├── .coveralls.yml
├── .eslintrc.js
├── .github
    ├── FUNDING.yml
    └── workflows
    │   ├── codeql-analysis.yml
    │   └── nodejs.yml
├── .gitignore
├── AUTHORS
├── CHANGELOG.md
├── LICENSE
├── README.md
├── README.zh.md
├── SECURITY.md
├── benchmark
    ├── file.html
    ├── index.js
    └── vs_validator.js
├── bin
    ├── bower_register.cmd
    ├── build
    └── xss
├── bower.json
├── dist
    ├── test.html
    ├── xss.js
    └── xss.min.js
├── example
    ├── allows_attr_prefix.js
    ├── allows_tag_prefix.js
    ├── analyse_img_list.js
    ├── strip_tag.js
    ├── web.html
    ├── webworker.html
    └── worker.js
├── lib
    ├── cli.js
    ├── default.js
    ├── index.js
    ├── parser.js
    ├── util.js
    └── xss.js
├── package.json
├── test
    ├── test_custom_method.js
    ├── test_default.js
    ├── test_html_parser.js
    └── test_xss.js
└── typings
    ├── tsconfig.json
    ├── xss-default-import.ts
    ├── xss-other-tests.ts
    ├── xss-tests.ts
    └── xss.d.ts


/.coveralls.yml:
--------------------------------------------------------------------------------
1 | service_name: travis-pro
2 | repo_token: 9WQeMOiEjFQQAG2FdKJYZdKuYKLszsjEA
3 | 


--------------------------------------------------------------------------------
/.eslintrc.js:
--------------------------------------------------------------------------------
 1 | module.exports = {
 2 |     "env": {
 3 |         "browser": true,
 4 |         "commonjs": true,
 5 |         "es2021": true,
 6 |         "node": true
 7 |     },
 8 |     "extends": "eslint:recommended",
 9 |     "parserOptions": {
10 |         "ecmaVersion": "latest"
11 |     },
12 |     "globals": {
13 |         "DedicatedWorkerGlobalScope": "readonly",
14 |     },
15 |     "rules": {
16 |         "no-unused-vars": ["error", { "vars": "all", "args": "none" }],
17 |     }
18 | }
19 | 


--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 | 
3 | github: leizongmin # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
4 | patreon: # Replace with a single Patreon username
5 | open_collective: leizongmin # Replace with a single Open Collective username
6 | ko_fi: # Replace with a single Ko-fi username
7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
8 | custom: # Replace with a single custom sponsorship URL
9 | 


--------------------------------------------------------------------------------
/.github/workflows/codeql-analysis.yml:
--------------------------------------------------------------------------------
 1 | name: "CodeQL"
 2 | 
 3 | on:
 4 |   push:
 5 |     branches: [master, ]
 6 |   pull_request:
 7 |     # The branches below must be a subset of the branches above
 8 |     branches: [master]
 9 |   schedule:
10 |     - cron: '0 2 * * 2'
11 | 
12 | jobs:
13 |   analyse:
14 |     name: Analyse
15 |     runs-on: ubuntu-latest
16 | 
17 |     steps:
18 |     - name: Checkout repository
19 |       uses: actions/checkout@v2
20 |       with:
21 |         # We must fetch at least the immediate parents so that if this is
22 |         # a pull request then we can checkout the head.
23 |         fetch-depth: 2
24 | 
25 |     # If this run was triggered by a pull request event, then checkout
26 |     # the head of the pull request instead of the merge commit.
27 |     - run: git checkout HEAD^2
28 |       if: ${{ github.event_name == 'pull_request' }}
29 | 
30 |     # Initializes the CodeQL tools for scanning.
31 |     - name: Initialize CodeQL
32 |       uses: github/codeql-action/init@v1
33 |       # Override language selection by uncommenting this and choosing your languages
34 |       # with:
35 |       #   languages: go, javascript, csharp, python, cpp, java
36 | 
37 |     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
38 |     # If this step fails, then you should remove it and run the build manually (see below)
39 |     - name: Autobuild
40 |       uses: github/codeql-action/autobuild@v1
41 | 
42 |     # ℹ️ Command-line programs to run using the OS shell.
43 |     # 📚 https://git.io/JvXDl
44 | 
45 |     # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
46 |     #    and modify them (or add more) to build your code if your project
47 |     #    uses a compiled language
48 | 
49 |     #- run: |
50 |     #   make bootstrap
51 |     #   make release
52 | 
53 |     - name: Perform CodeQL Analysis
54 |       uses: github/codeql-action/analyze@v1
55 | 


--------------------------------------------------------------------------------
/.github/workflows/nodejs.yml:
--------------------------------------------------------------------------------
 1 | name: Node.js CI
 2 | 
 3 | on:
 4 |   push:
 5 |     branches: [master]
 6 |   pull_request:
 7 |     branches: [master]
 8 | 
 9 | jobs:
10 |   build:
11 |     runs-on: ubuntu-latest
12 | 
13 |     strategy:
14 |       matrix:
15 |         node-version: [10.x, 12.x, 14.x, 16.x]
16 | 
17 |     steps:
18 |       - uses: actions/checkout@v2
19 |       - name: Use Node.js ${{ matrix.node-version }}
20 |         uses: actions/setup-node@v1
21 |         with:
22 |           node-version: ${{ matrix.node-version }}
23 |       - run: npm install
24 |       - run: npm run test-cov && npm run coveralls
25 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | lib-cov
 2 | *.seed
 3 | *.log
 4 | *.csv
 5 | *.dat
 6 | *.out
 7 | *.pid
 8 | *.gz
 9 | .idea
10 | 
11 | pids
12 | logs
13 | results
14 | 
15 | node_modules
16 | npm-debug.log
17 | 
18 | benchmark/result*.html
19 | 
20 | coverage.html
21 | .nyc_output
22 | coverage
23 | 
24 | package-lock.json
25 | 


--------------------------------------------------------------------------------
/AUTHORS:
--------------------------------------------------------------------------------
1 | Zongmin Lei <leizongmin@gmail.com> (http://ucdok.com)
2 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | # CHANGELOG
 2 | 
 3 | ## v1.0.15 (2024-03-03)
 4 | 
 5 | - [feat: add `<kbd>` to default whitelist](https://github.com/leizongmin/js-xss/pull/279) by @rayrny
 6 | - [feat: single-quoted attribute value syntax support](https://github.com/leizongmin/js-xss/pull/287) by @mdk000
 7 | 
 8 | ## v1.0.14 (2022-08-16)
 9 | 
10 | - [fix: problem with not closed tag](https://github.com/leizongmin/js-xss/pull/262) by @slawiko
11 | - [fix: add allowList to types](https://github.com/leizongmin/js-xss/pull/261) by @metonym
12 | 
13 | ## v1.0.13 (2022-06-07)
14 | 
15 | - [revert: fix: comment has encoded](https://github.com/leizongmin/js-xss/pull/257)
16 | 
17 | ## v1.0.12 (2022-06-04)
18 | 
19 | - [feat: add eslint:recommended check](https://github.com/leizongmin/js-xss/pull/252) by @lumburr
20 | - [fix: comment has encoded](https://github.com/leizongmin/js-xss/pull/257) by @lumburr
21 | - [fix: whitelist match failure due to case ignoring](https://github.com/leizongmin/js-xss/pull/256) by @lumburr
22 | - [fix: class is wrong separated by attributes in method onTagAttr](https://github.com/leizongmin/js-xss/pull/253) by @lumburr
23 | 
24 | ## v1.0.11 (2022-03-06)
25 | 
26 | - [feat: add support for allowList as an alias for whiteList](https://github.com/leizongmin/js-xss/pull/249) by @schu34
27 | 
28 | ## v1.0.10 (2021-10-08)
29 | 
30 | - [Fix: #239 stripCommentTag DoS attack](https://github.com/leizongmin/js-xss/pull/239)
31 | 
32 | ## v1.0.9 (2021-05-06)
33 | 
34 | - [Fix whitespace bypass #218](https://github.com/leizongmin/js-xss/pull/218/files) by @TomAnthony
35 | - [Add `<summary>` to default whitelist #216](https://github.com/leizongmin/js-xss/pull/216) by @spacegaier
36 | - [Add `<figure>` and `<figcaption>` to default whitelist](https://github.com/leizongmin/js-xss/pull/220) by @daraz999
37 | - Add `<audio crossorigin muted>`, `<video crossorigin muted playsinline poster>` to default whitelist
38 | - Add `<strike>` to default whitelist
39 | - Fix: typings IWhiteList allow any tag name
40 | - Fix: typings `onTag` options
41 | 
42 | ## v1.0.8 (2020-07-27)
43 | 
44 | - [Allow default imports in TS #200](https://github.com/leizongmin/js-xss/pull/200) by @danvk
45 | - [Update handling of quoteStart to prevent sanitization bypass #201](https://github.com/leizongmin/js-xss/pull/201) by @TomAnthony
46 | 
47 | ## v1.0.7 (2020-06-08)
48 | 
49 | - [added support for src embedded image, ftp and relative urls](https://github.com/leizongmin/js-xss/pull/189) by @sijanec
50 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2012-2018 Zongmin Lei(雷宗民) <leizongmin@gmail.com>
 2 | http://ucdok.com
 3 | 
 4 | The MIT License
 5 | 
 6 | Permission is hereby granted, free of charge, to any person obtaining
 7 | a copy of this software and associated documentation files (the
 8 | "Software"), to deal in the Software without restriction, including
 9 | without limitation the rights to use, copy, modify, merge, publish,
10 | distribute, sublicense, and/or sell copies of the Software, and to
11 | permit persons to whom the Software is furnished to do so, subject to
12 | the following conditions:
13 | 
14 | The above copyright notice and this permission notice shall be
15 | included in all copies or substantial portions of the Software.
16 | 
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | [![NPM version][npm-image]][npm-url]
  2 | [![Node.js CI](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml/badge.svg)](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml)
  3 | [![Test coverage][coveralls-image]][coveralls-url]
  4 | [![David deps][david-image]][david-url]
  5 | [![node version][node-image]][node-url]
  6 | [![npm download][download-image]][download-url]
  7 | [![npm license][license-image]][download-url]
  8 | 
  9 | [npm-image]: https://img.shields.io/npm/v/xss.svg?style=flat-square
 10 | [npm-url]: https://npmjs.org/package/xss
 11 | [coveralls-image]: https://img.shields.io/coveralls/leizongmin/js-xss.svg?style=flat-square
 12 | [coveralls-url]: https://coveralls.io/r/leizongmin/js-xss?branch=master
 13 | [david-image]: https://img.shields.io/david/leizongmin/js-xss.svg?style=flat-square
 14 | [david-url]: https://david-dm.org/leizongmin/js-xss
 15 | [node-image]: https://img.shields.io/badge/node.js-%3E=_0.10-green.svg?style=flat-square
 16 | [node-url]: http://nodejs.org/download/
 17 | [download-image]: https://img.shields.io/npm/dm/xss.svg?style=flat-square
 18 | [download-url]: https://npmjs.org/package/xss
 19 | [license-image]: https://img.shields.io/npm/l/xss.svg
 20 | 
 21 | # Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist.
 22 | 
 23 | [![Greenkeeper badge](https://badges.greenkeeper.io/leizongmin/js-xss.svg)](https://greenkeeper.io/)
 24 | 
 25 | ![xss](https://nodei.co/npm/xss.png?downloads=true&stars=true)
 26 | 
 27 | ---
 28 | 
 29 | `xss` is a module used to filter input from users to prevent XSS attacks.
 30 | ([What is XSS attack?](http://en.wikipedia.org/wiki/Cross-site_scripting))
 31 | 
 32 | **Project Homepage:** http://jsxss.com
 33 | 
 34 | **Try Online:** http://jsxss.com/en/try.html
 35 | 
 36 | **[中文版文档](https://github.com/leizongmin/js-xss/blob/master/README.zh.md)**
 37 | 
 38 | ---
 39 | 
 40 | ## Features
 41 | 
 42 | - Specifies HTML tags and their attributes allowed with whitelist
 43 | - Handle any tags or attributes using custom function.
 44 | 
 45 | ## Reference
 46 | 
 47 | - [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
 48 | - [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme)
 49 | - [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b)
 50 | 
 51 | ## Benchmark (for references only)
 52 | 
 53 | - the xss module: 22.53 MB/s
 54 | - `xss()` function from module `validator@0.3.7`: 6.9 MB/s
 55 | 
 56 | For test code please refer to `benchmark` directory.
 57 | 
 58 | ## They are using xss module
 59 | 
 60 | - **nodeclub** - A Node.js bbs using MongoDB - https://github.com/cnodejs/nodeclub
 61 | - **cnpmjs.org** - Private npm registry and web for Enterprise - https://github.com/cnpm/cnpmjs.org
 62 | - **cocalc.com** - Collaborative Calculation and Data Science - https://cocalc.com
 63 | 
 64 | ## Install
 65 | 
 66 | ### NPM
 67 | 
 68 | ```bash
 69 | npm install xss
 70 | ```
 71 | 
 72 | ### Bower
 73 | 
 74 | ```bash
 75 | bower install xss
 76 | ```
 77 | 
 78 | Or
 79 | 
 80 | ```bash
 81 | bower install https://github.com/leizongmin/js-xss.git
 82 | ```
 83 | 
 84 | ## Usages
 85 | 
 86 | ### On Node.js
 87 | 
 88 | ```javascript
 89 | var xss = require("xss");
 90 | var html = xss('<script>alert("xss");</script>');
 91 | console.log(html);
 92 | ```
 93 | 
 94 | ### On Browser
 95 | 
 96 | Shim mode (reference file `test/test.html`):
 97 | 
 98 | ```html
 99 | <script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
100 | <script>
101 |   // apply function filterXSS in the same way
102 |   var html = filterXSS('<script>alert("xss");</scr' + "ipt>");
103 |   alert(html);
104 | </script>
105 | ```
106 | 
107 | AMD mode - shim:
108 | 
109 | ```html
110 | <script>
111 |   require.config({
112 |     baseUrl: "./",
113 |     paths: {
114 |       xss: "https://rawgit.com/leizongmin/js-xss/master/dist/xss.js",
115 |     },
116 |     shim: {
117 |       xss: { exports: "filterXSS" },
118 |     },
119 |   });
120 |   require(["xss"], function (xss) {
121 |     var html = xss('<script>alert("xss");</scr' + "ipt>");
122 |     alert(html);
123 |   });
124 | </script>
125 | ```
126 | 
127 | **Notes: please don't use the URL https://rawgit.com/leizongmin/js-xss/master/dist/xss.js in production environment.**
128 | 
129 | ## Command Line Tool
130 | 
131 | ### Process File
132 | 
133 | You can use the xss command line tool to process a file. Usage:
134 | 
135 | ```bash
136 | xss -i <input_file> -o <output_file>
137 | ```
138 | 
139 | Example:
140 | 
141 | ```bash
142 | xss -i origin.html -o target.html
143 | ```
144 | 
145 | ### Active Test
146 | 
147 | Run the following command, them you can type HTML
148 | code in the command-line, and check the filtered output:
149 | 
150 | ```bash
151 | xss -t
152 | ```
153 | 
154 | For more details, please run `$ xss -h` to see it.
155 | 
156 | ## Custom filter rules
157 | 
158 | When using the `xss()` function, the second parameter could be used to specify
159 | custom rules:
160 | 
161 | ```javascript
162 | options = {}; // Custom rules
163 | html = xss('<script>alert("xss");</script>', options);
164 | ```
165 | 
166 | To avoid passing `options` every time, you can also do it in a faster way by
167 | creating a `FilterXSS` instance:
168 | 
169 | ```javascript
170 | options = {}; // Custom rules
171 | myxss = new xss.FilterXSS(options);
172 | // then apply myxss.process()
173 | html = myxss.process('<script>alert("xss");</script>');
174 | ```
175 | 
176 | Details of parameters in `options` would be described below.
177 | 
178 | ### Whitelist
179 | 
180 | By specifying a `whiteList`, e.g. `{ 'tagName': [ 'attr-1', 'attr-2' ] }`. Tags
181 | and attributes not in the whitelist would be filter out. For example:
182 | 
183 | ```javascript
184 | // only tag a and its attributes href, title, target are allowed
185 | var options = {
186 |   whiteList: {
187 |     a: ["href", "title", "target"],
188 |   },
189 | };
190 | // With the configuration specified above, the following HTML:
191 | // <a href="#" onclick="hello()"><i>Hello</i></a>
192 | // would become:
193 | // <a href="#">&lt;i&gt;Hello&lt;/i&gt;</a>
194 | ```
195 | 
196 | For the default whitelist, please refer `xss.whiteList`.
197 | 
198 | `allowList` is also supported, and has the same function as `whiteList`.
199 | 
200 | ### Customize the handler function for matched tags
201 | 
202 | By specifying the handler function with `onTag`:
203 | 
204 | ```javascript
205 | function onTag(tag, html, options) {
206 |   // tag is the name of current tag, e.g. 'a' for tag <a>
207 |   // html is the HTML of this tag, e.g. '<a>' for tag <a>
208 |   // options is some addition informations:
209 |   //   isWhite    boolean, whether the tag is in whitelist
210 |   //   isClosing  boolean, whether the tag is a closing tag, e.g. true for </a>
211 |   //   position        integer, the position of the tag in output result
212 |   //   sourcePosition  integer, the position of the tag in input HTML source
213 |   // If a string is returned, the current tag would be replaced with the string
214 |   // If return nothing, the default measure would be taken:
215 |   //   If in whitelist: filter attributes using onTagAttr, as described below
216 |   //   If not in whitelist: handle by onIgnoreTag, as described below
217 | }
218 | ```
219 | 
220 | ### Customize the handler function for attributes of matched tags
221 | 
222 | By specifying the handler function with `onTagAttr`:
223 | 
224 | ```javascript
225 | function onTagAttr(tag, name, value, isWhiteAttr) {
226 |   // tag is the name of current tag, e.g. 'a' for tag <a>
227 |   // name is the name of current attribute, e.g. 'href' for href="#"
228 |   // isWhiteAttr whether the attribute is in whitelist
229 |   // If a string is returned, the attribute would be replaced with the string
230 |   // If return nothing, the default measure would be taken:
231 |   //   If in whitelist: filter the value using safeAttrValue as described below
232 |   //   If not in whitelist: handle by onIgnoreTagAttr, as described below
233 | }
234 | ```
235 | 
236 | ### Customize the handler function for tags not in the whitelist
237 | 
238 | By specifying the handler function with `onIgnoreTag`:
239 | 
240 | ```javascript
241 | function onIgnoreTag(tag, html, options) {
242 |   // Parameters are the same with onTag
243 |   // If a string is returned, the tag would be replaced with the string
244 |   // If return nothing, the default measure would be taken (specifies using
245 |   // escape, as described below)
246 | }
247 | ```
248 | 
249 | ### Customize the handler function for attributes not in the whitelist
250 | 
251 | By specifying the handler function with `onIgnoreTagAttr`:
252 | 
253 | ```javascript
254 | function onIgnoreTagAttr(tag, name, value, isWhiteAttr) {
255 |   // Parameters are the same with onTagAttr
256 |   // If a string is returned, the value would be replaced with this string
257 |   // If return nothing, then keep default (remove the attribute)
258 | }
259 | ```
260 | 
261 | ### Customize escaping function for HTML
262 | 
263 | By specifying the handler function with `escapeHtml`. Following is the default
264 | function **(Modification is not recommended)**:
265 | 
266 | ```javascript
267 | function escapeHtml(html) {
268 |   return html.replace(/</g, "&lt;").replace(/>/g, "&gt;");
269 | }
270 | ```
271 | 
272 | ### Customize escaping function for value of attributes
273 | 
274 | By specifying the handler function with `safeAttrValue`:
275 | 
276 | ```javascript
277 | function safeAttrValue(tag, name, value) {
278 |   // Parameters are the same with onTagAttr (without options)
279 |   // Return the value as a string
280 | }
281 | ```
282 | 
283 | ### Customize output attribute value syntax for HTML
284 | 
285 | By specifying a `singleQuotedAttributeValue`. Use `true` for `'`. Otherwise default `"` will be used
286 | 
287 | ```javascript
288 | var options = {
289 |   singleQuotedAttributeValue: true,
290 | };
291 | // With the configuration specified above, the following HTML:
292 | // <a href="#">Hello</a>
293 | // would become:
294 | // <a href='#'>Hello</a>
295 | ```
296 | 
297 | ### Customize CSS filter
298 | 
299 | If you allow the attribute `style`, the value will be processed by [cssfilter](https://github.com/leizongmin/js-css-filter) module. The cssfilter module includes a default css whitelist. You can specify the options for cssfilter module like this:
300 | 
301 | ```javascript
302 | myxss = new xss.FilterXSS({
303 |   css: {
304 |     whiteList: {
305 |       position: /^fixed|relative$/,
306 |       top: true,
307 |       left: true,
308 |     },
309 |   },
310 | });
311 | html = myxss.process('<script>alert("xss");</script>');
312 | ```
313 | 
314 | If you don't want to filter out the `style` content, just specify `false` to the `css` option:
315 | 
316 | ```javascript
317 | myxss = new xss.FilterXSS({
318 |   css: false,
319 | });
320 | ```
321 | 
322 | For more help, please see https://github.com/leizongmin/js-css-filter
323 | 
324 | ### Quick Start
325 | 
326 | #### Filter out tags not in the whitelist
327 | 
328 | By using `stripIgnoreTag` parameter:
329 | 
330 | - `true` filter out tags not in the whitelist
331 | - `false`: by default: escape the tag using configured `escape` function
332 | 
333 | Example:
334 | 
335 | If `stripIgnoreTag = true` is set, the following code:
336 | 
337 | ```html
338 | code:
339 | <script>
340 |   alert(/xss/);
341 | </script>
342 | ```
343 | 
344 | would output filtered:
345 | 
346 | ```html
347 | code:alert(/xss/);
348 | ```
349 | 
350 | #### Filter out tags and tag bodies not in the whitelist
351 | 
352 | By using `stripIgnoreTagBody` parameter:
353 | 
354 | - `false|null|undefined` by default: do nothing
355 | - `'*'|true`: filter out all tags not in the whitelist
356 | - `['tag1', 'tag2']`: filter out only specified tags not in the whitelist
357 | 
358 | Example:
359 | 
360 | If `stripIgnoreTagBody = ['script']` is set, the following code:
361 | 
362 | ```html
363 | code:
364 | <script>
365 |   alert(/xss/);
366 | </script>
367 | ```
368 | 
369 | would output filtered:
370 | 
371 | ```html
372 | code:
373 | ```
374 | 
375 | #### Filter out HTML comments
376 | 
377 | By using `allowCommentTag` parameter:
378 | 
379 | - `true`: do nothing
380 | - `false` by default: filter out HTML comments
381 | 
382 | Example:
383 | 
384 | If `allowCommentTag = false` is set, the following code:
385 | 
386 | ```html
387 | code:<!-- something -->
388 | END
389 | ```
390 | 
391 | would output filtered:
392 | 
393 | ```html
394 | code: END
395 | ```
396 | 
397 | ## Examples
398 | 
399 | ### Allow attributes of whitelist tags start with `data-`
400 | 
401 | ```javascript
402 | var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>';
403 | var html = xss(source, {
404 |   onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
405 |     if (name.substr(0, 5) === "data-") {
406 |       // escape its value using built-in escapeAttrValue function
407 |       return name + '="' + xss.escapeAttrValue(value) + '"';
408 |     }
409 |   },
410 | });
411 | 
412 | console.log("%s\nconvert to:\n%s", source, html);
413 | ```
414 | 
415 | Result:
416 | 
417 | ```html
418 | <div a="1" b="2" data-a="3" data-b="4">hello</div>
419 | convert to:
420 | <div data-a="3" data-b="4">hello</div>
421 | ```
422 | 
423 | ### Allow tags start with `x-`
424 | 
425 | ```javascript
426 | var source = "<x><x-1>he<x-2 checked></x-2>wwww</x-1><a>";
427 | var html = xss(source, {
428 |   onIgnoreTag: function (tag, html, options) {
429 |     if (tag.substr(0, 2) === "x-") {
430 |       // do not filter its attributes
431 |       return html;
432 |     }
433 |   },
434 | });
435 | 
436 | console.log("%s\nconvert to:\n%s", source, html);
437 | ```
438 | 
439 | Result:
440 | 
441 | ```html
442 | <x
443 |   ><x-1>he<x-2 checked></x-2>wwww</x-1
444 |   ><a>
445 |     convert to: &lt;x&gt;<x-1>he<x-2 checked></x-2>wwww</x-1><a></a></a
446 | ></x>
447 | ```
448 | 
449 | ### Parse images in HTML
450 | 
451 | ```javascript
452 | var source =
453 |   '<img src="img1">a<img src="img2">b<img src="img3">c<img src="img4">d';
454 | var list = [];
455 | var html = xss(source, {
456 |   onTagAttr: function (tag, name, value, isWhiteAttr) {
457 |     if (tag === "img" && name === "src") {
458 |       // Use the built-in friendlyAttrValue function to escape attribute
459 |       // values. It supports converting entity tags such as &lt; to printable
460 |       // characters such as <
461 |       list.push(xss.friendlyAttrValue(value));
462 |     }
463 |     // Return nothing, means keep the default handling measure
464 |   },
465 | });
466 | 
467 | console.log("image list:\n%s", list.join(", "));
468 | ```
469 | 
470 | Result:
471 | 
472 | ```html
473 | image list: img1, img2, img3, img4
474 | ```
475 | 
476 | ### Filter out HTML tags (keeps only plain text)
477 | 
478 | ```javascript
479 | var source = "<strong>hello</strong><script>alert(/xss/);</script>end";
480 | var html = xss(source, {
481 |   whiteList: {}, // empty, means filter out all tags
482 |   stripIgnoreTag: true, // filter out all HTML not in the whitelist
483 |   stripIgnoreTagBody: ["script"], // the script tag is a special case, we need
484 |   // to filter out its content
485 | });
486 | 
487 | console.log("text: %s", html);
488 | ```
489 | 
490 | Result:
491 | 
492 | ```html
493 | text: helloend
494 | ```
495 | 
496 | ## License
497 | 
498 | ```text
499 | Copyright (c) 2012-2018 Zongmin Lei(雷宗民) <leizongmin@gmail.com>
500 | http://ucdok.com
501 | 
502 | The MIT License
503 | 
504 | Permission is hereby granted, free of charge, to any person obtaining
505 | a copy of this software and associated documentation files (the
506 | "Software"), to deal in the Software without restriction, including
507 | without limitation the rights to use, copy, modify, merge, publish,
508 | distribute, sublicense, and/or sell copies of the Software, and to
509 | permit persons to whom the Software is furnished to do so, subject to
510 | the following conditions:
511 | 
512 | The above copyright notice and this permission notice shall be
513 | included in all copies or substantial portions of the Software.
514 | 
515 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
516 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
517 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
518 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
519 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
520 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
521 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
522 | ```
523 | 


