars);
    res.render('chars', {
        locals: {
            "charsConv": charsConv
        }
    });
});
Hey there!
I'd like to report a security issue but cannot find contact instructions on your repository.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Latest commit allows support for tel, sms and geo URI:
https://github.com/google/caja/commits/master/src/com/google/caja/plugin/html-sanitizer.js
Cheers and thanks :)
Hello,
Single quotes should be escaped in attributes.
The following
sanitizer.escapeAttrib("Using a ' single quote");
produces Using a ' single quote.
The expected result would be: Using a ' single quote
or Using a ' single quote.
Thanks!
Two vulnerabilities have been found in Caja, and a patched version has been released.
In their words:
This is a complete breach of the Caja sandbox. All users should immediately upgrade to Caja v6008 or later.
Thanks for this module, it's very useful to have it wrapped up.
I see the sanitize() function is very conservative and strips a lot from the html. I'm wondering how to relax this a little so http/https urls can be included in href attributes in links, and src attributes in img tags.
I expect this is a common thing people might want to do, so having it documented would be helpful.
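One way to do what this post asks, as an added example that is not part of the module or of this thread: a URI policy callback that keeps only http and https URLs, to be passed as the second argument of sanitizer.sanitize. It assumes, as the bundled Caja sanitizer of that era did, that the callback receives the href/src attribute value as a string and that returning null drops the attribute; the optional base URL for resolving relative links is my own addition.

```javascript
// Added example (not the module's own code). Assumes sanitizer.sanitize(html, uriPolicy)
// calls uriPolicy(urlString) for each href/src attribute, keeps the string it returns
// as the new attribute value, and removes the attribute when it returns null.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Factory so the caller can decide whether relative URLs are resolved against a
// trusted base (e.g. the site's own origin) or dropped (no base given).
function makeHttpOnlyUriPolicy(baseUrl) {
  return function uriPolicy(uri) {
    let parsed;
    try {
      // WHATWG URL parser: normalises scheme case and rejects garbage; without a
      // base it also throws on relative URLs, which then get dropped.
      const raw = String(uri).trim();
      parsed = baseUrl ? new URL(raw, baseUrl) : new URL(raw);
    } catch (e) {
      return null; // unparsable (or relative with no base): drop the attribute
    }
    if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
      return null; // javascript:, data:, vbscript:, file: ... are all dropped
    }
    return parsed.href; // normalised absolute URL is what ends up in the attribute
  };
}

// Policy that accepts absolute http/https URLs only.
const httpOnlyUriPolicy = makeHttpOnlyUriPolicy();

// Wiring into the module; only callable when the npm 'sanitizer' package is installed.
function sanitizeWithHttpLinks(html, baseUrl) {
  const sanitizer = require('sanitizer');
  return sanitizer.sanitize(html, makeHttpOnlyUriPolicy(baseUrl));
}
```

With this policy, `<a href>` and `<img src>` survive sanitize() when their URL is http or https, while other schemes are still stripped.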
console.log(global)
// Output
Sanitizer:
{ escapeAttrib: [Function: escapeAttrib],
makeHtmlSanitizer: [Function: makeHtmlSanitizer],
makeSaxParser: [Function: makeSaxParser],
makeTagPolicy: [Function: makeTagPolicy],
normalizeRCData: [Function: normalizeRCData],
sanitizeAttribs: [Function: sanitizeAttribs],
sanitizeWithPolicy: [Function: sanitizeWithPolicy],
unescapeEntities: [Function: unescapeEntities],
escape: [Function: escapeAttrib],
sanitize: [Function],
Sanitizer: [Circular] } }
hey,
I just encountered the problem that a boolean false got converted to the string "false" using your sanitize function:
console.log(typeof(worldhit));
> boolean
console.log(typeof(sanitizer.sanitize(worldhit)));
> string
The value of the variable is false, and since !!"false" === true in JavaScript, it is always interpreted as true.
Hi, one of the JSON requests in our project contains a value something like {"test" : "<AAA"}. Sanitization fails here and it returns a wrong JSON object which can't be parsed.
Please look into this.
For example: request JSON is: {"fundsTransferCaptureInfo": {"requestFundsSource": {"requestSourceDepositTransactionAgreement": {"bankNum": "888","branchNum": "888", "accountNum": "0002345"}},"fundsTransferRecipientId": "<ddd","fundsDestinationCcyamt": {"amount": 2345.01,"currencyCd": "GBP"},"sourceCurrencyCd": "CAD","promoCode": "ABCDEFG","fundsTransferMethodTypeCd": "WIRE","fundsTransferServiceCd": "Digital Wire"}}
Sanitized string returned is:
{"fundsTransferCaptureInfo":{"requestFundsSource":{"requestSourceDepositTransactionAgreement":{"bankNum":"888","branchNum":"888","accountNum":"0002345"}},"fundsTransferRecipientId":"
This is not a full JSON string and hence breaks the code. It is due to the field "fundsTransferRecipientId": "<ddd" in the request.
It works well if there is a space between < and the next character:
"fundsTransferRecipientId": "< ddd" works well.
Sometimes my data will contain something like <apples>, which ends up getting sanitized. How can I prevent the sanitizer from doing this?
I saw this comment and wanted to point out that they could sanitize html.
http://news.ycombinator.com/reply?id=2200312&whence=item%3fid%3d2199901
After looking through the Google Code repo and having a hard time finding the HTML defs in JavaScript, I came here. onerror was nowhere to be found in the definitions, though... is this a bug?
Stuff like this makes problems:
<p><a name="foo"/> This is the foo section.</p>
<p><a name="bar"/> This is the bar section.</p>
Sanitized result:
<p><a name="foo"> This is the foo section.
<p><a name="bar"> This is the bar section.</a></p></a></p>