--------------------------------------------------------------------------------
/README.zh.md:
--------------------------------------------------------------------------------
  1 | [![NPM version][npm-image]][npm-url]
  2 | [![Node.js CI](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml/badge.svg)](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml)
  3 | [![Test coverage][coveralls-image]][coveralls-url]
  4 | [![David deps][david-image]][david-url]
  5 | [![node version][node-image]][node-url]
  6 | [![npm download][download-image]][download-url]
  7 | [![npm license][license-image]][download-url]
  8 | 
  9 | [npm-image]: https://img.shields.io/npm/v/xss.svg?style=flat-square
 10 | [npm-url]: https://npmjs.org/package/xss
 11 | [coveralls-image]: https://img.shields.io/coveralls/leizongmin/js-xss.svg?style=flat-square
 12 | [coveralls-url]: https://coveralls.io/r/leizongmin/js-xss?branch=master
 13 | [david-image]: https://img.shields.io/david/leizongmin/js-xss.svg?style=flat-square
 14 | [david-url]: https://david-dm.org/leizongmin/js-xss
 15 | [node-image]: https://img.shields.io/badge/node.js-%3E=_0.10-green.svg?style=flat-square
 16 | [node-url]: http://nodejs.org/download/
 17 | [download-image]: https://img.shields.io/npm/dm/xss.svg?style=flat-square
 18 | [download-url]: https://npmjs.org/package/xss
 19 | [license-image]: https://img.shields.io/npm/l/xss.svg
 20 | 
 21 | # 根据白名单过滤 HTML(防止 XSS 攻击)
 22 | 
 23 | ![xss](https://nodei.co/npm/xss.png?downloads=true&stars=true)
 24 | 
 25 | ---
 26 | 
 27 | `xss`是一个用于对用户输入的内容进行过滤，以避免遭受 XSS 攻击的模块（[什么是 XSS 攻击？](http://baike.baidu.com/view/2161269.htm)）。主要用于论坛、博客、网上商店等等一些可允许用户录入页面排版、格式控制相关的 HTML 的场景，`xss`模块通过白名单来控制允许的标签及相关的标签属性，另外还提供了一系列的接口以便用户扩展，比其他同类模块更为灵活。
 28 | 
 29 | **项目主页：** http://jsxss.com
 30 | 
 31 | **在线测试：** http://jsxss.com/zh/try.html
 32 | 
 33 | ---
 34 | 
 35 | ## 特性
 36 | 
 37 | - 白名单控制允许的 HTML 标签及各标签的属性
 38 | - 通过自定义处理函数，可对任意标签及其属性进行处理
 39 | 
 40 | ## 参考资料
 41 | 
 42 | - [XSS 与字符编码的那些事儿 ---科普文](http://drops.wooyun.org/tips/689)
 43 | - [腾讯实例教程：那些年我们一起学 XSS](http://www.wooyun.org/whitehats/%E5%BF%83%E4%BC%A4%E7%9A%84%E7%98%A6%E5%AD%90)
 44 | - [mXSS 攻击的成因及常见种类](http://drops.wooyun.org/tips/956)
 45 | - [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
 46 | - [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme)
 47 | - [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b)
 48 | 
 49 | ## 性能（仅作参考）
 50 | 
 51 | - xss 模块：22.53 MB/s
 52 | - validator@0.3.7 模块的 xss()函数：6.9 MB/s
 53 | 
 54 | 测试代码参考 benchmark 目录
 55 | 
 56 | ## 安装
 57 | 
 58 | ### NPM
 59 | 
 60 | ```bash
 61 | npm install xss
 62 | ```
 63 | 
 64 | ### Bower
 65 | 
 66 | ```bash
 67 | bower install xss
 68 | ```
 69 | 
 70 | 或者
 71 | 
 72 | ```bash
 73 | bower install https://github.com/leizongmin/js-xss.git
 74 | ```
 75 | 
 76 | ## 使用方法
 77 | 
 78 | ### 在 Node.js 中使用
 79 | 
 80 | ```javascript
 81 | var xss = require("xss");
 82 | var html = xss('<script>alert("xss");</script>');
 83 | console.log(html);
 84 | ```
 85 | 
 86 | ### 在浏览器端使用
 87 | 
 88 | Shim 模式（参考文件 `test/test.html`）:
 89 | 
 90 | ```html
 91 | <script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
 92 | <script>
 93 |   // 使用函数名 filterXSS，用法一样
 94 |   var html = filterXSS('<script>alert("xss");</scr' + "ipt>");
 95 |   alert(html);
 96 | </script>
 97 | ```
 98 | 
 99 | AMD 模式（参考文件 `test/test_amd.html`）:
100 | 
101 | ```html
102 | <script>
103 |   require.config({
104 |     baseUrl: "./",
105 |     paths: {
106 |       xss: "https://rawgit.com/leizongmin/js-xss/master/dist/xss.js",
107 |     },
108 |     shim: {
109 |       xss: { exports: "filterXSS" },
110 |     },
111 |   });
112 |   require(["xss"], function (xss) {
113 |     var html = xss('<script>alert("xss");</scr' + "ipt>");
114 |     alert(html);
115 |   });
116 | </script>
117 | ```
118 | 
119 | **说明：请勿将 URL https://rawgit.com/leizongmin/js-xss/master/dist/xss.js 用于生产环境。**
120 | 
121 | ### 使用命令行工具来对文件进行 XSS 处理
122 | 
123 | ### 处理文件
124 | 
125 | 可通过内置的 `xss` 命令来对输入的文件进行 XSS 处理。使用方法：
126 | 
127 | ```bash
128 | xss -i <源文件> -o <目标文件>
129 | ```
130 | 
131 | 例：
132 | 
133 | ```bash
134 | xss -i origin.html -o target.html
135 | ```
136 | 
137 | ### 在线测试
138 | 
139 | 执行以下命令，可在命令行中输入 HTML 代码，并看到过滤后的代码：
140 | 
141 | ```bash
142 | xss -t
143 | ```
144 | 
145 | 详细命令行参数说明，请输入 `$ xss -h` 来查看。
146 | 
147 | ## 自定义过滤规则
148 | 
149 | 在调用 `xss()` 函数进行过滤时，可通过第二个参数来设置自定义规则：
150 | 
151 | ```javascript
152 | options = {}; // 自定义规则
153 | html = xss('<script>alert("xss");</script>', options);
154 | ```
155 | 
156 | 如果不想每次都传入一个 `options` 参数，可以创建一个 `FilterXSS` 实例（使用这种方法速度更快）：
157 | 
158 | ```
159 | options = {};  // 自定义规则
160 | myxss = new xss.FilterXSS(options);
161 | // 以后直接调用 myxss.process() 来处理即可
162 | html = myxss.process('<script>alert("xss");</script>');
163 | ```
164 | 
165 | `options` 参数的详细说明见下文。
166 | 
167 | ### 白名单
168 | 
169 | 通过 `whiteList` 来指定，格式为：`{'标签名': ['属性1', '属性2']}`。不在白名单上的标签将被过滤，不在白名单上的属性也会被过滤。以下是示例：
170 | 
171 | ```javascript
172 | // 只允许a标签，该标签只允许href, title, target这三个属性
173 | var options = {
174 |   whiteList: {
175 |     a: ["href", "title", "target"],
176 |   },
177 | };
178 | // 使用以上配置后，下面的HTML
179 | // <a href="#" onclick="hello()"><i>大家好</i></a>
180 | // 将被过滤为
181 | // <a href="#">大家好</a>
182 | ```
183 | 
184 | 默认白名单参考 `xss.whiteList`。
185 | 
186 | ### 自定义匹配到标签时的处理方法
187 | 
188 | 通过 `onTag` 来指定相应的处理函数。以下是详细说明：
189 | 
190 | ```javascript
191 | function onTag(tag, html, options) {
192 |   // tag是当前的标签名称，比如<a>标签，则tag的值是'a'
193 |   // html是该标签的HTML，比如<a>标签，则html的值是'<a>'
194 |   // options是一些附加的信息，具体如下：
195 |   //   isWhite    boolean类型，表示该标签是否在白名单上
196 |   //   isClosing  boolean类型，表示该标签是否为闭合标签，比如</a>时为true
197 |   //   position        integer类型，表示当前标签在输出的结果中的起始位置
198 |   //   sourcePosition  integer类型，表示当前标签在原HTML中的起始位置
199 |   // 如果返回一个字符串，则当前标签将被替换为该字符串
200 |   // 如果不返回任何值，则使用默认的处理方法：
201 |   //   在白名单上：  通过onTagAttr来过滤属性，详见下文
202 |   //   不在白名单上：通过onIgnoreTag指定，详见下文
203 | }
204 | ```
205 | 
206 | ### 自定义匹配到标签的属性时的处理方法
207 | 
208 | 通过 `onTagAttr` 来指定相应的处理函数。以下是详细说明：
209 | 
210 | ```javascript
211 | function onTagAttr(tag, name, value, isWhiteAttr) {
212 |   // tag是当前的标签名称，比如<a>标签，则tag的值是'a'
213 |   // name是当前属性的名称，比如href="#"，则name的值是'href'
214 |   // value是当前属性的值，比如href="#"，则value的值是'#'
215 |   // isWhiteAttr是否为白名单上的属性
216 |   // 如果返回一个字符串，则当前属性值将被替换为该字符串
217 |   // 如果不返回任何值，则使用默认的处理方法
218 |   //   在白名单上：  调用safeAttrValue来过滤属性值，并输出该属性，详见下文
219 |   //   不在白名单上：通过onIgnoreTagAttr指定，详见下文
220 | }
221 | ```
222 | 
223 | ### 自定义匹配到不在白名单上的标签时的处理方法
224 | 
225 | 通过 `onIgnoreTag` 来指定相应的处理函数。以下是详细说明：
226 | 
227 | ```javascript
228 | function onIgnoreTag(tag, html, options) {
229 |   // 参数说明与onTag相同
230 |   // 如果返回一个字符串，则当前标签将被替换为该字符串
231 |   // 如果不返回任何值，则使用默认的处理方法（通过escape指定，详见下文）
232 | }
233 | ```
234 | 
235 | ### 自定义匹配到不在白名单上的属性时的处理方法
236 | 
237 | 通过 `onIgnoreTagAttr` 来指定相应的处理函数。以下是详细说明：
238 | 
239 | ```javascript
240 | function onIgnoreTagAttr(tag, name, value, isWhiteAttr) {
241 |   // 参数说明与onTagAttr相同
242 |   // 如果返回一个字符串，则当前属性值将被替换为该字符串
243 |   // 如果不返回任何值，则使用默认的处理方法（删除该属性）
244 | }
245 | ```
246 | 
247 | ### 自定义 HTML 转义函数
248 | 
249 | 通过 `escapeHtml` 来指定相应的处理函数。以下是默认代码 **（不建议修改）** ：
250 | 
251 | ```javascript
252 | function escapeHtml(html) {
253 |   return html.replace(/</g, "&lt;").replace(/>/g, "&gt;");
254 | }
255 | ```
256 | 
257 | ### 自定义标签属性值的转义函数
258 | 
259 | 通过 `safeAttrValue` 来指定相应的处理函数。以下是详细说明：
260 | 
261 | ```javascript
262 | function safeAttrValue(tag, name, value) {
263 |   // 参数说明与onTagAttr相同（没有options参数）
264 |   // 返回一个字符串表示该属性值
265 | }
266 | ```
267 | 
268 | ### 自定义 CSS 过滤器
269 | 
270 | 如果配置中允许了标签的 `style` 属性，则它的值会通过[cssfilter](https://github.com/leizongmin/js-css-filter) 模块处理。
271 | `cssfilter` 模块包含了一个默认的 CSS 白名单，你可以通过以下的方式配置：
272 | 
273 | ```javascript
274 | myxss = new xss.FilterXSS({
275 |   css: {
276 |     whiteList: {
277 |       position: /^fixed|relative$/,
278 |       top: true,
279 |       left: true,
280 |     },
281 |   },
282 | });
283 | html = myxss.process('<script>alert("xss");</script>');
284 | ```
285 | 
286 | 如果不想使用 CSS 过滤器来处理 `style` 属性的内容，可指定 `css` 选项的值为 `false`：
287 | 
288 | ```javascript
289 | myxss = new xss.FilterXSS({
290 |   css: false,
291 | });
292 | ```
293 | 
294 | 要获取更多的帮助信息可看这里：https://github.com/leizongmin/js-css-filter
295 | 
296 | ### 快捷配置
297 | 
298 | #### 去掉不在白名单上的标签
299 | 
300 | 通过 `stripIgnoreTag` 来设置：
301 | 
302 | - `true`：去掉不在白名单上的标签
303 | - `false`：（默认），使用配置的`escape`函数对该标签进行转义
304 | 
305 | 示例：
306 | 
307 | 当设置 `stripIgnoreTag = true`时，以下代码
308 | 
309 | ```html
310 | code:
311 | <script>
312 |   alert(/xss/);
313 | </script>
314 | ```
315 | 
316 | 过滤后将输出
317 | 
318 | ```html
319 | code:alert(/xss/);
320 | ```
321 | 
322 | #### 去掉不在白名单上的标签及标签体
323 | 
324 | 通过 `stripIgnoreTagBody` 来设置：
325 | 
326 | - `false|null|undefined`：（默认），不特殊处理
327 | - `'*'|true`：去掉所有不在白名单上的标签
328 | - `['tag1', 'tag2']`：仅去掉指定的不在白名单上的标签
329 | 
330 | 示例：
331 | 
332 | 当设置 `stripIgnoreTagBody = ['script']`时，以下代码
333 | 
334 | ```html
335 | code:
336 | <script>
337 |   alert(/xss/);
338 | </script>
339 | ```
340 | 
341 | 过滤后将输出
342 | 
343 | ```html
344 | code:
345 | ```
346 | 
347 | #### 去掉 HTML 备注
348 | 
349 | 通过 `allowCommentTag` 来设置：
350 | 
351 | - `true`：不处理
352 | - `false`：（默认），自动去掉 HTML 中的备注
353 | 
354 | 示例：
355 | 
356 | 当设置 `allowCommentTag = false` 时，以下代码
357 | 
358 | ```html
359 | code:<!-- something -->
360 | END
361 | ```
362 | 
363 | 过滤后将输出
364 | 
365 | ```html
366 | code: END
367 | ```
368 | 
369 | ## 应用实例
370 | 
371 | ### 允许标签以 data-开头的属性
372 | 
373 | ```javascript
374 | var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>';
375 | var html = xss(source, {
376 |   onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
377 |     if (name.substr(0, 5) === "data-") {
378 |       // 通过内置的escapeAttrValue函数来对属性值进行转义
379 |       return name + '="' + xss.escapeAttrValue(value) + '"';
380 |     }
381 |   },
382 | });
383 | 
384 | console.log("%s\nconvert to:\n%s", source, html);
385 | ```
386 | 
387 | 运行结果：
388 | 
389 | ```html
390 | <div a="1" b="2" data-a="3" data-b="4">hello</div>
391 | convert to:
392 | <div data-a="3" data-b="4">hello</div>
393 | ```
394 | 
395 | ### 允许名称以 x-开头的标签
396 | 
397 | ```javascript
398 | var source = "<x><x-1>he<x-2 checked></x-2>wwww</x-1><a>";
399 | var html = xss(source, {
400 |   onIgnoreTag: function (tag, html, options) {
401 |     if (tag.substr(0, 2) === "x-") {
402 |       // 不对其属性列表进行过滤
403 |       return html;
404 |     }
405 |   },
406 | });
407 | 
408 | console.log("%s\nconvert to:\n%s", source, html);
409 | ```
410 | 
411 | 运行结果：
412 | 
413 | ```html
414 | <x
415 |   ><x-1>he<x-2 checked></x-2>wwww</x-1
416 |   ><a>
417 |     convert to: &lt;x&gt;<x-1>he<x-2 checked></x-2>wwww</x-1><a></a></a
418 | ></x>
419 | ```
420 | 
421 | ### 分析 HTML 代码中的图片列表
422 | 
423 | ```javascript
424 | var source =
425 |   '<img src="img1">a<img src="img2">b<img src="img3">c<img src="img4">d';
426 | var list = [];
427 | var html = xss(source, {
428 |   onTagAttr: function (tag, name, value, isWhiteAttr) {
429 |     if (tag === "img" && name === "src") {
430 |       // 使用内置的friendlyAttrValue函数来对属性值进行转义，可将&lt;这类的实体标记转换成打印字符<
431 |       list.push(xss.friendlyAttrValue(value));
432 |     }
433 |     // 不返回任何值，表示还是按照默认的方法处理
434 |   },
435 | });
436 | 
437 | console.log("image list:\n%s", list.join(", "));
438 | ```
439 | 
440 | 运行结果：
441 | 
442 | ```html
443 | image list: img1, img2, img3, img4
444 | ```
445 | 
446 | ### 去除 HTML 标签（只保留文本内容）
447 | 
448 | ```javascript
449 | var source = "<strong>hello</strong><script>alert(/xss/);</script>end";
450 | var html = xss(source, {
451 |   whiteList: {}, // 白名单为空，表示过滤所有标签
452 |   stripIgnoreTag: true, // 过滤所有非白名单标签的HTML
453 |   stripIgnoreTagBody: ["script"], // script标签较特殊，需要过滤标签中间的内容
454 | });
455 | 
456 | console.log("text: %s", html);
457 | ```
458 | 
459 | 运行结果：
460 | 
461 | ```html
462 | text: helloend
463 | ```
464 | 
465 | ## 授权协议
466 | 
467 | ```text
468 | Copyright (c) 2012-2018 Zongmin Lei(雷宗民) <leizongmin@gmail.com>
469 | http://ucdok.com
470 | 
471 | The MIT License
472 | 
473 | Permission is hereby granted, free of charge, to any person obtaining
474 | a copy of this software and associated documentation files (the
475 | "Software"), to deal in the Software without restriction, including
476 | without limitation the rights to use, copy, modify, merge, publish,
477 | distribute, sublicense, and/or sell copies of the Software, and to
478 | permit persons to whom the Software is furnished to do so, subject to
479 | the following conditions:
480 | 
481 | The above copyright notice and this permission notice shall be
482 | included in all copies or substantial portions of the Software.
483 | 
484 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
485 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
486 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
487 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
488 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
489 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
490 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
491 | ```
492 | 


--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
 1 | # Security Policy
 2 | 
 3 | ## Supported Versions
 4 | 
 5 | | Version | Supported          |
 6 | | ------- | ------------------ |
 7 | | 1.0.x   | :white_check_mark: |
 8 | | < 1.0.0   | :x:                |
 9 | 
10 | ## Reporting a Vulnerability
11 | 
12 | Feel free to send me an E-mail: leizongmin+xss@gmail.com
13 | 


--------------------------------------------------------------------------------
/benchmark/index.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * 性能测试
 3 |  */
 4 | 
 5 | var xss = require('../');
 6 | var fs = require('fs');
 7 | 
 8 | 
 9 | // 读取样例
10 | var html = fs.readFileSync(__dirname + '/file.html', 'utf8');
11 | var COUNT = 200;
12 | var ret = '';
13 | 
14 | 
15 | var timeStart = Date.now();
16 | for (var i = 0; i < COUNT; i++) {
17 |   ret = xss(html);
18 | }
19 | var timeEnd = Date.now();
20 | var spent = timeEnd - timeStart;
21 | var speed = (((html.length * i) / spent * 1000) / 1024 / 1024).toFixed(2);
22 | console.log('xss(): spent ' + spent + 'ms, ' + speed + 'MB/s');
23 | 
24 | 
25 | var x = new xss.FilterXSS();
26 | var timeStart = Date.now();
27 | for (var i = 0; i < COUNT; i++) {
28 |   ret = x.process(html);
29 | }
30 | var timeEnd = Date.now();
31 | var spent = timeEnd - timeStart;
32 | var speed = (((html.length * i) / spent * 1000) / 1024 / 1024).toFixed(2);
33 | console.log('xss.process(): spent ' + spent + 'ms, ' + speed + 'MB/s');
34 | 
35 | 
36 | var x = new xss.FilterXSS();
37 | var process = x.process.bind(x);
38 | var timeStart = Date.now();
39 | for (var i = 0; i < COUNT; i++) {
40 |   ret = process(html);
41 | }
42 | var timeEnd = Date.now();
43 | var spent = timeEnd - timeStart;
44 | var speed = (((html.length * i) / spent * 1000) / 1024 / 1024).toFixed(2);
45 | console.log('xss.process() #2: spent ' + spent + 'ms, ' + speed + 'MB/s');
46 | 
47 | 
48 | // 保存结果
49 | //console.log(ret);
50 | fs.writeFileSync(__dirname + '/result.html', ret);
51 | 


--------------------------------------------------------------------------------
/benchmark/vs_validator.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * 性能测试 validator模块
 3 |  */
 4 | 
 5 | var sanitize = require('validator').sanitize;
 6 | var fs = require('fs');
 7 | 
 8 | 
 9 | var html = fs.readFileSync(__dirname + '/file.html', 'utf8');
10 | 
11 | 
12 | var timeStart = Date.now();
13 | for (var i = 0; i < 200; i++) {
14 |   var ret = sanitize(html).xss();
15 | }
16 | var timeEnd = Date.now();
17 | 
18 | 
19 | //console.log(ret);
20 | fs.writeFileSync(__dirname + '/result_validator.html', ret);
21 | 
22 | var spent = timeEnd - timeStart;
23 | var speed = (((html.length * i) / spent * 1000) / 1024 / 1024).toFixed(2);
24 | console.log('spent ' + spent + 'ms, ' + speed + 'MB/s');


--------------------------------------------------------------------------------
/bin/bower_register.cmd:
--------------------------------------------------------------------------------
1 | bower register xss git@github.com:leizongmin/js-xss.git
2 | 


--------------------------------------------------------------------------------
/bin/build:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | dist_dir="dist";
 4 | entrance_file=lib/index.js
 5 | output_file=$dist_dir/xss.js
 6 | output_mini_file=$dist_dir/xss.min.js
 7 | 
 8 | mkdir $dist_dir
 9 | 
10 | echo "browserify..."
11 | node ./node_modules/browserify/bin/cmd.js $entrance_file > $output_file
12 | echo "output $output_file"
13 | 
14 | echo "minify..."
15 | node ./node_modules/uglify-js/bin/uglifyjs $output_file -o $output_mini_file
16 | echo "output $output_mini_file"
17 | 
18 | echo "done."
19 | 


--------------------------------------------------------------------------------
/bin/xss:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env node
 2 | 
 3 | /**
 4 |  * 命令行工具
 5 |  *
 6 |  * @author Zongmin Lei<leizongmin@gmail.com>
 7 |  */
 8 | 
 9 | var fs = require('fs');
10 | var path = require('path');
11 | var program = require('commander');
12 | var xss = require('../');
13 | var packageInfo = require('../package.json');
14 | 
15 | program
16 |   .version(packageInfo.version)
17 |   .option('-t, --test', 'active test')
18 |   .option('-i, --input <input_file>', 'input file name')
19 |   .option('-o, --output <output_file>', 'output filename')
20 |   .option('-c, --config <config_file>', 'load custom config')
21 |   .option('-s, --strip-ignore-tag', 'set stripIgnoreTag=true')
22 |   .option('-b, --strip-ignore-tag-body', 'set stripIgnoreTagBody=true');
23 | 
24 | program.on('--help', function () {
25 |   console.log('  Examples:');
26 |   console.log('');
27 |   console.log('    $ xss -t');
28 |   console.log('    $ xss -i origin.html');
29 |   console.log('    $ xss -i origin.html -o targer.html');
30 |   console.log('    $ xss -i origin.html -c config.js');
31 |   console.log('    $ xss -i origin.html -s');
32 |   console.log('    $ xss -i origin.html -s -b');
33 |   console.log('');
34 |   console.log('  For more details, please see: https://npmjs.org/package/xss')
35 | });
36 | 
37 | program.parse(process.argv);
38 | 
39 | if (program.test) {
40 |   require('../lib/cli');
41 |   return;
42 | }
43 | 
44 | var config = {};
45 | if (program.config) {
46 |   config = require(path.resolve(program.config));
47 | }
48 | if (program.input) {
49 |   var input = fs.readFileSync(program.input, 'utf8');
50 | } else {
51 |   program.help();
52 | }
53 | 
54 | if (program['strip-ignore-tag']) {
55 |   config.stripIgnoreTag = true;
56 | }
57 | if (program['strip-ignore-tag-body']) {
58 |   config.stripIgnoreTagBody = true;
59 | }
60 | 
61 | var output = xss(input, config);
62 | 
63 | if (program.output) {
64 |   fs.writeFileSync(program.output, output);
65 | } else {
66 |   console.log(output);
67 | }
68 | 


--------------------------------------------------------------------------------
/bower.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "xss",
 3 |   "version": "1.0.8",
 4 |   "homepage": "https://github.com/leizongmin/js-xss",
 5 |   "authors": [
 6 |     "Zongmin Lei <leizongmin@gmail.com>"
 7 |   ],
 8 |   "description": "Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist",
 9 |   "main": "dist/xss.js",
10 |   "moduleType": [
11 |     "globals",
12 |     "node",
13 |     "amd"
14 |   ],
15 |   "keywords": [
16 |     "sanitization",
17 |     "xss",
18 |     "sanitize",
19 |     "sanitisation",
20 |     "input",
21 |     "security",
22 |     "escape",
23 |     "encode",
24 |     "filter",
25 |     "validator",
26 |     "html",
27 |     "injection",
28 |     "whitelist"
29 |   ],
30 |   "license": "MIT",
31 |   "ignore": [
32 |     "**/.*",
33 |     "node_modules",
34 |     "bower_components",
35 |     "test",
36 |     "tests",
37 |     "benchmark",
38 |     "bin",
39 |     "example",
40 |     "build.cmd",
41 |     "bower_register.cmd",
42 |     "coverage.html"
43 |   ]
44 | }
45 | 


--------------------------------------------------------------------------------
/dist/test.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html>
 3 | <head>
 4 |   <title>测试</title>
 5 |   <meta charset="utf8">
 6 | </head>
 7 | <body>
 8 |   <pre id="result"></pre>
 9 | </body>
10 | </html>
11 | <script src="xss.js"></script>
12 | <script>
13 | var code = '<script>alert("xss");</' + 'script>';
14 | document.querySelector('#result').innerText = code + '\n被转换成了\n' + filterXSS(code);
15 | </script>


--------------------------------------------------------------------------------
/dist/xss.js:
--------------------------------------------------------------------------------
   1 | (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c="function"==typeof require&&require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u="function"==typeof require&&require,i=0;i<t.length;i++)o(t[i]);return o}return r})()({1:[function(require,module,exports){
   2 | /**
   3 |  * default settings
   4 |  *
   5 |  * @author Zongmin Lei<leizongmin@gmail.com>
   6 |  */
   7 | 
   8 | var FilterCSS = require("cssfilter").FilterCSS;
   9 | var getDefaultCSSWhiteList = require("cssfilter").getDefaultWhiteList;
  10 | var _ = require("./util");
  11 | 
  12 | function getDefaultWhiteList() {
  13 |   return {
  14 |     a: ["target", "href", "title"],
  15 |     abbr: ["title"],
  16 |     address: [],
  17 |     area: ["shape", "coords", "href", "alt"],
  18 |     article: [],
  19 |     aside: [],
  20 |     audio: [
  21 |       "autoplay",
  22 |       "controls",
  23 |       "crossorigin",
  24 |       "loop",
  25 |       "muted",
  26 |       "preload",
  27 |       "src",
  28 |     ],
  29 |     b: [],
  30 |     bdi: ["dir"],
  31 |     bdo: ["dir"],
  32 |     big: [],
  33 |     blockquote: ["cite"],
  34 |     br: [],
  35 |     caption: [],
  36 |     center: [],
  37 |     cite: [],
  38 |     code: [],
  39 |     col: ["align", "valign", "span", "width"],
  40 |     colgroup: ["align", "valign", "span", "width"],
  41 |     dd: [],
  42 |     del: ["datetime"],
  43 |     details: ["open"],
  44 |     div: [],
  45 |     dl: [],
  46 |     dt: [],
  47 |     em: [],
  48 |     figcaption: [],
  49 |     figure: [],
  50 |     font: ["color", "size", "face"],
  51 |     footer: [],
  52 |     h1: [],
  53 |     h2: [],
  54 |     h3: [],
  55 |     h4: [],
  56 |     h5: [],
  57 |     h6: [],
  58 |     header: [],
  59 |     hr: [],
  60 |     i: [],
  61 |     img: ["src", "alt", "title", "width", "height", "loading"],
  62 |     ins: ["datetime"],
  63 |     kbd: [],
  64 |     li: [],
  65 |     mark: [],
  66 |     nav: [],
  67 |     ol: [],
  68 |     p: [],
  69 |     pre: [],
  70 |     s: [],
  71 |     section: [],
  72 |     small: [],
  73 |     span: [],
  74 |     sub: [],
  75 |     summary: [],
  76 |     sup: [],
  77 |     strong: [],
  78 |     strike: [],
  79 |     table: ["width", "border", "align", "valign"],
  80 |     tbody: ["align", "valign"],
  81 |     td: ["width", "rowspan", "colspan", "align", "valign"],
  82 |     tfoot: ["align", "valign"],
  83 |     th: ["width", "rowspan", "colspan", "align", "valign"],
  84 |     thead: ["align", "valign"],
  85 |     tr: ["rowspan", "align", "valign"],
  86 |     tt: [],
  87 |     u: [],
  88 |     ul: [],
  89 |     video: [
  90 |       "autoplay",
  91 |       "controls",
  92 |       "crossorigin",
  93 |       "loop",
  94 |       "muted",
  95 |       "playsinline",
  96 |       "poster",
  97 |       "preload",
  98 |       "src",
  99 |       "height",
 100 |       "width",
 101 |     ],
 102 |   };
 103 | }
 104 | 
 105 | var defaultCSSFilter = new FilterCSS();
 106 | 
 107 | /**
 108 |  * default onTag function
 109 |  *
 110 |  * @param {String} tag
 111 |  * @param {String} html
 112 |  * @param {Object} options
 113 |  * @return {String}
 114 |  */
 115 | function onTag(tag, html, options) {
 116 |   // do nothing
 117 | }
 118 | 
 119 | /**
 120 |  * default onIgnoreTag function
 121 |  *
 122 |  * @param {String} tag
 123 |  * @param {String} html
 124 |  * @param {Object} options
 125 |  * @return {String}
 126 |  */
 127 | function onIgnoreTag(tag, html, options) {
 128 |   // do nothing
 129 | }
 130 | 
 131 | /**
 132 |  * default onTagAttr function
 133 |  *
 134 |  * @param {String} tag
 135 |  * @param {String} name
 136 |  * @param {String} value
 137 |  * @return {String}
 138 |  */
 139 | function onTagAttr(tag, name, value) {
 140 |   // do nothing
 141 | }
 142 | 
 143 | /**
 144 |  * default onIgnoreTagAttr function
 145 |  *
 146 |  * @param {String} tag
 147 |  * @param {String} name
 148 |  * @param {String} value
 149 |  * @return {String}
 150 |  */
 151 | function onIgnoreTagAttr(tag, name, value) {
 152 |   // do nothing
 153 | }
 154 | 
 155 | /**
 156 |  * default escapeHtml function
 157 |  *
 158 |  * @param {String} html
 159 |  */
 160 | function escapeHtml(html) {
 161 |   return html.replace(REGEXP_LT, "&lt;").replace(REGEXP_GT, "&gt;");
 162 | }
 163 | 
 164 | /**
 165 |  * default safeAttrValue function
 166 |  *
 167 |  * @param {String} tag
 168 |  * @param {String} name
 169 |  * @param {String} value
 170 |  * @param {Object} cssFilter
 171 |  * @return {String}
 172 |  */
 173 | function safeAttrValue(tag, name, value, cssFilter) {
 174 |   // unescape attribute value firstly
 175 |   value = friendlyAttrValue(value);
 176 | 
 177 |   if (name === "href" || name === "src") {
 178 |     // filter `href` and `src` attribute
 179 |     // only allow the value that starts with `http://` | `https://` | `mailto:` | `/` | `#`
 180 |     value = _.trim(value);
 181 |     if (value === "#") return "#";
 182 |     if (
 183 |       !(
 184 |         value.substr(0, 7) === "http://" ||
 185 |         value.substr(0, 8) === "https://" ||
 186 |         value.substr(0, 7) === "mailto:" ||
 187 |         value.substr(0, 4) === "tel:" ||
 188 |         value.substr(0, 11) === "data:image/" ||
 189 |         value.substr(0, 6) === "ftp://" ||
 190 |         value.substr(0, 2) === "./" ||
 191 |         value.substr(0, 3) === "../" ||
 192 |         value[0] === "#" ||
 193 |         value[0] === "/"
 194 |       )
 195 |     ) {
 196 |       return "";
 197 |     }
 198 |   } else if (name === "background") {
 199 |     // filter `background` attribute (maybe no use)
 200 |     // `javascript:`
 201 |     REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
 202 |     if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
 203 |       return "";
 204 |     }
 205 |   } else if (name === "style") {
 206 |     // `expression()`
 207 |     REGEXP_DEFAULT_ON_TAG_ATTR_7.lastIndex = 0;
 208 |     if (REGEXP_DEFAULT_ON_TAG_ATTR_7.test(value)) {
 209 |       return "";
 210 |     }
 211 |     // `url()`
 212 |     REGEXP_DEFAULT_ON_TAG_ATTR_8.lastIndex = 0;
 213 |     if (REGEXP_DEFAULT_ON_TAG_ATTR_8.test(value)) {
 214 |       REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
 215 |       if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
 216 |         return "";
 217 |       }
 218 |     }
 219 |     if (cssFilter !== false) {
 220 |       cssFilter = cssFilter || defaultCSSFilter;
 221 |       value = cssFilter.process(value);
 222 |     }
 223 |   }
 224 | 
 225 |   // escape `<>"` before returns
 226 |   value = escapeAttrValue(value);
 227 |   return value;
 228 | }
 229 | 
 230 | // RegExp list
 231 | var REGEXP_LT = /</g;
 232 | var REGEXP_GT = />/g;
 233 | var REGEXP_QUOTE = /"/g;
 234 | var REGEXP_QUOTE_2 = /&quot;/g;
 235 | var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim;
 236 | var REGEXP_ATTR_VALUE_COLON = /&colon;?/gim;
 237 | var REGEXP_ATTR_VALUE_NEWLINE = /&newline;?/gim;
 238 | // var REGEXP_DEFAULT_ON_TAG_ATTR_3 = /\/\*|\*\//gm;
 239 | var REGEXP_DEFAULT_ON_TAG_ATTR_4 =
 240 |   /((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/gi;
 241 | // var REGEXP_DEFAULT_ON_TAG_ATTR_5 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:/gi;
 242 | // var REGEXP_DEFAULT_ON_TAG_ATTR_6 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:\s*image\//gi;
 243 | var REGEXP_DEFAULT_ON_TAG_ATTR_7 =
 244 |   /e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*\(.*/gi;
 245 | var REGEXP_DEFAULT_ON_TAG_ATTR_8 = /u\s*r\s*l\s*\(.*/gi;
 246 | 
 247 | /**
 248 |  * escape double quote
 249 |  *
 250 |  * @param {String} str
 251 |  * @return {String} str
 252 |  */
 253 | function escapeQuote(str) {
 254 |   return str.replace(REGEXP_QUOTE, "&quot;");
 255 | }
 256 | 
 257 | /**
 258 |  * unescape double quote
 259 |  *
 260 |  * @param {String} str
 261 |  * @return {String} str
 262 |  */
 263 | function unescapeQuote(str) {
 264 |   return str.replace(REGEXP_QUOTE_2, '"');
 265 | }
 266 | 
 267 | /**
 268 |  * escape html entities
 269 |  *
 270 |  * @param {String} str
 271 |  * @return {String}
 272 |  */
 273 | function escapeHtmlEntities(str) {
 274 |   return str.replace(REGEXP_ATTR_VALUE_1, function replaceUnicode(str, code) {
 275 |     return code[0] === "x" || code[0] === "X"
 276 |       ? String.fromCharCode(parseInt(code.substr(1), 16))
 277 |       : String.fromCharCode(parseInt(code, 10));
 278 |   });
 279 | }
 280 | 
 281 | /**
 282 |  * escape html5 new danger entities
 283 |  *
 284 |  * @param {String} str
 285 |  * @return {String}
 286 |  */
 287 | function escapeDangerHtml5Entities(str) {
 288 |   return str
 289 |     .replace(REGEXP_ATTR_VALUE_COLON, ":")
 290 |     .replace(REGEXP_ATTR_VALUE_NEWLINE, " ");
 291 | }
 292 | 
 293 | /**
 294 |  * clear nonprintable characters
 295 |  *
 296 |  * @param {String} str
 297 |  * @return {String}
 298 |  */
 299 | function clearNonPrintableCharacter(str) {
 300 |   var str2 = "";
 301 |   for (var i = 0, len = str.length; i < len; i++) {
 302 |     str2 += str.charCodeAt(i) < 32 ? " " : str.charAt(i);
 303 |   }
 304 |   return _.trim(str2);
 305 | }
 306 | 
 307 | /**
 308 |  * get friendly attribute value
 309 |  *
 310 |  * @param {String} str
 311 |  * @return {String}
 312 |  */
 313 | function friendlyAttrValue(str) {
 314 |   str = unescapeQuote(str);
 315 |   str = escapeHtmlEntities(str);
 316 |   str = escapeDangerHtml5Entities(str);
 317 |   str = clearNonPrintableCharacter(str);
 318 |   return str;
 319 | }
 320 | 
 321 | /**
 322 |  * unescape attribute value
 323 |  *
 324 |  * @param {String} str
 325 |  * @return {String}
 326 |  */
 327 | function escapeAttrValue(str) {
 328 |   str = escapeQuote(str);
 329 |   str = escapeHtml(str);
 330 |   return str;
 331 | }
 332 | 
 333 | /**
 334 |  * `onIgnoreTag` function for removing all the tags that are not in whitelist
 335 |  */
 336 | function onIgnoreTagStripAll() {
 337 |   return "";
 338 | }
 339 | 
 340 | /**
 341 |  * remove tag body
 342 |  * specify a `tags` list, if the tag is not in the `tags` list then process by the specify function (optional)
 343 |  *
 344 |  * @param {array} tags
 345 |  * @param {function} next
 346 |  */
 347 | function StripTagBody(tags, next) {
 348 |   if (typeof next !== "function") {
 349 |     next = function () {};
 350 |   }
 351 | 
 352 |   var isRemoveAllTag = !Array.isArray(tags);
 353 |   function isRemoveTag(tag) {
 354 |     if (isRemoveAllTag) return true;
 355 |     return _.indexOf(tags, tag) !== -1;
 356 |   }
 357 | 
 358 |   var removeList = [];
 359 |   var posStart = false;
 360 | 
 361 |   return {
 362 |     onIgnoreTag: function (tag, html, options) {
 363 |       if (isRemoveTag(tag)) {
 364 |         if (options.isClosing) {
 365 |           var ret = "[/removed]";
 366 |           var end = options.position + ret.length;
 367 |           removeList.push([
 368 |             posStart !== false ? posStart : options.position,
 369 |             end,
 370 |           ]);
 371 |           posStart = false;
 372 |           return ret;
 373 |         } else {
 374 |           if (!posStart) {
 375 |             posStart = options.position;
 376 |           }
 377 |           return "[removed]";
 378 |         }
 379 |       } else {
 380 |         return next(tag, html, options);
 381 |       }
 382 |     },
 383 |     remove: function (html) {
 384 |       var rethtml = "";
 385 |       var lastPos = 0;
 386 |       _.forEach(removeList, function (pos) {
 387 |         rethtml += html.slice(lastPos, pos[0]);
 388 |         lastPos = pos[1];
 389 |       });
 390 |       rethtml += html.slice(lastPos);
 391 |       return rethtml;
 392 |     },
 393 |   };
 394 | }
 395 | 
 396 | /**
 397 |  * remove html comments
 398 |  *
 399 |  * @param {String} html
 400 |  * @return {String}
 401 |  */
 402 | function stripCommentTag(html) {
 403 |   var retHtml = "";
 404 |   var lastPos = 0;
 405 |   while (lastPos < html.length) {
 406 |     var i = html.indexOf("<!--", lastPos);
 407 |     if (i === -1) {
 408 |       retHtml += html.slice(lastPos);
 409 |       break;
 410 |     }
 411 |     retHtml += html.slice(lastPos, i);
 412 |     var j = html.indexOf("-->", i);
 413 |     if (j === -1) {
 414 |       break;
 415 |     }
 416 |     lastPos = j + 3;
 417 |   }
 418 |   return retHtml;
 419 | }
 420 | 
 421 | /**
 422 |  * remove invisible characters
 423 |  *
 424 |  * @param {String} html
 425 |  * @return {String}
 426 |  */
 427 | function stripBlankChar(html) {
 428 |   var chars = html.split("");
 429 |   chars = chars.filter(function (char) {
 430 |     var c = char.charCodeAt(0);
 431 |     if (c === 127) return false;
 432 |     if (c <= 31) {
 433 |       if (c === 10 || c === 13) return true;
 434 |       return false;
 435 |     }
 436 |     return true;
 437 |   });
 438 |   return chars.join("");
 439 | }
 440 | 
 441 | exports.whiteList = getDefaultWhiteList();
 442 | exports.getDefaultWhiteList = getDefaultWhiteList;
 443 | exports.onTag = onTag;
 444 | exports.onIgnoreTag = onIgnoreTag;
 445 | exports.onTagAttr = onTagAttr;
 446 | exports.onIgnoreTagAttr = onIgnoreTagAttr;
 447 | exports.safeAttrValue = safeAttrValue;
 448 | exports.escapeHtml = escapeHtml;
 449 | exports.escapeQuote = escapeQuote;
 450 | exports.unescapeQuote = unescapeQuote;
 451 | exports.escapeHtmlEntities = escapeHtmlEntities;
 452 | exports.escapeDangerHtml5Entities = escapeDangerHtml5Entities;
 453 | exports.clearNonPrintableCharacter = clearNonPrintableCharacter;
 454 | exports.friendlyAttrValue = friendlyAttrValue;
 455 | exports.escapeAttrValue = escapeAttrValue;
 456 | exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
 457 | exports.StripTagBody = StripTagBody;
 458 | exports.stripCommentTag = stripCommentTag;
 459 | exports.stripBlankChar = stripBlankChar;
 460 | exports.attributeWrapSign = '"';
 461 | exports.cssFilter = defaultCSSFilter;
 462 | exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;
 463 | 
 464 | },{"./util":4,"cssfilter":8}],2:[function(require,module,exports){
 465 | /**
 466 |  * xss
 467 |  *
 468 |  * @author Zongmin Lei<leizongmin@gmail.com>
 469 |  */
 470 | 
 471 | var DEFAULT = require("./default");
 472 | var parser = require("./parser");
 473 | var FilterXSS = require("./xss");
 474 | 
 475 | /**
 476 |  * filter xss function
 477 |  *
 478 |  * @param {String} html
 479 |  * @param {Object} options { whiteList, onTag, onTagAttr, onIgnoreTag, onIgnoreTagAttr, safeAttrValue, escapeHtml }
 480 |  * @return {String}
 481 |  */
 482 | function filterXSS(html, options) {
 483 |   var xss = new FilterXSS(options);
 484 |   return xss.process(html);
 485 | }
 486 | 
 487 | exports = module.exports = filterXSS;
 488 | exports.filterXSS = filterXSS;
 489 | exports.FilterXSS = FilterXSS;
 490 | 
 491 | (function () {
 492 |   for (var i in DEFAULT) {
 493 |     exports[i] = DEFAULT[i];
 494 |   }
 495 |   for (var j in parser) {
 496 |     exports[j] = parser[j];
 497 |   }
 498 | })();
 499 | 
 500 | // using `xss` on the browser, output `filterXSS` to the globals
 501 | if (typeof window !== "undefined") {
 502 |   window.filterXSS = module.exports;
 503 | }
 504 | 
 505 | // using `xss` on the WebWorker, output `filterXSS` to the globals
 506 | function isWorkerEnv() {
 507 |   return (
 508 |     typeof self !== "undefined" &&
 509 |     typeof DedicatedWorkerGlobalScope !== "undefined" &&
 510 |     self instanceof DedicatedWorkerGlobalScope
 511 |   );
 512 | }
 513 | if (isWorkerEnv()) {
 514 |   self.filterXSS = module.exports;
 515 | }
 516 | 
 517 | },{"./default":1,"./parser":3,"./xss":5}],3:[function(require,module,exports){
 518 | /**
 519 |  * Simple HTML Parser
 520 |  *
 521 |  * @author Zongmin Lei<leizongmin@gmail.com>
 522 |  */
 523 | 
 524 | var _ = require("./util");
 525 | 
 526 | /**
 527 |  * get tag name
 528 |  *
 529 |  * @param {String} html e.g. '<a hef="#">'
 530 |  * @return {String}
 531 |  */
 532 | function getTagName(html) {
 533 |   var i = _.spaceIndex(html);
 534 |   var tagName;
 535 |   if (i === -1) {
 536 |     tagName = html.slice(1, -1);
 537 |   } else {
 538 |     tagName = html.slice(1, i + 1);
 539 |   }
 540 |   tagName = _.trim(tagName).toLowerCase();
 541 |   if (tagName.slice(0, 1) === "/") tagName = tagName.slice(1);
 542 |   if (tagName.slice(-1) === "/") tagName = tagName.slice(0, -1);
 543 |   return tagName;
 544 | }
 545 | 
 546 | /**
 547 |  * is close tag?
 548 |  *
 549 |  * @param {String} html 如：'<a hef="#">'
 550 |  * @return {Boolean}
 551 |  */
 552 | function isClosing(html) {
 553 |   return html.slice(0, 2) === "</";
 554 | }
 555 | 
 556 | /**
 557 |  * parse input html and returns processed html
 558 |  *
 559 |  * @param {String} html
 560 |  * @param {Function} onTag e.g. function (sourcePosition, position, tag, html, isClosing)
 561 |  * @param {Function} escapeHtml
 562 |  * @return {String}
 563 |  */
 564 | function parseTag(html, onTag, escapeHtml) {
 565 |   "use strict";
 566 | 
 567 |   var rethtml = "";
 568 |   var lastPos = 0;
 569 |   var tagStart = false;
 570 |   var quoteStart = false;
 571 |   var currentPos = 0;
 572 |   var len = html.length;
 573 |   var currentTagName = "";
 574 |   var currentHtml = "";
 575 | 
 576 |   chariterator: for (currentPos = 0; currentPos < len; currentPos++) {
 577 |     var c = html.charAt(currentPos);
 578 |     if (tagStart === false) {
 579 |       if (c === "<") {
 580 |         tagStart = currentPos;
 581 |         continue;
 582 |       }
 583 |     } else {
 584 |       if (quoteStart === false) {
 585 |         if (c === "<") {
 586 |           rethtml += escapeHtml(html.slice(lastPos, currentPos));
 587 |           tagStart = currentPos;
 588 |           lastPos = currentPos;
 589 |           continue;
 590 |         }
 591 |         if (c === ">" || currentPos === len - 1) {
 592 |           rethtml += escapeHtml(html.slice(lastPos, tagStart));
 593 |           currentHtml = html.slice(tagStart, currentPos + 1);
 594 |           currentTagName = getTagName(currentHtml);
 595 |           rethtml += onTag(
 596 |             tagStart,
 597 |             rethtml.length,
 598 |             currentTagName,
 599 |             currentHtml,
 600 |             isClosing(currentHtml)
 601 |           );
 602 |           lastPos = currentPos + 1;
 603 |           tagStart = false;
 604 |           continue;
 605 |         }
 606 |         if (c === '"' || c === "'") {
 607 |           var i = 1;
 608 |           var ic = html.charAt(currentPos - i);
 609 | 
 610 |           while (ic.trim() === "" || ic === "=") {
 611 |             if (ic === "=") {
 612 |               quoteStart = c;
 613 |               continue chariterator;
 614 |             }
 615 |             ic = html.charAt(currentPos - ++i);
 616 |           }
 617 |         }
 618 |       } else {
 619 |         if (c === quoteStart) {
 620 |           quoteStart = false;
 621 |           continue;
 622 |         }
 623 |       }
 624 |     }
 625 |   }
 626 |   if (lastPos < len) {
 627 |     rethtml += escapeHtml(html.substr(lastPos));
 628 |   }
 629 | 
 630 |   return rethtml;
 631 | }
 632 | 
 633 | var REGEXP_ILLEGAL_ATTR_NAME = /[^a-zA-Z0-9\\_:.-]/gim;
 634 | 
 635 | /**
 636 |  * parse input attributes and returns processed attributes
 637 |  *
 638 |  * @param {String} html e.g. `href="#" target="_blank"`
 639 |  * @param {Function} onAttr e.g. `function (name, value)`
 640 |  * @return {String}
 641 |  */
 642 | function parseAttr(html, onAttr) {
 643 |   "use strict";
 644 | 
 645 |   var lastPos = 0;
 646 |   var lastMarkPos = 0;
 647 |   var retAttrs = [];
 648 |   var tmpName = false;
 649 |   var len = html.length;
 650 | 
 651 |   function addAttr(name, value) {
 652 |     name = _.trim(name);
 653 |     name = name.replace(REGEXP_ILLEGAL_ATTR_NAME, "").toLowerCase();
 654 |     if (name.length < 1) return;
 655 |     var ret = onAttr(name, value || "");
 656 |     if (ret) retAttrs.push(ret);
 657 |   }
 658 | 
 659 |   // 逐个分析字符
 660 |   for (var i = 0; i < len; i++) {
 661 |     var c = html.charAt(i);
 662 |     var v, j;
 663 |     if (tmpName === false && c === "=") {
 664 |       tmpName = html.slice(lastPos, i);
 665 |       lastPos = i + 1;
 666 |       lastMarkPos = html.charAt(lastPos) === '"' || html.charAt(lastPos) === "'" ? lastPos : findNextQuotationMark(html, i + 1);
 667 |       continue;
 668 |     }
 669 |     if (tmpName !== false) {
 670 |       if (
 671 |         i === lastMarkPos
 672 |       ) {
 673 |         j = html.indexOf(c, i + 1);
 674 |         if (j === -1) {
 675 |           break;
 676 |         } else {
 677 |           v = _.trim(html.slice(lastMarkPos + 1, j));
 678 |           addAttr(tmpName, v);
 679 |           tmpName = false;
 680 |           i = j;
 681 |           lastPos = i + 1;
 682 |           continue;
 683 |         }
 684 |       }
 685 |     }
 686 |     if (/\s|\n|\t/.test(c)) {
 687 |       html = html.replace(/\s|\n|\t/g, " ");
 688 |       if (tmpName === false) {
 689 |         j = findNextEqual(html, i);
 690 |         if (j === -1) {
 691 |           v = _.trim(html.slice(lastPos, i));
 692 |           addAttr(v);
 693 |           tmpName = false;
 694 |           lastPos = i + 1;
 695 |           continue;
 696 |         } else {
 697 |           i = j - 1;
 698 |           continue;
 699 |         }
 700 |       } else {
 701 |         j = findBeforeEqual(html, i - 1);
 702 |         if (j === -1) {
 703 |           v = _.trim(html.slice(lastPos, i));
 704 |           v = stripQuoteWrap(v);
 705 |           addAttr(tmpName, v);
 706 |           tmpName = false;
 707 |           lastPos = i + 1;
 708 |           continue;
 709 |         } else {
 710 |           continue;
 711 |         }
 712 |       }
 713 |     }
 714 |   }
 715 | 
 716 |   if (lastPos < html.length) {
 717 |     if (tmpName === false) {
 718 |       addAttr(html.slice(lastPos));
 719 |     } else {
 720 |       addAttr(tmpName, stripQuoteWrap(_.trim(html.slice(lastPos))));
 721 |     }
 722 |   }
 723 | 
 724 |   return _.trim(retAttrs.join(" "));
 725 | }
 726 | 
 727 | function findNextEqual(str, i) {
 728 |   for (; i < str.length; i++) {
 729 |     var c = str[i];
 730 |     if (c === " ") continue;
 731 |     if (c === "=") return i;
 732 |     return -1;
 733 |   }
 734 | }
 735 | 
 736 | function findNextQuotationMark(str, i) {
 737 |   for (; i < str.length; i++) {
 738 |     var c = str[i];
 739 |     if (c === " ") continue;
 740 |     if (c === "'" || c === '"') return i;
 741 |     return -1;
 742 |   }
 743 | }
 744 | 
 745 | function findBeforeEqual(str, i) {
 746 |   for (; i > 0; i--) {
 747 |     var c = str[i];
 748 |     if (c === " ") continue;
 749 |     if (c === "=") return i;
 750 |     return -1;
 751 |   }
 752 | }
 753 | 
 754 | function isQuoteWrapString(text) {
 755 |   if (
 756 |     (text[0] === '"' && text[text.length - 1] === '"') ||
 757 |     (text[0] === "'" && text[text.length - 1] === "'")
 758 |   ) {
 759 |     return true;
 760 |   } else {
 761 |     return false;
 762 |   }
 763 | }
 764 | 
 765 | function stripQuoteWrap(text) {
 766 |   if (isQuoteWrapString(text)) {
 767 |     return text.substr(1, text.length - 2);
 768 |   } else {
 769 |     return text;
 770 |   }
 771 | }
 772 | 
 773 | exports.parseTag = parseTag;
 774 | exports.parseAttr = parseAttr;
 775 | 
 776 | },{"./util":4}],4:[function(require,module,exports){
 777 | module.exports = {
 778 |   indexOf: function (arr, item) {
 779 |     var i, j;
 780 |     if (Array.prototype.indexOf) {
 781 |       return arr.indexOf(item);
 782 |     }
 783 |     for (i = 0, j = arr.length; i < j; i++) {
 784 |       if (arr[i] === item) {
 785 |         return i;
 786 |       }
 787 |     }
 788 |     return -1;
 789 |   },
 790 |   forEach: function (arr, fn, scope) {
 791 |     var i, j;
 792 |     if (Array.prototype.forEach) {
 793 |       return arr.forEach(fn, scope);
 794 |     }
 795 |     for (i = 0, j = arr.length; i < j; i++) {
 796 |       fn.call(scope, arr[i], i, arr);
 797 |     }
 798 |   },
 799 |   trim: function (str) {
 800 |     if (String.prototype.trim) {
 801 |       return str.trim();
 802 |     }
 803 |     return str.replace(/(^\s*)|(\s*$)/g, "");
 804 |   },
 805 |   spaceIndex: function (str) {
 806 |     var reg = /\s|\n|\t/;
 807 |     var match = reg.exec(str);
 808 |     return match ? match.index : -1;
 809 |   },
 810 | };
 811 | 
 812 | },{}],5:[function(require,module,exports){
 813 | /**
 814 |  * filter xss
 815 |  *
 816 |  * @author Zongmin Lei<leizongmin@gmail.com>
 817 |  */
 818 | 
 819 | var FilterCSS = require("cssfilter").FilterCSS;
 820 | var DEFAULT = require("./default");
 821 | var parser = require("./parser");
 822 | var parseTag = parser.parseTag;
 823 | var parseAttr = parser.parseAttr;
 824 | var _ = require("./util");
 825 | 
 826 | /**
 827 |  * returns `true` if the input value is `undefined` or `null`
 828 |  *
 829 |  * @param {Object} obj
 830 |  * @return {Boolean}
 831 |  */
 832 | function isNull(obj) {
 833 |   return obj === undefined || obj === null;
 834 | }
 835 | 
 836 | /**
 837 |  * get attributes for a tag
 838 |  *
 839 |  * @param {String} html
 840 |  * @return {Object}
 841 |  *   - {String} html
 842 |  *   - {Boolean} closing
 843 |  */
 844 | function getAttrs(html) {
 845 |   var i = _.spaceIndex(html);
 846 |   if (i === -1) {
 847 |     return {
 848 |       html: "",
 849 |       closing: html[html.length - 2] === "/",
 850 |     };
 851 |   }
 852 |   html = _.trim(html.slice(i + 1, -1));
 853 |   var isClosing = html[html.length - 1] === "/";
 854 |   if (isClosing) html = _.trim(html.slice(0, -1));
 855 |   return {
 856 |     html: html,
 857 |     closing: isClosing,
 858 |   };
 859 | }
 860 | 
 861 | /**
 862 |  * shallow copy
 863 |  *
 864 |  * @param {Object} obj
 865 |  * @return {Object}
 866 |  */
 867 | function shallowCopyObject(obj) {
 868 |   var ret = {};
 869 |   for (var i in obj) {
 870 |     ret[i] = obj[i];
 871 |   }
 872 |   return ret;
 873 | }
 874 | 
 875 | function keysToLowerCase(obj) {
 876 |   var ret = {};
 877 |   for (var i in obj) {
 878 |     if (Array.isArray(obj[i])) {
 879 |       ret[i.toLowerCase()] = obj[i].map(function (item) {
 880 |         return item.toLowerCase();
 881 |       });
 882 |     } else {
 883 |       ret[i.toLowerCase()] = obj[i];
 884 |     }
 885 |   }
 886 |   return ret;
 887 | }
 888 | 
 889 | /**
 890 |  * FilterXSS class
 891 |  *
 892 |  * @param {Object} options
 893 |  *        whiteList (or allowList), onTag, onTagAttr, onIgnoreTag,
 894 |  *        onIgnoreTagAttr, safeAttrValue, escapeHtml
 895 |  *        stripIgnoreTagBody, allowCommentTag, stripBlankChar
 896 |  *        css{whiteList, onAttr, onIgnoreAttr} `css=false` means don't use `cssfilter`
 897 |  */
 898 | function FilterXSS(options) {
 899 |   options = shallowCopyObject(options || {});
 900 | 
 901 |   if (options.stripIgnoreTag) {
 902 |     if (options.onIgnoreTag) {
 903 |       console.error(
 904 |         'Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time'
 905 |       );
 906 |     }
 907 |     options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll;
 908 |   }
 909 |   if (options.whiteList || options.allowList) {
 910 |     options.whiteList = keysToLowerCase(options.whiteList || options.allowList);
 911 |   } else {
 912 |     options.whiteList = DEFAULT.whiteList;
 913 |   }
 914 | 
 915 |   this.attributeWrapSign = options.singleQuotedAttributeValue === true ? "'" : DEFAULT.attributeWrapSign;
 916 | 
 917 |   options.onTag = options.onTag || DEFAULT.onTag;
 918 |   options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
 919 |   options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
 920 |   options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
 921 |   options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
 922 |   options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
 923 |   this.options = options;
 924 | 
 925 |   if (options.css === false) {
 926 |     this.cssFilter = false;
 927 |   } else {
 928 |     options.css = options.css || {};
 929 |     this.cssFilter = new FilterCSS(options.css);
 930 |   }
 931 | }
 932 | 
 933 | /**
 934 |  * start process and returns result
 935 |  *
 936 |  * @param {String} html
 937 |  * @return {String}
 938 |  */
 939 | FilterXSS.prototype.process = function (html) {
 940 |   // compatible with the input
 941 |   html = html || "";
 942 |   html = html.toString();
 943 |   if (!html) return "";
 944 | 
 945 |   var me = this;
 946 |   var options = me.options;
 947 |   var whiteList = options.whiteList;
 948 |   var onTag = options.onTag;
 949 |   var onIgnoreTag = options.onIgnoreTag;
 950 |   var onTagAttr = options.onTagAttr;
 951 |   var onIgnoreTagAttr = options.onIgnoreTagAttr;
 952 |   var safeAttrValue = options.safeAttrValue;
 953 |   var escapeHtml = options.escapeHtml;
 954 |   var attributeWrapSign = me.attributeWrapSign;
 955 |   var cssFilter = me.cssFilter;
 956 | 
 957 |   // remove invisible characters
 958 |   if (options.stripBlankChar) {
 959 |     html = DEFAULT.stripBlankChar(html);
 960 |   }
 961 | 
 962 |   // remove html comments
 963 |   if (!options.allowCommentTag) {
 964 |     html = DEFAULT.stripCommentTag(html);
 965 |   }
 966 | 
 967 |   // if enable stripIgnoreTagBody
 968 |   var stripIgnoreTagBody = false;
 969 |   if (options.stripIgnoreTagBody) {
 970 |     stripIgnoreTagBody = DEFAULT.StripTagBody(
 971 |       options.stripIgnoreTagBody,
 972 |       onIgnoreTag
 973 |     );
 974 |     onIgnoreTag = stripIgnoreTagBody.onIgnoreTag;
 975 |   }
 976 | 
 977 |   var retHtml = parseTag(
 978 |     html,
 979 |     function (sourcePosition, position, tag, html, isClosing) {
 980 |       var info = {
 981 |         sourcePosition: sourcePosition,
 982 |         position: position,
 983 |         isClosing: isClosing,
 984 |         isWhite: Object.prototype.hasOwnProperty.call(whiteList, tag),
 985 |       };
 986 | 
 987 |       // call `onTag()`
 988 |       var ret = onTag(tag, html, info);
 989 |       if (!isNull(ret)) return ret;
 990 | 
 991 |       if (info.isWhite) {
 992 |         if (info.isClosing) {
 993 |           return "</" + tag + ">";
 994 |         }
 995 | 
 996 |         var attrs = getAttrs(html);
 997 |         var whiteAttrList = whiteList[tag];
 998 |         var attrsHtml = parseAttr(attrs.html, function (name, value) {
 999 |           // call `onTagAttr()`
1000 |           var isWhiteAttr = _.indexOf(whiteAttrList, name) !== -1;
1001 |           var ret = onTagAttr(tag, name, value, isWhiteAttr);
1002 |           if (!isNull(ret)) return ret;
1003 | 
1004 |           if (isWhiteAttr) {
1005 |             // call `safeAttrValue()`
1006 |             value = safeAttrValue(tag, name, value, cssFilter);
1007 |             if (value) {
1008 |               return name + '=' + attributeWrapSign + value + attributeWrapSign;
1009 |             } else {
1010 |               return name;
1011 |             }
1012 |           } else {
1013 |             // call `onIgnoreTagAttr()`
1014 |             ret = onIgnoreTagAttr(tag, name, value, isWhiteAttr);
1015 |             if (!isNull(ret)) return ret;
1016 |             return;
1017 |           }
1018 |         });
1019 | 
1020 |         // build new tag html
1021 |         html = "<" + tag;
1022 |         if (attrsHtml) html += " " + attrsHtml;
1023 |         if (attrs.closing) html += " /";
1024 |         html += ">";
1025 |         return html;
1026 |       } else {
1027 |         // call `onIgnoreTag()`
1028 |         ret = onIgnoreTag(tag, html, info);
1029 |         if (!isNull(ret)) return ret;
1030 |         return escapeHtml(html);
1031 |       }
1032 |     },
1033 |     escapeHtml
1034 |   );
1035 | 
1036 |   // if enable stripIgnoreTagBody
1037 |   if (stripIgnoreTagBody) {
1038 |     retHtml = stripIgnoreTagBody.remove(retHtml);
1039 |   }
1040 | 
1041 |   return retHtml;
1042 | };
1043 | 
1044 | module.exports = FilterXSS;
1045 | 
1046 | },{"./default":1,"./parser":3,"./util":4,"cssfilter":8}],6:[function(require,module,exports){
1047 | /**
1048 |  * cssfilter
1049 |  *
1050 |  * @author 老雷<leizongmin@gmail.com>
1051 |  */
1052 | 
1053 | var DEFAULT = require('./default');
1054 | var parseStyle = require('./parser');
1055 | var _ = require('./util');
1056 | 
1057 | 
1058 | /**
1059 |  * 返回值是否为空
1060 |  *
1061 |  * @param {Object} obj
1062 |  * @return {Boolean}
1063 |  */
1064 | function isNull (obj) {
1065 |   return (obj === undefined || obj === null);
1066 | }
1067 | 
1068 | /**
1069 |  * 浅拷贝对象
1070 |  *
1071 |  * @param {Object} obj
1072 |  * @return {Object}
1073 |  */
1074 | function shallowCopyObject (obj) {
1075 |   var ret = {};
1076 |   for (var i in obj) {
1077 |     ret[i] = obj[i];
1078 |   }
1079 |   return ret;
1080 | }
1081 | 
1082 | /**
1083 |  * 创建CSS过滤器
1084 |  *
1085 |  * @param {Object} options
1086 |  *   - {Object} whiteList
1087 |  *   - {Function} onAttr
1088 |  *   - {Function} onIgnoreAttr
1089 |  *   - {Function} safeAttrValue
1090 |  */
1091 | function FilterCSS (options) {
1092 |   options = shallowCopyObject(options || {});
1093 |   options.whiteList = options.whiteList || DEFAULT.whiteList;
1094 |   options.onAttr = options.onAttr || DEFAULT.onAttr;
1095 |   options.onIgnoreAttr = options.onIgnoreAttr || DEFAULT.onIgnoreAttr;
1096 |   options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
1097 |   this.options = options;
1098 | }
1099 | 
1100 | FilterCSS.prototype.process = function (css) {
1101 |   // 兼容各种奇葩输入
1102 |   css = css || '';
1103 |   css = css.toString();
1104 |   if (!css) return '';
1105 | 
1106 |   var me = this;
1107 |   var options = me.options;
1108 |   var whiteList = options.whiteList;
1109 |   var onAttr = options.onAttr;
1110 |   var onIgnoreAttr = options.onIgnoreAttr;
1111 |   var safeAttrValue = options.safeAttrValue;
1112 | 
1113 |   var retCSS = parseStyle(css, function (sourcePosition, position, name, value, source) {
1114 | 
1115 |     var check = whiteList[name];
1116 |     var isWhite = false;
1117 |     if (check === true) isWhite = check;
1118 |     else if (typeof check === 'function') isWhite = check(value);
1119 |     else if (check instanceof RegExp) isWhite = check.test(value);
1120 |     if (isWhite !== true) isWhite = false;
1121 | 
1122 |     // 如果过滤后 value 为空则直接忽略
1123 |     value = safeAttrValue(name, value);
1124 |     if (!value) return;
1125 | 
1126 |     var opts = {
1127 |       position: position,
1128 |       sourcePosition: sourcePosition,
1129 |       source: source,
1130 |       isWhite: isWhite
1131 |     };
1132 | 
1133 |     if (isWhite) {
1134 | 
1135 |       var ret = onAttr(name, value, opts);
1136 |       if (isNull(ret)) {
1137 |         return name + ':' + value;
1138 |       } else {
1139 |         return ret;
1140 |       }
1141 | 
1142 |     } else {
1143 | 
1144 |       var ret = onIgnoreAttr(name, value, opts);
1145 |       if (!isNull(ret)) {
1146 |         return ret;
1147 |       }
1148 | 
1149 |     }
1150 |   });
1151 | 
1152 |   return retCSS;
1153 | };
1154 | 
1155 | 
1156 | module.exports = FilterCSS;
1157 | 
1158 | },{"./default":7,"./parser":9,"./util":10}],7:[function(require,module,exports){
1159 | /**
1160 |  * cssfilter
1161 |  *
1162 |  * @author 老雷<leizongmin@gmail.com>
1163 |  */
1164 | 
1165 | function getDefaultWhiteList () {
1166 |   // 白名单值说明：
1167 |   // true: 允许该属性
1168 |   // Function: function (val) { } 返回true表示允许该属性，其他值均表示不允许
1169 |   // RegExp: regexp.test(val) 返回true表示允许该属性，其他值均表示不允许
1170 |   // 除上面列出的值外均表示不允许
1171 |   var whiteList = {};
1172 | 
1173 |   whiteList['align-content'] = false; // default: auto
1174 |   whiteList['align-items'] = false; // default: auto
1175 |   whiteList['align-self'] = false; // default: auto
1176 |   whiteList['alignment-adjust'] = false; // default: auto
1177 |   whiteList['alignment-baseline'] = false; // default: baseline
1178 |   whiteList['all'] = false; // default: depending on individual properties
1179 |   whiteList['anchor-point'] = false; // default: none
1180 |   whiteList['animation'] = false; // default: depending on individual properties
1181 |   whiteList['animation-delay'] = false; // default: 0
1182 |   whiteList['animation-direction'] = false; // default: normal
1183 |   whiteList['animation-duration'] = false; // default: 0
1184 |   whiteList['animation-fill-mode'] = false; // default: none
1185 |   whiteList['animation-iteration-count'] = false; // default: 1
1186 |   whiteList['animation-name'] = false; // default: none
1187 |   whiteList['animation-play-state'] = false; // default: running
1188 |   whiteList['animation-timing-function'] = false; // default: ease
1189 |   whiteList['azimuth'] = false; // default: center
1190 |   whiteList['backface-visibility'] = false; // default: visible
1191 |   whiteList['background'] = true; // default: depending on individual properties
1192 |   whiteList['background-attachment'] = true; // default: scroll
1193 |   whiteList['background-clip'] = true; // default: border-box
1194 |   whiteList['background-color'] = true; // default: transparent
1195 |   whiteList['background-image'] = true; // default: none
1196 |   whiteList['background-origin'] = true; // default: padding-box
1197 |   whiteList['background-position'] = true; // default: 0% 0%
1198 |   whiteList['background-repeat'] = true; // default: repeat
1199 |   whiteList['background-size'] = true; // default: auto
1200 |   whiteList['baseline-shift'] = false; // default: baseline
1201 |   whiteList['binding'] = false; // default: none
1202 |   whiteList['bleed'] = false; // default: 6pt
1203 |   whiteList['bookmark-label'] = false; // default: content()
1204 |   whiteList['bookmark-level'] = false; // default: none
1205 |   whiteList['bookmark-state'] = false; // default: open
1206 |   whiteList['border'] = true; // default: depending on individual properties
1207 |   whiteList['border-bottom'] = true; // default: depending on individual properties
1208 |   whiteList['border-bottom-color'] = true; // default: current color
1209 |   whiteList['border-bottom-left-radius'] = true; // default: 0
1210 |   whiteList['border-bottom-right-radius'] = true; // default: 0
1211 |   whiteList['border-bottom-style'] = true; // default: none
1212 |   whiteList['border-bottom-width'] = true; // default: medium
1213 |   whiteList['border-collapse'] = true; // default: separate
1214 |   whiteList['border-color'] = true; // default: depending on individual properties
1215 |   whiteList['border-image'] = true; // default: none
1216 |   whiteList['border-image-outset'] = true; // default: 0
1217 |   whiteList['border-image-repeat'] = true; // default: stretch
1218 |   whiteList['border-image-slice'] = true; // default: 100%
1219 |   whiteList['border-image-source'] = true; // default: none
1220 |   whiteList['border-image-width'] = true; // default: 1
1221 |   whiteList['border-left'] = true; // default: depending on individual properties
1222 |   whiteList['border-left-color'] = true; // default: current color
1223 |   whiteList['border-left-style'] = true; // default: none
1224 |   whiteList['border-left-width'] = true; // default: medium
1225 |   whiteList['border-radius'] = true; // default: 0
1226 |   whiteList['border-right'] = true; // default: depending on individual properties
1227 |   whiteList['border-right-color'] = true; // default: current color
1228 |   whiteList['border-right-style'] = true; // default: none
1229 |   whiteList['border-right-width'] = true; // default: medium
1230 |   whiteList['border-spacing'] = true; // default: 0
1231 |   whiteList['border-style'] = true; // default: depending on individual properties
1232 |   whiteList['border-top'] = true; // default: depending on individual properties
1233 |   whiteList['border-top-color'] = true; // default: current color
1234 |   whiteList['border-top-left-radius'] = true; // default: 0
1235 |   whiteList['border-top-right-radius'] = true; // default: 0
1236 |   whiteList['border-top-style'] = true; // default: none
1237 |   whiteList['border-top-width'] = true; // default: medium
1238 |   whiteList['border-width'] = true; // default: depending on individual properties
1239 |   whiteList['bottom'] = false; // default: auto
1240 |   whiteList['box-decoration-break'] = true; // default: slice
1241 |   whiteList['box-shadow'] = true; // default: none
1242 |   whiteList['box-sizing'] = true; // default: content-box
1243 |   whiteList['box-snap'] = true; // default: none
1244 |   whiteList['box-suppress'] = true; // default: show
1245 |   whiteList['break-after'] = true; // default: auto
1246 |   whiteList['break-before'] = true; // default: auto
1247 |   whiteList['break-inside'] = true; // default: auto
1248 |   whiteList['caption-side'] = false; // default: top
1249 |   whiteList['chains'] = false; // default: none
1250 |   whiteList['clear'] = true; // default: none
1251 |   whiteList['clip'] = false; // default: auto
1252 |   whiteList['clip-path'] = false; // default: none
1253 |   whiteList['clip-rule'] = false; // default: nonzero
1254 |   whiteList['color'] = true; // default: implementation dependent
1255 |   whiteList['color-interpolation-filters'] = true; // default: auto
1256 |   whiteList['column-count'] = false; // default: auto
1257 |   whiteList['column-fill'] = false; // default: balance
1258 |   whiteList['column-gap'] = false; // default: normal
1259 |   whiteList['column-rule'] = false; // default: depending on individual properties
1260 |   whiteList['column-rule-color'] = false; // default: current color
1261 |   whiteList['column-rule-style'] = false; // default: medium
1262 |   whiteList['column-rule-width'] = false; // default: medium
1263 |   whiteList['column-span'] = false; // default: none
1264 |   whiteList['column-width'] = false; // default: auto
1265 |   whiteList['columns'] = false; // default: depending on individual properties
1266 |   whiteList['contain'] = false; // default: none
1267 |   whiteList['content'] = false; // default: normal
1268 |   whiteList['counter-increment'] = false; // default: none
1269 |   whiteList['counter-reset'] = false; // default: none
1270 |   whiteList['counter-set'] = false; // default: none
1271 |   whiteList['crop'] = false; // default: auto
1272 |   whiteList['cue'] = false; // default: depending on individual properties
1273 |   whiteList['cue-after'] = false; // default: none
1274 |   whiteList['cue-before'] = false; // default: none
1275 |   whiteList['cursor'] = false; // default: auto
1276 |   whiteList['direction'] = false; // default: ltr
1277 |   whiteList['display'] = true; // default: depending on individual properties
1278 |   whiteList['display-inside'] = true; // default: auto
1279 |   whiteList['display-list'] = true; // default: none
1280 |   whiteList['display-outside'] = true; // default: inline-level
1281 |   whiteList['dominant-baseline'] = false; // default: auto
1282 |   whiteList['elevation'] = false; // default: level
1283 |   whiteList['empty-cells'] = false; // default: show
1284 |   whiteList['filter'] = false; // default: none
1285 |   whiteList['flex'] = false; // default: depending on individual properties
1286 |   whiteList['flex-basis'] = false; // default: auto
1287 |   whiteList['flex-direction'] = false; // default: row
1288 |   whiteList['flex-flow'] = false; // default: depending on individual properties
1289 |   whiteList['flex-grow'] = false; // default: 0
1290 |   whiteList['flex-shrink'] = false; // default: 1
1291 |   whiteList['flex-wrap'] = false; // default: nowrap
1292 |   whiteList['float'] = false; // default: none
1293 |   whiteList['float-offset'] = false; // default: 0 0
1294 |   whiteList['flood-color'] = false; // default: black
1295 |   whiteList['flood-opacity'] = false; // default: 1
1296 |   whiteList['flow-from'] = false; // default: none
1297 |   whiteList['flow-into'] = false; // default: none
1298 |   whiteList['font'] = true; // default: depending on individual properties
1299 |   whiteList['font-family'] = true; // default: implementation dependent
1300 |   whiteList['font-feature-settings'] = true; // default: normal
1301 |   whiteList['font-kerning'] = true; // default: auto
1302 |   whiteList['font-language-override'] = true; // default: normal
1303 |   whiteList['font-size'] = true; // default: medium
1304 |   whiteList['font-size-adjust'] = true; // default: none
1305 |   whiteList['font-stretch'] = true; // default: normal
1306 |   whiteList['font-style'] = true; // default: normal
1307 |   whiteList['font-synthesis'] = true; // default: weight style
1308 |   whiteList['font-variant'] = true; // default: normal
1309 |   whiteList['font-variant-alternates'] = true; // default: normal
1310 |   whiteList['font-variant-caps'] = true; // default: normal
1311 |   whiteList['font-variant-east-asian'] = true; // default: normal
1312 |   whiteList['font-variant-ligatures'] = true; // default: normal
1313 |   whiteList['font-variant-numeric'] = true; // default: normal
1314 |   whiteList['font-variant-position'] = true; // default: normal
1315 |   whiteList['font-weight'] = true; // default: normal
1316 |   whiteList['grid'] = false; // default: depending on individual properties
1317 |   whiteList['grid-area'] = false; // default: depending on individual properties
1318 |   whiteList['grid-auto-columns'] = false; // default: auto
1319 |   whiteList['grid-auto-flow'] = false; // default: none
1320 |   whiteList['grid-auto-rows'] = false; // default: auto
1321 |   whiteList['grid-column'] = false; // default: depending on individual properties
1322 |   whiteList['grid-column-end'] = false; // default: auto
1323 |   whiteList['grid-column-start'] = false; // default: auto
1324 |   whiteList['grid-row'] = false; // default: depending on individual properties
1325 |   whiteList['grid-row-end'] = false; // default: auto
1326 |   whiteList['grid-row-start'] = false; // default: auto
1327 |   whiteList['grid-template'] = false; // default: depending on individual properties
1328 |   whiteList['grid-template-areas'] = false; // default: none
1329 |   whiteList['grid-template-columns'] = false; // default: none
1330 |   whiteList['grid-template-rows'] = false; // default: none
1331 |   whiteList['hanging-punctuation'] = false; // default: none
1332 |   whiteList['height'] = true; // default: auto
1333 |   whiteList['hyphens'] = false; // default: manual
1334 |   whiteList['icon'] = false; // default: auto
1335 |   whiteList['image-orientation'] = false; // default: auto
1336 |   whiteList['image-resolution'] = false; // default: normal
1337 |   whiteList['ime-mode'] = false; // default: auto
1338 |   whiteList['initial-letters'] = false; // default: normal
1339 |   whiteList['inline-box-align'] = false; // default: last
1340 |   whiteList['justify-content'] = false; // default: auto
1341 |   whiteList['justify-items'] = false; // default: auto
1342 |   whiteList['justify-self'] = false; // default: auto
1343 |   whiteList['left'] = false; // default: auto
1344 |   whiteList['letter-spacing'] = true; // default: normal
1345 |   whiteList['lighting-color'] = true; // default: white
1346 |   whiteList['line-box-contain'] = false; // default: block inline replaced
1347 |   whiteList['line-break'] = false; // default: auto
1348 |   whiteList['line-grid'] = false; // default: match-parent
1349 |   whiteList['line-height'] = false; // default: normal
1350 |   whiteList['line-snap'] = false; // default: none
1351 |   whiteList['line-stacking'] = false; // default: depending on individual properties
1352 |   whiteList['line-stacking-ruby'] = false; // default: exclude-ruby
1353 |   whiteList['line-stacking-shift'] = false; // default: consider-shifts
1354 |   whiteList['line-stacking-strategy'] = false; // default: inline-line-height
1355 |   whiteList['list-style'] = true; // default: depending on individual properties
1356 |   whiteList['list-style-image'] = true; // default: none
1357 |   whiteList['list-style-position'] = true; // default: outside
1358 |   whiteList['list-style-type'] = true; // default: disc
1359 |   whiteList['margin'] = true; // default: depending on individual properties
1360 |   whiteList['margin-bottom'] = true; // default: 0
1361 |   whiteList['margin-left'] = true; // default: 0
1362 |   whiteList['margin-right'] = true; // default: 0
1363 |   whiteList['margin-top'] = true; // default: 0
1364 |   whiteList['marker-offset'] = false; // default: auto
1365 |   whiteList['marker-side'] = false; // default: list-item
1366 |   whiteList['marks'] = false; // default: none
1367 |   whiteList['mask'] = false; // default: border-box
1368 |   whiteList['mask-box'] = false; // default: see individual properties
1369 |   whiteList['mask-box-outset'] = false; // default: 0
1370 |   whiteList['mask-box-repeat'] = false; // default: stretch
1371 |   whiteList['mask-box-slice'] = false; // default: 0 fill
1372 |   whiteList['mask-box-source'] = false; // default: none
1373 |   whiteList['mask-box-width'] = false; // default: auto
1374 |   whiteList['mask-clip'] = false; // default: border-box
1375 |   whiteList['mask-image'] = false; // default: none
1376 |   whiteList['mask-origin'] = false; // default: border-box
1377 |   whiteList['mask-position'] = false; // default: center
1378 |   whiteList['mask-repeat'] = false; // default: no-repeat
1379 |   whiteList['mask-size'] = false; // default: border-box
1380 |   whiteList['mask-source-type'] = false; // default: auto
1381 |   whiteList['mask-type'] = false; // default: luminance
1382 |   whiteList['max-height'] = true; // default: none
1383 |   whiteList['max-lines'] = false; // default: none
1384 |   whiteList['max-width'] = true; // default: none
1385 |   whiteList['min-height'] = true; // default: 0
1386 |   whiteList['min-width'] = true; // default: 0
1387 |   whiteList['move-to'] = false; // default: normal
1388 |   whiteList['nav-down'] = false; // default: auto
1389 |   whiteList['nav-index'] = false; // default: auto
1390 |   whiteList['nav-left'] = false; // default: auto
1391 |   whiteList['nav-right'] = false; // default: auto
1392 |   whiteList['nav-up'] = false; // default: auto
1393 |   whiteList['object-fit'] = false; // default: fill
1394 |   whiteList['object-position'] = false; // default: 50% 50%
1395 |   whiteList['opacity'] = false; // default: 1
1396 |   whiteList['order'] = false; // default: 0
1397 |   whiteList['orphans'] = false; // default: 2
1398 |   whiteList['outline'] = false; // default: depending on individual properties
1399 |   whiteList['outline-color'] = false; // default: invert
1400 |   whiteList['outline-offset'] = false; // default: 0
1401 |   whiteList['outline-style'] = false; // default: none
1402 |   whiteList['outline-width'] = false; // default: medium
1403 |   whiteList['overflow'] = false; // default: depending on individual properties
1404 |   whiteList['overflow-wrap'] = false; // default: normal
1405 |   whiteList['overflow-x'] = false; // default: visible
1406 |   whiteList['overflow-y'] = false; // default: visible
1407 |   whiteList['padding'] = true; // default: depending on individual properties
1408 |   whiteList['padding-bottom'] = true; // default: 0
1409 |   whiteList['padding-left'] = true; // default: 0
1410 |   whiteList['padding-right'] = true; // default: 0
1411 |   whiteList['padding-top'] = true; // default: 0
1412 |   whiteList['page'] = false; // default: auto
1413 |   whiteList['page-break-after'] = false; // default: auto
1414 |   whiteList['page-break-before'] = false; // default: auto
1415 |   whiteList['page-break-inside'] = false; // default: auto
1416 |   whiteList['page-policy'] = false; // default: start
1417 |   whiteList['pause'] = false; // default: implementation dependent
1418 |   whiteList['pause-after'] = false; // default: implementation dependent
1419 |   whiteList['pause-before'] = false; // default: implementation dependent
1420 |   whiteList['perspective'] = false; // default: none
1421 |   whiteList['perspective-origin'] = false; // default: 50% 50%
1422 |   whiteList['pitch'] = false; // default: medium
1423 |   whiteList['pitch-range'] = false; // default: 50
1424 |   whiteList['play-during'] = false; // default: auto
1425 |   whiteList['position'] = false; // default: static
1426 |   whiteList['presentation-level'] = false; // default: 0
1427 |   whiteList['quotes'] = false; // default: text
1428 |   whiteList['region-fragment'] = false; // default: auto
1429 |   whiteList['resize'] = false; // default: none
1430 |   whiteList['rest'] = false; // default: depending on individual properties
1431 |   whiteList['rest-after'] = false; // default: none
1432 |   whiteList['rest-before'] = false; // default: none
1433 |   whiteList['richness'] = false; // default: 50
1434 |   whiteList['right'] = false; // default: auto
1435 |   whiteList['rotation'] = false; // default: 0
1436 |   whiteList['rotation-point'] = false; // default: 50% 50%
1437 |   whiteList['ruby-align'] = false; // default: auto
1438 |   whiteList['ruby-merge'] = false; // default: separate
1439 |   whiteList['ruby-position'] = false; // default: before
1440 |   whiteList['shape-image-threshold'] = false; // default: 0.0
1441 |   whiteList['shape-outside'] = false; // default: none
1442 |   whiteList['shape-margin'] = false; // default: 0
1443 |   whiteList['size'] = false; // default: auto
1444 |   whiteList['speak'] = false; // default: auto
1445 |   whiteList['speak-as'] = false; // default: normal
1446 |   whiteList['speak-header'] = false; // default: once
1447 |   whiteList['speak-numeral'] = false; // default: continuous
1448 |   whiteList['speak-punctuation'] = false; // default: none
1449 |   whiteList['speech-rate'] = false; // default: medium
1450 |   whiteList['stress'] = false; // default: 50
1451 |   whiteList['string-set'] = false; // default: none
1452 |   whiteList['tab-size'] = false; // default: 8
1453 |   whiteList['table-layout'] = false; // default: auto
1454 |   whiteList['text-align'] = true; // default: start
1455 |   whiteList['text-align-last'] = true; // default: auto
1456 |   whiteList['text-combine-upright'] = true; // default: none
1457 |   whiteList['text-decoration'] = true; // default: none
1458 |   whiteList['text-decoration-color'] = true; // default: currentColor
1459 |   whiteList['text-decoration-line'] = true; // default: none
1460 |   whiteList['text-decoration-skip'] = true; // default: objects
1461 |   whiteList['text-decoration-style'] = true; // default: solid
1462 |   whiteList['text-emphasis'] = true; // default: depending on individual properties
1463 |   whiteList['text-emphasis-color'] = true; // default: currentColor
1464 |   whiteList['text-emphasis-position'] = true; // default: over right
1465 |   whiteList['text-emphasis-style'] = true; // default: none
1466 |   whiteList['text-height'] = true; // default: auto
1467 |   whiteList['text-indent'] = true; // default: 0
1468 |   whiteList['text-justify'] = true; // default: auto
1469 |   whiteList['text-orientation'] = true; // default: mixed
1470 |   whiteList['text-overflow'] = true; // default: clip
1471 |   whiteList['text-shadow'] = true; // default: none
1472 |   whiteList['text-space-collapse'] = true; // default: collapse
1473 |   whiteList['text-transform'] = true; // default: none
1474 |   whiteList['text-underline-position'] = true; // default: auto
1475 |   whiteList['text-wrap'] = true; // default: normal
1476 |   whiteList['top'] = false; // default: auto
1477 |   whiteList['transform'] = false; // default: none
1478 |   whiteList['transform-origin'] = false; // default: 50% 50% 0
1479 |   whiteList['transform-style'] = false; // default: flat
1480 |   whiteList['transition'] = false; // default: depending on individual properties
1481 |   whiteList['transition-delay'] = false; // default: 0s
1482 |   whiteList['transition-duration'] = false; // default: 0s
1483 |   whiteList['transition-property'] = false; // default: all
1484 |   whiteList['transition-timing-function'] = false; // default: ease
1485 |   whiteList['unicode-bidi'] = false; // default: normal
1486 |   whiteList['vertical-align'] = false; // default: baseline
1487 |   whiteList['visibility'] = false; // default: visible
1488 |   whiteList['voice-balance'] = false; // default: center
1489 |   whiteList['voice-duration'] = false; // default: auto
1490 |   whiteList['voice-family'] = false; // default: implementation dependent
1491 |   whiteList['voice-pitch'] = false; // default: medium
1492 |   whiteList['voice-range'] = false; // default: medium
1493 |   whiteList['voice-rate'] = false; // default: normal
1494 |   whiteList['voice-stress'] = false; // default: normal
1495 |   whiteList['voice-volume'] = false; // default: medium
1496 |   whiteList['volume'] = false; // default: medium
1497 |   whiteList['white-space'] = false; // default: normal
1498 |   whiteList['widows'] = false; // default: 2
1499 |   whiteList['width'] = true; // default: auto
1500 |   whiteList['will-change'] = false; // default: auto
1501 |   whiteList['word-break'] = true; // default: normal
1502 |   whiteList['word-spacing'] = true; // default: normal
1503 |   whiteList['word-wrap'] = true; // default: normal
1504 |   whiteList['wrap-flow'] = false; // default: auto
1505 |   whiteList['wrap-through'] = false; // default: wrap
1506 |   whiteList['writing-mode'] = false; // default: horizontal-tb
1507 |   whiteList['z-index'] = false; // default: auto
1508 | 
1509 |   return whiteList;
1510 | }
1511 | 
1512 | 
1513 | /**
1514 |  * 匹配到白名单上的一个属性时
1515 |  *
1516 |  * @param {String} name
1517 |  * @param {String} value
1518 |  * @param {Object} options
1519 |  * @return {String}
1520 |  */
1521 | function onAttr (name, value, options) {
1522 |   // do nothing
1523 | }
1524 | 
1525 | /**
1526 |  * 匹配到不在白名单上的一个属性时
1527 |  *
1528 |  * @param {String} name
1529 |  * @param {String} value
1530 |  * @param {Object} options
1531 |  * @return {String}
1532 |  */
1533 | function onIgnoreAttr (name, value, options) {
1534 |   // do nothing
1535 | }
1536 | 
1537 | var REGEXP_URL_JAVASCRIPT = /javascript\s*\:/img;
1538 | 
1539 | /**
1540 |  * 过滤属性值
1541 |  *
1542 |  * @param {String} name
1543 |  * @param {String} value
1544 |  * @return {String}
1545 |  */
1546 | function safeAttrValue(name, value) {
1547 |   if (REGEXP_URL_JAVASCRIPT.test(value)) return '';
1548 |   return value;
1549 | }
1550 | 
1551 | 
1552 | exports.whiteList = getDefaultWhiteList();
1553 | exports.getDefaultWhiteList = getDefaultWhiteList;
1554 | exports.onAttr = onAttr;
1555 | exports.onIgnoreAttr = onIgnoreAttr;
1556 | exports.safeAttrValue = safeAttrValue;
1557 | 
1558 | },{}],8:[function(require,module,exports){
1559 | /**
1560 |  * cssfilter
1561 |  *
1562 |  * @author 老雷<leizongmin@gmail.com>
1563 |  */
1564 | 
1565 | var DEFAULT = require('./default');
1566 | var FilterCSS = require('./css');
1567 | 
1568 | 
1569 | /**
1570 |  * XSS过滤
1571 |  *
1572 |  * @param {String} css 要过滤的CSS代码
1573 |  * @param {Object} options 选项：whiteList, onAttr, onIgnoreAttr
1574 |  * @return {String}
1575 |  */
1576 | function filterCSS (html, options) {
1577 |   var xss = new FilterCSS(options);
1578 |   return xss.process(html);
1579 | }
1580 | 
1581 | 
1582 | // 输出
1583 | exports = module.exports = filterCSS;
1584 | exports.FilterCSS = FilterCSS;
1585 | for (var i in DEFAULT) exports[i] = DEFAULT[i];
1586 | 
1587 | // 在浏览器端使用
1588 | if (typeof window !== 'undefined') {
1589 |   window.filterCSS = module.exports;
1590 | }
1591 | 
1592 | },{"./css":6,"./default":7}],9:[function(require,module,exports){
1593 | /**
1594 |  * cssfilter
1595 |  *
1596 |  * @author 老雷<leizongmin@gmail.com>
1597 |  */
1598 | 
1599 | var _ = require('./util');
1600 | 
1601 | 
1602 | /**
1603 |  * 解析style
1604 |  *
1605 |  * @param {String} css
1606 |  * @param {Function} onAttr 处理属性的函数
1607 |  *   参数格式： function (sourcePosition, position, name, value, source)
1608 |  * @return {String}
1609 |  */
1610 | function parseStyle (css, onAttr) {
1611 |   css = _.trimRight(css);
1612 |   if (css[css.length - 1] !== ';') css += ';';
1613 |   var cssLength = css.length;
1614 |   var isParenthesisOpen = false;
1615 |   var lastPos = 0;
1616 |   var i = 0;
1617 |   var retCSS = '';
1618 | 
1619 |   function addNewAttr () {
1620 |     // 如果没有正常的闭合圆括号，则直接忽略当前属性
1621 |     if (!isParenthesisOpen) {
1622 |       var source = _.trim(css.slice(lastPos, i));
1623 |       var j = source.indexOf(':');
1624 |       if (j !== -1) {
1625 |         var name = _.trim(source.slice(0, j));
1626 |         var value = _.trim(source.slice(j + 1));
1627 |         // 必须有属性名称
1628 |         if (name) {
1629 |           var ret = onAttr(lastPos, retCSS.length, name, value, source);
1630 |           if (ret) retCSS += ret + '; ';
1631 |         }
1632 |       }
1633 |     }
1634 |     lastPos = i + 1;
1635 |   }
1636 | 
1637 |   for (; i < cssLength; i++) {
1638 |     var c = css[i];
1639 |     if (c === '/' && css[i + 1] === '*') {
1640 |       // 备注开始
1641 |       var j = css.indexOf('*/', i + 2);
1642 |       // 如果没有正常的备注结束，则后面的部分全部跳过
1643 |       if (j === -1) break;
1644 |       // 直接将当前位置调到备注结尾，并且初始化状态
1645 |       i = j + 1;
1646 |       lastPos = i + 1;
1647 |       isParenthesisOpen = false;
1648 |     } else if (c === '(') {
1649 |       isParenthesisOpen = true;
1650 |     } else if (c === ')') {
1651 |       isParenthesisOpen = false;
1652 |     } else if (c === ';') {
1653 |       if (isParenthesisOpen) {
1654 |         // 在圆括号里面，忽略
1655 |       } else {
1656 |         addNewAttr();
1657 |       }
1658 |     } else if (c === '\n') {
1659 |       addNewAttr();
1660 |     }
1661 |   }
1662 | 
1663 |   return _.trim(retCSS);
1664 | }
1665 | 
1666 | module.exports = parseStyle;
1667 | 
1668 | },{"./util":10}],10:[function(require,module,exports){
1669 | module.exports = {
1670 |   indexOf: function (arr, item) {
1671 |     var i, j;
1672 |     if (Array.prototype.indexOf) {
1673 |       return arr.indexOf(item);
1674 |     }
1675 |     for (i = 0, j = arr.length; i < j; i++) {
1676 |       if (arr[i] === item) {
1677 |         return i;
1678 |       }
1679 |     }
1680 |     return -1;
1681 |   },
1682 |   forEach: function (arr, fn, scope) {
1683 |     var i, j;
1684 |     if (Array.prototype.forEach) {
1685 |       return arr.forEach(fn, scope);
1686 |     }
1687 |     for (i = 0, j = arr.length; i < j; i++) {
1688 |       fn.call(scope, arr[i], i, arr);
1689 |     }
1690 |   },
1691 |   trim: function (str) {
1692 |     if (String.prototype.trim) {
1693 |       return str.trim();
1694 |     }
1695 |     return str.replace(/(^\s*)|(\s*$)/g, '');
1696 |   },
1697 |   trimRight: function (str) {
1698 |     if (String.prototype.trimRight) {
1699 |       return str.trimRight();
1700 |     }
1701 |     return str.replace(/(\s*$)/g, '');
1702 |   }
1703 | };
1704 | 
1705 | },{}]},{},[2]);
1706 | 


--------------------------------------------------------------------------------
/dist/xss.min.js:
--------------------------------------------------------------------------------
1 | (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c="function"==typeof require&&require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u="function"==typeof require&&require,i=0;i<t.length;i++)o(t[i]);return o}return r})()({1:[function(require,module,exports){var FilterCSS=require("cssfilter").FilterCSS;var getDefaultCSSWhiteList=require("cssfilter").getDefaultWhiteList;var _=require("./util");function getDefaultWhiteList(){return{a:["target","href","title"],abbr:["title"],address:[],area:["shape","coords","href","alt"],article:[],aside:[],audio:["autoplay","controls","crossorigin","loop","muted","preload","src"],b:[],bdi:["dir"],bdo:["dir"],big:[],blockquote:["cite"],br:[],caption:[],center:[],cite:[],code:[],col:["align","valign","span","width"],colgroup:["align","valign","span","width"],dd:[],del:["datetime"],details:["open"],div:[],dl:[],dt:[],em:[],figcaption:[],figure:[],font:["color","size","face"],footer:[],h1:[],h2:[],h3:[],h4:[],h5:[],h6:[],header:[],hr:[],i:[],img:["src","alt","title","width","height","loading"],ins:["datetime"],kbd:[],li:[],mark:[],nav:[],ol:[],p:[],pre:[],s:[],section:[],small:[],span:[],sub:[],summary:[],sup:[],strong:[],strike:[],table:["width","border","align","valign"],tbody:["align","valign"],td:["width","rowspan","colspan","align","valign"],tfoot:["align","valign"],th:["width","rowspan","colspan","align","valign"],thead:["align","valign"],tr:["rowspan","align","valign"],tt:[],u:[],ul:[],video:["autoplay","controls","crossorigin","loop","muted","playsinline","poster","preload","src","height","width"]}}var defaultCSSFilter=new FilterCSS;function onTag(tag,html,options){}function onIgnoreTag(tag,html,options){}function onTagAttr(tag,name,value){}function onIgnoreTagAttr(tag,name,value){}function escapeHtml(html){return html.replace(REGEXP_LT,"&lt;").replace(REGEXP_GT,"&gt;")}function safeAttrValue(tag,name,value,cssFilter){value=friendlyAttrValue(value);if(name==="href"||name==="src"){value=_.trim(value);if(value==="#")return"#";if(!(value.substr(0,7)==="http://"||value.substr(0,8)==="https://"||value.substr(0,7)==="mailto:"||value.substr(0,4)==="tel:"||value.substr(0,11)==="data:image/"||value.substr(0,6)==="ftp://"||value.substr(0,2)==="./"||value.substr(0,3)==="../"||value[0]==="#"||value[0]==="/")){return""}}else if(name==="background"){REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex=0;if(REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)){return""}}else if(name==="style"){REGEXP_DEFAULT_ON_TAG_ATTR_7.lastIndex=0;if(REGEXP_DEFAULT_ON_TAG_ATTR_7.test(value)){return""}REGEXP_DEFAULT_ON_TAG_ATTR_8.lastIndex=0;if(REGEXP_DEFAULT_ON_TAG_ATTR_8.test(value)){REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex=0;if(REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)){return""}}if(cssFilter!==false){cssFilter=cssFilter||defaultCSSFilter;value=cssFilter.process(value)}}value=escapeAttrValue(value);return value}var REGEXP_LT=/</g;var REGEXP_GT=/>/g;var REGEXP_QUOTE=/"/g;var REGEXP_QUOTE_2=/&quot;/g;var REGEXP_ATTR_VALUE_1=/&#([a-zA-Z0-9]*);?/gim;var REGEXP_ATTR_VALUE_COLON=/&colon;?/gim;var REGEXP_ATTR_VALUE_NEWLINE=/&newline;?/gim;var REGEXP_DEFAULT_ON_TAG_ATTR_4=/((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/gi;var REGEXP_DEFAULT_ON_TAG_ATTR_7=/e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*\(.*/gi;var REGEXP_DEFAULT_ON_TAG_ATTR_8=/u\s*r\s*l\s*\(.*/gi;function escapeQuote(str){return str.replace(REGEXP_QUOTE,"&quot;")}function unescapeQuote(str){return str.replace(REGEXP_QUOTE_2,'"')}function escapeHtmlEntities(str){return str.replace(REGEXP_ATTR_VALUE_1,function replaceUnicode(str,code){return code[0]==="x"||code[0]==="X"?String.fromCharCode(parseInt(code.substr(1),16)):String.fromCharCode(parseInt(code,10))})}function escapeDangerHtml5Entities(str){return str.replace(REGEXP_ATTR_VALUE_COLON,":").replace(REGEXP_ATTR_VALUE_NEWLINE," ")}function clearNonPrintableCharacter(str){var str2="";for(var i=0,len=str.length;i<len;i++){str2+=str.charCodeAt(i)<32?" ":str.charAt(i)}return _.trim(str2)}function friendlyAttrValue(str){str=unescapeQuote(str);str=escapeHtmlEntities(str);str=escapeDangerHtml5Entities(str);str=clearNonPrintableCharacter(str);return str}function escapeAttrValue(str){str=escapeQuote(str);str=escapeHtml(str);return str}function onIgnoreTagStripAll(){return""}function StripTagBody(tags,next){if(typeof next!=="function"){next=function(){}}var isRemoveAllTag=!Array.isArray(tags);function isRemoveTag(tag){if(isRemoveAllTag)return true;return _.indexOf(tags,tag)!==-1}var removeList=[];var posStart=false;return{onIgnoreTag:function(tag,html,options){if(isRemoveTag(tag)){if(options.isClosing){var ret="[/removed]";var end=options.position+ret.length;removeList.push([posStart!==false?posStart:options.position,end]);posStart=false;return ret}else{if(!posStart){posStart=options.position}return"[removed]"}}else{return next(tag,html,options)}},remove:function(html){var rethtml="";var lastPos=0;_.forEach(removeList,function(pos){rethtml+=html.slice(lastPos,pos[0]);lastPos=pos[1]});rethtml+=html.slice(lastPos);return rethtml}}}function stripCommentTag(html){var retHtml="";var lastPos=0;while(lastPos<html.length){var i=html.indexOf("\x3c!--",lastPos);if(i===-1){retHtml+=html.slice(lastPos);break}retHtml+=html.slice(lastPos,i);var j=html.indexOf("--\x3e",i);if(j===-1){break}lastPos=j+3}return retHtml}function stripBlankChar(html){var chars=html.split("");chars=chars.filter(function(char){var c=char.charCodeAt(0);if(c===127)return false;if(c<=31){if(c===10||c===13)return true;return false}return true});return chars.join("")}exports.whiteList=getDefaultWhiteList();exports.getDefaultWhiteList=getDefaultWhiteList;exports.onTag=onTag;exports.onIgnoreTag=onIgnoreTag;exports.onTagAttr=onTagAttr;exports.onIgnoreTagAttr=onIgnoreTagAttr;exports.safeAttrValue=safeAttrValue;exports.escapeHtml=escapeHtml;exports.escapeQuote=escapeQuote;exports.unescapeQuote=unescapeQuote;exports.escapeHtmlEntities=escapeHtmlEntities;exports.escapeDangerHtml5Entities=escapeDangerHtml5Entities;exports.clearNonPrintableCharacter=clearNonPrintableCharacter;exports.friendlyAttrValue=friendlyAttrValue;exports.escapeAttrValue=escapeAttrValue;exports.onIgnoreTagStripAll=onIgnoreTagStripAll;exports.StripTagBody=StripTagBody;exports.stripCommentTag=stripCommentTag;exports.stripBlankChar=stripBlankChar;exports.attributeWrapSign='"';exports.cssFilter=defaultCSSFilter;exports.getDefaultCSSWhiteList=getDefaultCSSWhiteList},{"./util":4,cssfilter:8}],2:[function(require,module,exports){var DEFAULT=require("./default");var parser=require("./parser");var FilterXSS=require("./xss");function filterXSS(html,options){var xss=new FilterXSS(options);return xss.process(html)}exports=module.exports=filterXSS;exports.filterXSS=filterXSS;exports.FilterXSS=FilterXSS;(function(){for(var i in DEFAULT){exports[i]=DEFAULT[i]}for(var j in parser){exports[j]=parser[j]}})();if(typeof window!=="undefined"){window.filterXSS=module.exports}function isWorkerEnv(){return typeof self!=="undefined"&&typeof DedicatedWorkerGlobalScope!=="undefined"&&self instanceof DedicatedWorkerGlobalScope}if(isWorkerEnv()){self.filterXSS=module.exports}},{"./default":1,"./parser":3,"./xss":5}],3:[function(require,module,exports){var _=require("./util");function getTagName(html){var i=_.spaceIndex(html);var tagName;if(i===-1){tagName=html.slice(1,-1)}else{tagName=html.slice(1,i+1)}tagName=_.trim(tagName).toLowerCase();if(tagName.slice(0,1)==="/")tagName=tagName.slice(1);if(tagName.slice(-1)==="/")tagName=tagName.slice(0,-1);return tagName}function isClosing(html){return html.slice(0,2)==="</"}function parseTag(html,onTag,escapeHtml){"use strict";var rethtml="";var lastPos=0;var tagStart=false;var quoteStart=false;var currentPos=0;var len=html.length;var currentTagName="";var currentHtml="";chariterator:for(currentPos=0;currentPos<len;currentPos++){var c=html.charAt(currentPos);if(tagStart===false){if(c==="<"){tagStart=currentPos;continue}}else{if(quoteStart===false){if(c==="<"){rethtml+=escapeHtml(html.slice(lastPos,currentPos));tagStart=currentPos;lastPos=currentPos;continue}if(c===">"||currentPos===len-1){rethtml+=escapeHtml(html.slice(lastPos,tagStart));currentHtml=html.slice(tagStart,currentPos+1);currentTagName=getTagName(currentHtml);rethtml+=onTag(tagStart,rethtml.length,currentTagName,currentHtml,isClosing(currentHtml));lastPos=currentPos+1;tagStart=false;continue}if(c==='"'||c==="'"){var i=1;var ic=html.charAt(currentPos-i);while(ic.trim()===""||ic==="="){if(ic==="="){quoteStart=c;continue chariterator}ic=html.charAt(currentPos-++i)}}}else{if(c===quoteStart){quoteStart=false;continue}}}}if(lastPos<len){rethtml+=escapeHtml(html.substr(lastPos))}return rethtml}var REGEXP_ILLEGAL_ATTR_NAME=/[^a-zA-Z0-9\\_:.-]/gim;function parseAttr(html,onAttr){"use strict";var lastPos=0;var lastMarkPos=0;var retAttrs=[];var tmpName=false;var len=html.length;function addAttr(name,value){name=_.trim(name);name=name.replace(REGEXP_ILLEGAL_ATTR_NAME,"").toLowerCase();if(name.length<1)return;var ret=onAttr(name,value||"");if(ret)retAttrs.push(ret)}for(var i=0;i<len;i++){var c=html.charAt(i);var v,j;if(tmpName===false&&c==="="){tmpName=html.slice(lastPos,i);lastPos=i+1;lastMarkPos=html.charAt(lastPos)==='"'||html.charAt(lastPos)==="'"?lastPos:findNextQuotationMark(html,i+1);continue}if(tmpName!==false){if(i===lastMarkPos){j=html.indexOf(c,i+1);if(j===-1){break}else{v=_.trim(html.slice(lastMarkPos+1,j));addAttr(tmpName,v);tmpName=false;i=j;lastPos=i+1;continue}}}if(/\s|\n|\t/.test(c)){html=html.replace(/\s|\n|\t/g," ");if(tmpName===false){j=findNextEqual(html,i);if(j===-1){v=_.trim(html.slice(lastPos,i));addAttr(v);tmpName=false;lastPos=i+1;continue}else{i=j-1;continue}}else{j=findBeforeEqual(html,i-1);if(j===-1){v=_.trim(html.slice(lastPos,i));v=stripQuoteWrap(v);addAttr(tmpName,v);tmpName=false;lastPos=i+1;continue}else{continue}}}}if(lastPos<html.length){if(tmpName===false){addAttr(html.slice(lastPos))}else{addAttr(tmpName,stripQuoteWrap(_.trim(html.slice(lastPos))))}}return _.trim(retAttrs.join(" "))}function findNextEqual(str,i){for(;i<str.length;i++){var c=str[i];if(c===" ")continue;if(c==="=")return i;return-1}}function findNextQuotationMark(str,i){for(;i<str.length;i++){var c=str[i];if(c===" ")continue;if(c==="'"||c==='"')return i;return-1}}function findBeforeEqual(str,i){for(;i>0;i--){var c=str[i];if(c===" ")continue;if(c==="=")return i;return-1}}function isQuoteWrapString(text){if(text[0]==='"'&&text[text.length-1]==='"'||text[0]==="'"&&text[text.length-1]==="'"){return true}else{return false}}function stripQuoteWrap(text){if(isQuoteWrapString(text)){return text.substr(1,text.length-2)}else{return text}}exports.parseTag=parseTag;exports.parseAttr=parseAttr},{"./util":4}],4:[function(require,module,exports){module.exports={indexOf:function(arr,item){var i,j;if(Array.prototype.indexOf){return arr.indexOf(item)}for(i=0,j=arr.length;i<j;i++){if(arr[i]===item){return i}}return-1},forEach:function(arr,fn,scope){var i,j;if(Array.prototype.forEach){return arr.forEach(fn,scope)}for(i=0,j=arr.length;i<j;i++){fn.call(scope,arr[i],i,arr)}},trim:function(str){if(String.prototype.trim){return str.trim()}return str.replace(/(^\s*)|(\s*$)/g,"")},spaceIndex:function(str){var reg=/\s|\n|\t/;var match=reg.exec(str);return match?match.index:-1}}},{}],5:[function(require,module,exports){var FilterCSS=require("cssfilter").FilterCSS;var DEFAULT=require("./default");var parser=require("./parser");var parseTag=parser.parseTag;var parseAttr=parser.parseAttr;var _=require("./util");function isNull(obj){return obj===undefined||obj===null}function getAttrs(html){var i=_.spaceIndex(html);if(i===-1){return{html:"",closing:html[html.length-2]==="/"}}html=_.trim(html.slice(i+1,-1));var isClosing=html[html.length-1]==="/";if(isClosing)html=_.trim(html.slice(0,-1));return{html:html,closing:isClosing}}function shallowCopyObject(obj){var ret={};for(var i in obj){ret[i]=obj[i]}return ret}function keysToLowerCase(obj){var ret={};for(var i in obj){if(Array.isArray(obj[i])){ret[i.toLowerCase()]=obj[i].map(function(item){return item.toLowerCase()})}else{ret[i.toLowerCase()]=obj[i]}}return ret}function FilterXSS(options){options=shallowCopyObject(options||{});if(options.stripIgnoreTag){if(options.onIgnoreTag){console.error('Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time')}options.onIgnoreTag=DEFAULT.onIgnoreTagStripAll}if(options.whiteList||options.allowList){options.whiteList=keysToLowerCase(options.whiteList||options.allowList)}else{options.whiteList=DEFAULT.whiteList}this.attributeWrapSign=options.singleQuotedAttributeValue===true?"'":DEFAULT.attributeWrapSign;options.onTag=options.onTag||DEFAULT.onTag;options.onTagAttr=options.onTagAttr||DEFAULT.onTagAttr;options.onIgnoreTag=options.onIgnoreTag||DEFAULT.onIgnoreTag;options.onIgnoreTagAttr=options.onIgnoreTagAttr||DEFAULT.onIgnoreTagAttr;options.safeAttrValue=options.safeAttrValue||DEFAULT.safeAttrValue;options.escapeHtml=options.escapeHtml||DEFAULT.escapeHtml;this.options=options;if(options.css===false){this.cssFilter=false}else{options.css=options.css||{};this.cssFilter=new FilterCSS(options.css)}}FilterXSS.prototype.process=function(html){html=html||"";html=html.toString();if(!html)return"";var me=this;var options=me.options;var whiteList=options.whiteList;var onTag=options.onTag;var onIgnoreTag=options.onIgnoreTag;var onTagAttr=options.onTagAttr;var onIgnoreTagAttr=options.onIgnoreTagAttr;var safeAttrValue=options.safeAttrValue;var escapeHtml=options.escapeHtml;var attributeWrapSign=me.attributeWrapSign;var cssFilter=me.cssFilter;if(options.stripBlankChar){html=DEFAULT.stripBlankChar(html)}if(!options.allowCommentTag){html=DEFAULT.stripCommentTag(html)}var stripIgnoreTagBody=false;if(options.stripIgnoreTagBody){stripIgnoreTagBody=DEFAULT.StripTagBody(options.stripIgnoreTagBody,onIgnoreTag);onIgnoreTag=stripIgnoreTagBody.onIgnoreTag}var retHtml=parseTag(html,function(sourcePosition,position,tag,html,isClosing){var info={sourcePosition:sourcePosition,position:position,isClosing:isClosing,isWhite:Object.prototype.hasOwnProperty.call(whiteList,tag)};var ret=onTag(tag,html,info);if(!isNull(ret))return ret;if(info.isWhite){if(info.isClosing){return"</"+tag+">"}var attrs=getAttrs(html);var whiteAttrList=whiteList[tag];var attrsHtml=parseAttr(attrs.html,function(name,value){var isWhiteAttr=_.indexOf(whiteAttrList,name)!==-1;var ret=onTagAttr(tag,name,value,isWhiteAttr);if(!isNull(ret))return ret;if(isWhiteAttr){value=safeAttrValue(tag,name,value,cssFilter);if(value){return name+"="+attributeWrapSign+value+attributeWrapSign}else{return name}}else{ret=onIgnoreTagAttr(tag,name,value,isWhiteAttr);if(!isNull(ret))return ret;return}});html="<"+tag;if(attrsHtml)html+=" "+attrsHtml;if(attrs.closing)html+=" /";html+=">";return html}else{ret=onIgnoreTag(tag,html,info);if(!isNull(ret))return ret;return escapeHtml(html)}},escapeHtml);if(stripIgnoreTagBody){retHtml=stripIgnoreTagBody.remove(retHtml)}return retHtml};module.exports=FilterXSS},{"./default":1,"./parser":3,"./util":4,cssfilter:8}],6:[function(require,module,exports){var DEFAULT=require("./default");var parseStyle=require("./parser");var _=require("./util");function isNull(obj){return obj===undefined||obj===null}function shallowCopyObject(obj){var ret={};for(var i in obj){ret[i]=obj[i]}return ret}function FilterCSS(options){options=shallowCopyObject(options||{});options.whiteList=options.whiteList||DEFAULT.whiteList;options.onAttr=options.onAttr||DEFAULT.onAttr;options.onIgnoreAttr=options.onIgnoreAttr||DEFAULT.onIgnoreAttr;options.safeAttrValue=options.safeAttrValue||DEFAULT.safeAttrValue;this.options=options}FilterCSS.prototype.process=function(css){css=css||"";css=css.toString();if(!css)return"";var me=this;var options=me.options;var whiteList=options.whiteList;var onAttr=options.onAttr;var onIgnoreAttr=options.onIgnoreAttr;var safeAttrValue=options.safeAttrValue;var retCSS=parseStyle(css,function(sourcePosition,position,name,value,source){var check=whiteList[name];var isWhite=false;if(check===true)isWhite=check;else if(typeof check==="function")isWhite=check(value);else if(check instanceof RegExp)isWhite=check.test(value);if(isWhite!==true)isWhite=false;value=safeAttrValue(name,value);if(!value)return;var opts={position:position,sourcePosition:sourcePosition,source:source,isWhite:isWhite};if(isWhite){var ret=onAttr(name,value,opts);if(isNull(ret)){return name+":"+value}else{return ret}}else{var ret=onIgnoreAttr(name,value,opts);if(!isNull(ret)){return ret}}});return retCSS};module.exports=FilterCSS},{"./default":7,"./parser":9,"./util":10}],7:[function(require,module,exports){function getDefaultWhiteList(){var whiteList={};whiteList["align-content"]=false;whiteList["align-items"]=false;whiteList["align-self"]=false;whiteList["alignment-adjust"]=false;whiteList["alignment-baseline"]=false;whiteList["all"]=false;whiteList["anchor-point"]=false;whiteList["animation"]=false;whiteList["animation-delay"]=false;whiteList["animation-direction"]=false;whiteList["animation-duration"]=false;whiteList["animation-fill-mode"]=false;whiteList["animation-iteration-count"]=false;whiteList["animation-name"]=false;whiteList["animation-play-state"]=false;whiteList["animation-timing-function"]=false;whiteList["azimuth"]=false;whiteList["backface-visibility"]=false;whiteList["background"]=true;whiteList["background-attachment"]=true;whiteList["background-clip"]=true;whiteList["background-color"]=true;whiteList["background-image"]=true;whiteList["background-origin"]=true;whiteList["background-position"]=true;whiteList["background-repeat"]=true;whiteList["background-size"]=true;whiteList["baseline-shift"]=false;whiteList["binding"]=false;whiteList["bleed"]=false;whiteList["bookmark-label"]=false;whiteList["bookmark-level"]=false;whiteList["bookmark-state"]=false;whiteList["border"]=true;whiteList["border-bottom"]=true;whiteList["border-bottom-color"]=true;whiteList["border-bottom-left-radius"]=true;whiteList["border-bottom-right-radius"]=true;whiteList["border-bottom-style"]=true;whiteList["border-bottom-width"]=true;whiteList["border-collapse"]=true;whiteList["border-color"]=true;whiteList["border-image"]=true;whiteList["border-image-outset"]=true;whiteList["border-image-repeat"]=true;whiteList["border-image-slice"]=true;whiteList["border-image-source"]=true;whiteList["border-image-width"]=true;whiteList["border-left"]=true;whiteList["border-left-color"]=true;whiteList["border-left-style"]=true;whiteList["border-left-width"]=true;whiteList["border-radius"]=true;whiteList["border-right"]=true;whiteList["border-right-color"]=true;whiteList["border-right-style"]=true;whiteList["border-right-width"]=true;whiteList["border-spacing"]=true;whiteList["border-style"]=true;whiteList["border-top"]=true;whiteList["border-top-color"]=true;whiteList["border-top-left-radius"]=true;whiteList["border-top-right-radius"]=true;whiteList["border-top-style"]=true;whiteList["border-top-width"]=true;whiteList["border-width"]=true;whiteList["bottom"]=false;whiteList["box-decoration-break"]=true;whiteList["box-shadow"]=true;whiteList["box-sizing"]=true;whiteList["box-snap"]=true;whiteList["box-suppress"]=true;whiteList["break-after"]=true;whiteList["break-before"]=true;whiteList["break-inside"]=true;whiteList["caption-side"]=false;whiteList["chains"]=false;whiteList["clear"]=true;whiteList["clip"]=false;whiteList["clip-path"]=false;whiteList["clip-rule"]=false;whiteList["color"]=true;whiteList["color-interpolation-filters"]=true;whiteList["column-count"]=false;whiteList["column-fill"]=false;whiteList["column-gap"]=false;whiteList["column-rule"]=false;whiteList["column-rule-color"]=false;whiteList["column-rule-style"]=false;whiteList["column-rule-width"]=false;whiteList["column-span"]=false;whiteList["column-width"]=false;whiteList["columns"]=false;whiteList["contain"]=false;whiteList["content"]=false;whiteList["counter-increment"]=false;whiteList["counter-reset"]=false;whiteList["counter-set"]=false;whiteList["crop"]=false;whiteList["cue"]=false;whiteList["cue-after"]=false;whiteList["cue-before"]=false;whiteList["cursor"]=false;whiteList["direction"]=false;whiteList["display"]=true;whiteList["display-inside"]=true;whiteList["display-list"]=true;whiteList["display-outside"]=true;whiteList["dominant-baseline"]=false;whiteList["elevation"]=false;whiteList["empty-cells"]=false;whiteList["filter"]=false;whiteList["flex"]=false;whiteList["flex-basis"]=false;whiteList["flex-direction"]=false;whiteList["flex-flow"]=false;whiteList["flex-grow"]=false;whiteList["flex-shrink"]=false;whiteList["flex-wrap"]=false;whiteList["float"]=false;whiteList["float-offset"]=false;whiteList["flood-color"]=false;whiteList["flood-opacity"]=false;whiteList["flow-from"]=false;whiteList["flow-into"]=false;whiteList["font"]=true;whiteList["font-family"]=true;whiteList["font-feature-settings"]=true;whiteList["font-kerning"]=true;whiteList["font-language-override"]=true;whiteList["font-size"]=true;whiteList["font-size-adjust"]=true;whiteList["font-stretch"]=true;whiteList["font-style"]=true;whiteList["font-synthesis"]=true;whiteList["font-variant"]=true;whiteList["font-variant-alternates"]=true;whiteList["font-variant-caps"]=true;whiteList["font-variant-east-asian"]=true;whiteList["font-variant-ligatures"]=true;whiteList["font-variant-numeric"]=true;whiteList["font-variant-position"]=true;whiteList["font-weight"]=true;whiteList["grid"]=false;whiteList["grid-area"]=false;whiteList["grid-auto-columns"]=false;whiteList["grid-auto-flow"]=false;whiteList["grid-auto-rows"]=false;whiteList["grid-column"]=false;whiteList["grid-column-end"]=false;whiteList["grid-column-start"]=false;whiteList["grid-row"]=false;whiteList["grid-row-end"]=false;whiteList["grid-row-start"]=false;whiteList["grid-template"]=false;whiteList["grid-template-areas"]=false;whiteList["grid-template-columns"]=false;whiteList["grid-template-rows"]=false;whiteList["hanging-punctuation"]=false;whiteList["height"]=true;whiteList["hyphens"]=false;whiteList["icon"]=false;whiteList["image-orientation"]=false;whiteList["image-resolution"]=false;whiteList["ime-mode"]=false;whiteList["initial-letters"]=false;whiteList["inline-box-align"]=false;whiteList["justify-content"]=false;whiteList["justify-items"]=false;whiteList["justify-self"]=false;whiteList["left"]=false;whiteList["letter-spacing"]=true;whiteList["lighting-color"]=true;whiteList["line-box-contain"]=false;whiteList["line-break"]=false;whiteList["line-grid"]=false;whiteList["line-height"]=false;whiteList["line-snap"]=false;whiteList["line-stacking"]=false;whiteList["line-stacking-ruby"]=false;whiteList["line-stacking-shift"]=false;whiteList["line-stacking-strategy"]=false;whiteList["list-style"]=true;whiteList["list-style-image"]=true;whiteList["list-style-position"]=true;whiteList["list-style-type"]=true;whiteList["margin"]=true;whiteList["margin-bottom"]=true;whiteList["margin-left"]=true;whiteList["margin-right"]=true;whiteList["margin-top"]=true;whiteList["marker-offset"]=false;whiteList["marker-side"]=false;whiteList["marks"]=false;whiteList["mask"]=false;whiteList["mask-box"]=false;whiteList["mask-box-outset"]=false;whiteList["mask-box-repeat"]=false;whiteList["mask-box-slice"]=false;whiteList["mask-box-source"]=false;whiteList["mask-box-width"]=false;whiteList["mask-clip"]=false;whiteList["mask-image"]=false;whiteList["mask-origin"]=false;whiteList["mask-position"]=false;whiteList["mask-repeat"]=false;whiteList["mask-size"]=false;whiteList["mask-source-type"]=false;whiteList["mask-type"]=false;whiteList["max-height"]=true;whiteList["max-lines"]=false;whiteList["max-width"]=true;whiteList["min-height"]=true;whiteList["min-width"]=true;whiteList["move-to"]=false;whiteList["nav-down"]=false;whiteList["nav-index"]=false;whiteList["nav-left"]=false;whiteList["nav-right"]=false;whiteList["nav-up"]=false;whiteList["object-fit"]=false;whiteList["object-position"]=false;whiteList["opacity"]=false;whiteList["order"]=false;whiteList["orphans"]=false;whiteList["outline"]=false;whiteList["outline-color"]=false;whiteList["outline-offset"]=false;whiteList["outline-style"]=false;whiteList["outline-width"]=false;whiteList["overflow"]=false;whiteList["overflow-wrap"]=false;whiteList["overflow-x"]=false;whiteList["overflow-y"]=false;whiteList["padding"]=true;whiteList["padding-bottom"]=true;whiteList["padding-left"]=true;whiteList["padding-right"]=true;whiteList["padding-top"]=true;whiteList["page"]=false;whiteList["page-break-after"]=false;whiteList["page-break-before"]=false;whiteList["page-break-inside"]=false;whiteList["page-policy"]=false;whiteList["pause"]=false;whiteList["pause-after"]=false;whiteList["pause-before"]=false;whiteList["perspective"]=false;whiteList["perspective-origin"]=false;whiteList["pitch"]=false;whiteList["pitch-range"]=false;whiteList["play-during"]=false;whiteList["position"]=false;whiteList["presentation-level"]=false;whiteList["quotes"]=false;whiteList["region-fragment"]=false;whiteList["resize"]=false;whiteList["rest"]=false;whiteList["rest-after"]=false;whiteList["rest-before"]=false;whiteList["richness"]=false;whiteList["right"]=false;whiteList["rotation"]=false;whiteList["rotation-point"]=false;whiteList["ruby-align"]=false;whiteList["ruby-merge"]=false;whiteList["ruby-position"]=false;whiteList["shape-image-threshold"]=false;whiteList["shape-outside"]=false;whiteList["shape-margin"]=false;whiteList["size"]=false;whiteList["speak"]=false;whiteList["speak-as"]=false;whiteList["speak-header"]=false;whiteList["speak-numeral"]=false;whiteList["speak-punctuation"]=false;whiteList["speech-rate"]=false;whiteList["stress"]=false;whiteList["string-set"]=false;whiteList["tab-size"]=false;whiteList["table-layout"]=false;whiteList["text-align"]=true;whiteList["text-align-last"]=true;whiteList["text-combine-upright"]=true;whiteList["text-decoration"]=true;whiteList["text-decoration-color"]=true;whiteList["text-decoration-line"]=true;whiteList["text-decoration-skip"]=true;whiteList["text-decoration-style"]=true;whiteList["text-emphasis"]=true;whiteList["text-emphasis-color"]=true;whiteList["text-emphasis-position"]=true;whiteList["text-emphasis-style"]=true;whiteList["text-height"]=true;whiteList["text-indent"]=true;whiteList["text-justify"]=true;whiteList["text-orientation"]=true;whiteList["text-overflow"]=true;whiteList["text-shadow"]=true;whiteList["text-space-collapse"]=true;whiteList["text-transform"]=true;whiteList["text-underline-position"]=true;whiteList["text-wrap"]=true;whiteList["top"]=false;whiteList["transform"]=false;whiteList["transform-origin"]=false;whiteList["transform-style"]=false;whiteList["transition"]=false;whiteList["transition-delay"]=false;whiteList["transition-duration"]=false;whiteList["transition-property"]=false;whiteList["transition-timing-function"]=false;whiteList["unicode-bidi"]=false;whiteList["vertical-align"]=false;whiteList["visibility"]=false;whiteList["voice-balance"]=false;whiteList["voice-duration"]=false;whiteList["voice-family"]=false;whiteList["voice-pitch"]=false;whiteList["voice-range"]=false;whiteList["voice-rate"]=false;whiteList["voice-stress"]=false;whiteList["voice-volume"]=false;whiteList["volume"]=false;whiteList["white-space"]=false;whiteList["widows"]=false;whiteList["width"]=true;whiteList["will-change"]=false;whiteList["word-break"]=true;whiteList["word-spacing"]=true;whiteList["word-wrap"]=true;whiteList["wrap-flow"]=false;whiteList["wrap-through"]=false;whiteList["writing-mode"]=false;whiteList["z-index"]=false;return whiteList}function onAttr(name,value,options){}function onIgnoreAttr(name,value,options){}var REGEXP_URL_JAVASCRIPT=/javascript\s*\:/gim;function safeAttrValue(name,value){if(REGEXP_URL_JAVASCRIPT.test(value))return"";return value}exports.whiteList=getDefaultWhiteList();exports.getDefaultWhiteList=getDefaultWhiteList;exports.onAttr=onAttr;exports.onIgnoreAttr=onIgnoreAttr;exports.safeAttrValue=safeAttrValue},{}],8:[function(require,module,exports){var DEFAULT=require("./default");var FilterCSS=require("./css");function filterCSS(html,options){var xss=new FilterCSS(options);return xss.process(html)}exports=module.exports=filterCSS;exports.FilterCSS=FilterCSS;for(var i in DEFAULT)exports[i]=DEFAULT[i];if(typeof window!=="undefined"){window.filterCSS=module.exports}},{"./css":6,"./default":7}],9:[function(require,module,exports){var _=require("./util");function parseStyle(css,onAttr){css=_.trimRight(css);if(css[css.length-1]!==";")css+=";";var cssLength=css.length;var isParenthesisOpen=false;var lastPos=0;var i=0;var retCSS="";function addNewAttr(){if(!isParenthesisOpen){var source=_.trim(css.slice(lastPos,i));var j=source.indexOf(":");if(j!==-1){var name=_.trim(source.slice(0,j));var value=_.trim(source.slice(j+1));if(name){var ret=onAttr(lastPos,retCSS.length,name,value,source);if(ret)retCSS+=ret+"; "}}}lastPos=i+1}for(;i<cssLength;i++){var c=css[i];if(c==="/"&&css[i+1]==="*"){var j=css.indexOf("*/",i+2);if(j===-1)break;i=j+1;lastPos=i+1;isParenthesisOpen=false}else if(c==="("){isParenthesisOpen=true}else if(c===")"){isParenthesisOpen=false}else if(c===";"){if(isParenthesisOpen){}else{addNewAttr()}}else if(c==="\n"){addNewAttr()}}return _.trim(retCSS)}module.exports=parseStyle},{"./util":10}],10:[function(require,module,exports){module.exports={indexOf:function(arr,item){var i,j;if(Array.prototype.indexOf){return arr.indexOf(item)}for(i=0,j=arr.length;i<j;i++){if(arr[i]===item){return i}}return-1},forEach:function(arr,fn,scope){var i,j;if(Array.prototype.forEach){return arr.forEach(fn,scope)}for(i=0,j=arr.length;i<j;i++){fn.call(scope,arr[i],i,arr)}},trim:function(str){if(String.prototype.trim){return str.trim()}return str.replace(/(^\s*)|(\s*$)/g,"")},trimRight:function(str){if(String.prototype.trimRight){return str.trimRight()}return str.replace(/(\s*$)/g,"")}}},{}]},{},[2]);


--------------------------------------------------------------------------------
/example/allows_attr_prefix.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * 应用实例：允许标签以data-开头的属性
 3 |  *
 4 |  * @author Zongmin Lei<leizongmin@gmail.com>
 5 |  */
 6 | 
 7 | var xss = require('../');
 8 | 
 9 | var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>';
10 | var html = xss(source, {
11 |   onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
12 |     if (name.substr(0, 5) === 'data-') {
13 |       // 通过内置的escapeAttrValue函数来对属性值进行转义
14 |       return name + '="' + xss.escapeAttrValue(value) + '"';
15 |     }
16 |   }
17 | });
18 | 
19 | console.log('%s\nconvert to:\n%s', source, html);
20 | 
21 | /*
22 | 运行结果：
23 | <div a="1" b="2" data-a="3" data-b="4">hello</div>
24 | convert to:
25 | <div data-a="3" data-b="4">hello</div>
26 | */


--------------------------------------------------------------------------------
/example/allows_tag_prefix.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * 应用实例：允许名称以x-开头的标签
 3 |  *
 4 |  * @author Zongmin Lei<leizongmin@gmail.com>
 5 |  */
 6 | 
 7 | var xss = require('../');
 8 | 
 9 | var source = '<x><x-1>he<x-2 checked></x-2>wwww</x-1><a>';
10 | var html = xss(source, {
11 |   onIgnoreTag: function (tag, html, options) {
12 |     if (tag.substr(0, 2) === 'x-') {
13 |       // 不对其属性列表进行过滤
14 |       return html;
15 |     }
16 |   }
17 | });
18 | 
19 | console.log('%s\nconvert to:\n%s', source, html);
20 | 
21 | /*
22 | 运行结果：
23 | <x><x-1>he<x-2 checked></x-2>wwww</x-1><a>
24 | convert to:
25 | &lt;x&gt;<x-1>he<x-2 checked></x-2>wwww</x-1><a>
26 | */


--------------------------------------------------------------------------------
/example/analyse_img_list.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * 应用实例：分析HTML代码中的图片列表
 3 |  *
 4 |  * @author Zongmin Lei<leizongmin@gmail.com>
 5 |  */
 6 | 
 7 | var xss = require('../');
 8 | 
 9 | var source = '<img src="img1">a<img src="img2">b<img src="img3">c<img src="img4">d';
10 | var list = [];
11 | var html = xss(source, {
12 |   onTagAttr: function (tag, name, value, isWhiteAttr) {
13 |     if (tag === 'img' && name === 'src') {
14 |       // 使用内置的friendlyAttrValue函数来对属性值进行转义，可将&lt;这类的实体标记转换成打印字符<
15 |       list.push(xss.friendlyAttrValue(value));
16 |     }
17 |     // 不返回任何值，表示还是按照默认的方法处理
18 |   }
19 | });
20 | 
21 | console.log('image list:\n%s', list.join(', '));
22 | 
23 | /*
24 | 运行结果：
25 | image list:
26 | img1, img2, img3, img4
27 | */


--------------------------------------------------------------------------------
/example/strip_tag.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * 应用实例：去除HTML标签（只保留文本内容）
 3 |  *
 4 |  * @author Zongmin Lei<leizongmin@gmail.com>
 5 |  */
 6 | 
 7 | var xss = require('../');
 8 | 
 9 | var source = '<strong>hello</strong><script>alert(/xss/);</script>end';
10 | var html = xss(source, {
11 |   whiteList:          {},        // 白名单为空，表示过滤所有标签
12 |   stripIgnoreTag:     true,      // 过滤所有非白名单标签的HTML
13 |   stripIgnoreTagBody: ['script'] // script标签较特殊，需要过滤标签中间的内容
14 | });
15 | 
16 | console.log('text: %s', html);
17 | 
18 | /*
19 | 运行结果：
20 | text: helloend
21 | */


--------------------------------------------------------------------------------
/example/web.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | 
 4 | <head>
 5 |   <meta charset="UTF-8">
 6 |   <meta name="viewport" content="width=device-width, initial-scale=1.0">
 7 |   <meta http-equiv="X-UA-Compatible" content="ie=edge">
 8 |   <title>Test xss.js</title>
 9 | </head>
10 | 
11 | <body>
12 | 
13 | </body>
14 | <script src="../dist//xss.js"></script>
15 | <script>
16 |   document.querySelector('body').innerText = filterXSS('<a href="#" onclick="alert(/xss/)">click me</a>');
17 | </script>
18 | 
19 | </html>


--------------------------------------------------------------------------------
/example/webworker.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | 
 4 | <head>
 5 |   <meta charset="UTF-8">
 6 |   <meta name="viewport" content="width=device-width, initial-scale=1.0">
 7 |   <meta http-equiv="X-UA-Compatible" content="ie=edge">
 8 |   <title>Test xss.js</title>
 9 | </head>
10 | 
11 | <body>
12 | 
13 | </body>
14 | <script>
15 |   if (window.Worker) {
16 |     var myWorker = new Worker('worker.js');
17 |     myWorker.onmessage = function (e) {
18 |       document.querySelector('body').innerText = e.data;
19 |     };
20 |   } else {
21 |     alert('Your browser does not support Worker');
22 |   }
23 | </script>
24 | 
25 | </html>


--------------------------------------------------------------------------------
/example/worker.js:
--------------------------------------------------------------------------------
1 | importScripts("../dist/xss.js");
2 | 
3 | postMessage(filterXSS('<a href="#" onclick="alert(/xss/)">click me</a>'));
4 | 


--------------------------------------------------------------------------------
/lib/cli.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * command line tool
 3 |  *
 4 |  * @author Zongmin Lei<leizongmin@gmail.com>
 5 |  */
 6 | 
 7 | var xss = require("./");
 8 | var readline = require("readline");
 9 | 
10 | var rl = readline.createInterface({
11 |   input: process.stdin,
12 |   output: process.stdout,
13 | });
14 | 
15 | console.log('Enter a blank line to do xss(), enter "@quit" to exit.\n');
16 | 
17 | function take(c, n) {
18 |   var ret = "";
19 |   for (var i = 0; i < n; i++) {
20 |     ret += c;
21 |   }
22 |   return ret;
23 | }
24 | 
25 | function setPrompt(line) {
26 |   line = line.toString();
27 |   rl.setPrompt("[" + line + "]" + take(" ", 5 - line.length));
28 |   rl.prompt();
29 | }
30 | 
31 | setPrompt(1);
32 | 
33 | var html = [];
34 | rl.on("line", function (line) {
35 |   if (line === "@quit") return process.exit();
36 |   if (line === "") {
37 |     console.log("");
38 |     console.log(xss(html.join("\r\n")));
39 |     console.log("");
40 |     html = [];
41 |   } else {
42 |     html.push(line);
43 |   }
44 |   setPrompt(html.length + 1);
45 | });
46 | 


--------------------------------------------------------------------------------
/lib/default.js:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * default settings
  3 |  *
  4 |  * @author Zongmin Lei<leizongmin@gmail.com>
  5 |  */
  6 | 
  7 | var FilterCSS = require("cssfilter").FilterCSS;
  8 | var getDefaultCSSWhiteList = require("cssfilter").getDefaultWhiteList;
  9 | var _ = require("./util");
 10 | 
 11 | function getDefaultWhiteList() {
 12 |   return {
 13 |     a: ["target", "href", "title"],
 14 |     abbr: ["title"],
 15 |     address: [],
 16 |     area: ["shape", "coords", "href", "alt"],
 17 |     article: [],
 18 |     aside: [],
 19 |     audio: [
 20 |       "autoplay",
 21 |       "controls",
 22 |       "crossorigin",
 23 |       "loop",
 24 |       "muted",
 25 |       "preload",
 26 |       "src",
 27 |     ],
 28 |     b: [],
 29 |     bdi: ["dir"],
 30 |     bdo: ["dir"],
 31 |     big: [],
 32 |     blockquote: ["cite"],
 33 |     br: [],
 34 |     caption: [],
 35 |     center: [],
 36 |     cite: [],
 37 |     code: [],
 38 |     col: ["align", "valign", "span", "width"],
 39 |     colgroup: ["align", "valign", "span", "width"],
 40 |     dd: [],
 41 |     del: ["datetime"],
 42 |     details: ["open"],
 43 |     div: [],
 44 |     dl: [],
 45 |     dt: [],
 46 |     em: [],
 47 |     figcaption: [],
 48 |     figure: [],
 49 |     font: ["color", "size", "face"],
 50 |     footer: [],
 51 |     h1: [],
 52 |     h2: [],
 53 |     h3: [],
 54 |     h4: [],
 55 |     h5: [],
 56 |     h6: [],
 57 |     header: [],
 58 |     hr: [],
 59 |     i: [],
 60 |     img: ["src", "alt", "title", "width", "height", "loading"],
 61 |     ins: ["datetime"],
 62 |     kbd: [],
 63 |     li: [],
 64 |     mark: [],
 65 |     nav: [],
 66 |     ol: [],
 67 |     p: [],
 68 |     pre: [],
 69 |     s: [],
 70 |     section: [],
 71 |     small: [],
 72 |     span: [],
 73 |     sub: [],
 74 |     summary: [],
 75 |     sup: [],
 76 |     strong: [],
 77 |     strike: [],
 78 |     table: ["width", "border", "align", "valign"],
 79 |     tbody: ["align", "valign"],
 80 |     td: ["width", "rowspan", "colspan", "align", "valign"],
 81 |     tfoot: ["align", "valign"],
 82 |     th: ["width", "rowspan", "colspan", "align", "valign"],
 83 |     thead: ["align", "valign"],
 84 |     tr: ["rowspan", "align", "valign"],
 85 |     tt: [],
 86 |     u: [],
 87 |     ul: [],
 88 |     video: [
 89 |       "autoplay",
 90 |       "controls",
 91 |       "crossorigin",
 92 |       "loop",
 93 |       "muted",
 94 |       "playsinline",
 95 |       "poster",
 96 |       "preload",
 97 |       "src",
 98 |       "height",
 99 |       "width",
100 |     ],
101 |   };
102 | }
103 | 
104 | var defaultCSSFilter = new FilterCSS();
105 | 
106 | /**
107 |  * default onTag function
108 |  *
109 |  * @param {String} tag
110 |  * @param {String} html
111 |  * @param {Object} options
112 |  * @return {String}
113 |  */
114 | function onTag(tag, html, options) {
115 |   // do nothing
116 | }
117 | 
118 | /**
119 |  * default onIgnoreTag function
120 |  *
121 |  * @param {String} tag
122 |  * @param {String} html
123 |  * @param {Object} options
124 |  * @return {String}
125 |  */
126 | function onIgnoreTag(tag, html, options) {
127 |   // do nothing
128 | }
129 | 
130 | /**
131 |  * default onTagAttr function
132 |  *
133 |  * @param {String} tag
134 |  * @param {String} name
135 |  * @param {String} value
136 |  * @return {String}
137 |  */
138 | function onTagAttr(tag, name, value) {
139 |   // do nothing
140 | }
141 | 
142 | /**
143 |  * default onIgnoreTagAttr function
144 |  *
145 |  * @param {String} tag
146 |  * @param {String} name
147 |  * @param {String} value
148 |  * @return {String}
149 |  */
150 | function onIgnoreTagAttr(tag, name, value) {
151 |   // do nothing
152 | }
153 | 
154 | /**
155 |  * default escapeHtml function
156 |  *
157 |  * @param {String} html
158 |  */
159 | function escapeHtml(html) {
160 |   return html.replace(REGEXP_LT, "&lt;").replace(REGEXP_GT, "&gt;");
161 | }
162 | 
163 | /**
164 |  * default safeAttrValue function
165 |  *
166 |  * @param {String} tag
167 |  * @param {String} name
168 |  * @param {String} value
169 |  * @param {Object} cssFilter
170 |  * @return {String}
171 |  */
172 | function safeAttrValue(tag, name, value, cssFilter) {
173 |   // unescape attribute value firstly
174 |   value = friendlyAttrValue(value);
175 | 
176 |   if (name === "href" || name === "src") {
177 |     // filter `href` and `src` attribute
178 |     // only allow the value that starts with `http://` | `https://` | `mailto:` | `/` | `#`
179 |     value = _.trim(value);
180 |     if (value === "#") return "#";
181 |     if (
182 |       !(
183 |         value.substr(0, 7) === "http://" ||
184 |         value.substr(0, 8) === "https://" ||
185 |         value.substr(0, 7) === "mailto:" ||
186 |         value.substr(0, 4) === "tel:" ||
187 |         value.substr(0, 11) === "data:image/" ||
188 |         value.substr(0, 6) === "ftp://" ||
189 |         value.substr(0, 2) === "./" ||
190 |         value.substr(0, 3) === "../" ||
191 |         value[0] === "#" ||
192 |         value[0] === "/"
193 |       )
194 |     ) {
195 |       return "";
196 |     }
197 |   } else if (name === "background") {
198 |     // filter `background` attribute (maybe no use)
199 |     // `javascript:`
200 |     REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
201 |     if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
202 |       return "";
203 |     }
204 |   } else if (name === "style") {
205 |     // `expression()`
206 |     REGEXP_DEFAULT_ON_TAG_ATTR_7.lastIndex = 0;
207 |     if (REGEXP_DEFAULT_ON_TAG_ATTR_7.test(value)) {
208 |       return "";
209 |     }
210 |     // `url()`
211 |     REGEXP_DEFAULT_ON_TAG_ATTR_8.lastIndex = 0;
212 |     if (REGEXP_DEFAULT_ON_TAG_ATTR_8.test(value)) {
213 |       REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
214 |       if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
215 |         return "";
216 |       }
217 |     }
218 |     if (cssFilter !== false) {
219 |       cssFilter = cssFilter || defaultCSSFilter;
220 |       value = cssFilter.process(value);
221 |     }
222 |   }
223 | 
224 |   // escape `<>"` before returns
225 |   value = escapeAttrValue(value);
226 |   return value;
227 | }
228 | 
229 | // RegExp list
230 | var REGEXP_LT = /</g;
231 | var REGEXP_GT = />/g;
232 | var REGEXP_QUOTE = /"/g;
233 | var REGEXP_QUOTE_2 = /&quot;/g;
234 | var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim;
235 | var REGEXP_ATTR_VALUE_COLON = /&colon;?/gim;
236 | var REGEXP_ATTR_VALUE_NEWLINE = /&newline;?/gim;
237 | // var REGEXP_DEFAULT_ON_TAG_ATTR_3 = /\/\*|\*\//gm;
238 | var REGEXP_DEFAULT_ON_TAG_ATTR_4 =
239 |   /((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/gi;
240 | // var REGEXP_DEFAULT_ON_TAG_ATTR_5 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:/gi;
241 | // var REGEXP_DEFAULT_ON_TAG_ATTR_6 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:\s*image\//gi;
242 | var REGEXP_DEFAULT_ON_TAG_ATTR_7 =
243 |   /e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*\(.*/gi;
244 | var REGEXP_DEFAULT_ON_TAG_ATTR_8 = /u\s*r\s*l\s*\(.*/gi;
245 | 
246 | /**
247 |  * escape double quote
248 |  *
249 |  * @param {String} str
250 |  * @return {String} str
251 |  */
252 | function escapeQuote(str) {
253 |   return str.replace(REGEXP_QUOTE, "&quot;");
254 | }
255 | 
256 | /**
257 |  * unescape double quote
258 |  *
259 |  * @param {String} str
260 |  * @return {String} str
261 |  */
262 | function unescapeQuote(str) {
263 |   return str.replace(REGEXP_QUOTE_2, '"');
264 | }
265 | 
266 | /**
267 |  * escape html entities
268 |  *
269 |  * @param {String} str
270 |  * @return {String}
271 |  */
272 | function escapeHtmlEntities(str) {
273 |   return str.replace(REGEXP_ATTR_VALUE_1, function replaceUnicode(str, code) {
274 |     return code[0] === "x" || code[0] === "X"
275 |       ? String.fromCharCode(parseInt(code.substr(1), 16))
276 |       : String.fromCharCode(parseInt(code, 10));
277 |   });
278 | }
279 | 
280 | /**
281 |  * escape html5 new danger entities
282 |  *
283 |  * @param {String} str
284 |  * @return {String}
285 |  */
286 | function escapeDangerHtml5Entities(str) {
287 |   return str
288 |     .replace(REGEXP_ATTR_VALUE_COLON, ":")
289 |     .replace(REGEXP_ATTR_VALUE_NEWLINE, " ");
290 | }
291 | 
292 | /**
293 |  * clear nonprintable characters
294 |  *
295 |  * @param {String} str
296 |  * @return {String}
297 |  */
298 | function clearNonPrintableCharacter(str) {
299 |   var str2 = "";
300 |   for (var i = 0, len = str.length; i < len; i++) {
301 |     str2 += str.charCodeAt(i) < 32 ? " " : str.charAt(i);
302 |   }
303 |   return _.trim(str2);
304 | }
305 | 
306 | /**
307 |  * get friendly attribute value
308 |  *
309 |  * @param {String} str
310 |  * @return {String}
311 |  */
312 | function friendlyAttrValue(str) {
313 |   str = unescapeQuote(str);
314 |   str = escapeHtmlEntities(str);
315 |   str = escapeDangerHtml5Entities(str);
316 |   str = clearNonPrintableCharacter(str);
317 |   return str;
318 | }
319 | 
320 | /**
321 |  * unescape attribute value
322 |  *
323 |  * @param {String} str
324 |  * @return {String}
325 |  */
326 | function escapeAttrValue(str) {
327 |   str = escapeQuote(str);
328 |   str = escapeHtml(str);
329 |   return str;
330 | }
331 | 
332 | /**
333 |  * `onIgnoreTag` function for removing all the tags that are not in whitelist
334 |  */
335 | function onIgnoreTagStripAll() {
336 |   return "";
337 | }
338 | 
339 | /**
340 |  * remove tag body
341 |  * specify a `tags` list, if the tag is not in the `tags` list then process by the specify function (optional)
342 |  *
343 |  * @param {array} tags
344 |  * @param {function} next
345 |  */
346 | function StripTagBody(tags, next) {
347 |   if (typeof next !== "function") {
348 |     next = function () {};
349 |   }
350 | 
351 |   var isRemoveAllTag = !Array.isArray(tags);
352 |   function isRemoveTag(tag) {
353 |     if (isRemoveAllTag) return true;
354 |     return _.indexOf(tags, tag) !== -1;
355 |   }
356 | 
357 |   var removeList = [];
358 |   var posStart = false;
359 | 
360 |   return {
361 |     onIgnoreTag: function (tag, html, options) {
362 |       if (isRemoveTag(tag)) {
363 |         if (options.isClosing) {
364 |           var ret = "[/removed]";
365 |           var end = options.position + ret.length;
366 |           removeList.push([
367 |             posStart !== false ? posStart : options.position,
368 |             end,
369 |           ]);
370 |           posStart = false;
371 |           return ret;
372 |         } else {
373 |           if (!posStart) {
374 |             posStart = options.position;
375 |           }
376 |           return "[removed]";
377 |         }
378 |       } else {
379 |         return next(tag, html, options);
380 |       }
381 |     },
382 |     remove: function (html) {
383 |       var rethtml = "";
384 |       var lastPos = 0;
385 |       _.forEach(removeList, function (pos) {
386 |         rethtml += html.slice(lastPos, pos[0]);
387 |         lastPos = pos[1];
388 |       });
389 |       rethtml += html.slice(lastPos);
390 |       return rethtml;
391 |     },
392 |   };
393 | }
394 | 
395 | /**
396 |  * remove html comments
397 |  *
398 |  * @param {String} html
399 |  * @return {String}
400 |  */
401 | function stripCommentTag(html) {
402 |   var retHtml = "";
403 |   var lastPos = 0;
404 |   while (lastPos < html.length) {
405 |     var i = html.indexOf("<!--", lastPos);
406 |     if (i === -1) {
407 |       retHtml += html.slice(lastPos);
408 |       break;
409 |     }
410 |     retHtml += html.slice(lastPos, i);
411 |     var j = html.indexOf("-->", i);
412 |     if (j === -1) {
413 |       break;
414 |     }
415 |     lastPos = j + 3;
416 |   }
417 |   return retHtml;
418 | }
419 | 
420 | /**
421 |  * remove invisible characters
422 |  *
423 |  * @param {String} html
424 |  * @return {String}
425 |  */
426 | function stripBlankChar(html) {
427 |   var chars = html.split("");
428 |   chars = chars.filter(function (char) {
429 |     var c = char.charCodeAt(0);
430 |     if (c === 127) return false;
431 |     if (c <= 31) {
432 |       if (c === 10 || c === 13) return true;
433 |       return false;
434 |     }
435 |     return true;
436 |   });
437 |   return chars.join("");
438 | }
439 | 
440 | exports.whiteList = getDefaultWhiteList();
441 | exports.getDefaultWhiteList = getDefaultWhiteList;
442 | exports.onTag = onTag;
443 | exports.onIgnoreTag = onIgnoreTag;
444 | exports.onTagAttr = onTagAttr;
445 | exports.onIgnoreTagAttr = onIgnoreTagAttr;
446 | exports.safeAttrValue = safeAttrValue;
447 | exports.escapeHtml = escapeHtml;
448 | exports.escapeQuote = escapeQuote;
449 | exports.unescapeQuote = unescapeQuote;
450 | exports.escapeHtmlEntities = escapeHtmlEntities;
451 | exports.escapeDangerHtml5Entities = escapeDangerHtml5Entities;
452 | exports.clearNonPrintableCharacter = clearNonPrintableCharacter;
453 | exports.friendlyAttrValue = friendlyAttrValue;
454 | exports.escapeAttrValue = escapeAttrValue;
455 | exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
456 | exports.StripTagBody = StripTagBody;
457 | exports.stripCommentTag = stripCommentTag;
458 | exports.stripBlankChar = stripBlankChar;
459 | exports.attributeWrapSign = '"';
460 | exports.cssFilter = defaultCSSFilter;
461 | exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;
462 | 


--------------------------------------------------------------------------------
/lib/index.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * xss
 3 |  *
 4 |  * @author Zongmin Lei<leizongmin@gmail.com>
 5 |  */
 6 | 
 7 | var DEFAULT = require("./default");
 8 | var parser = require("./parser");
 9 | var FilterXSS = require("./xss");
10 | 
11 | /**
12 |  * filter xss function
13 |  *
14 |  * @param {String} html
15 |  * @param {Object} options { whiteList, onTag, onTagAttr, onIgnoreTag, onIgnoreTagAttr, safeAttrValue, escapeHtml }
16 |  * @return {String}
17 |  */
18 | function filterXSS(html, options) {
19 |   var xss = new FilterXSS(options);
20 |   return xss.process(html);
21 | }
22 | 
23 | exports = module.exports = filterXSS;
24 | exports.filterXSS = filterXSS;
25 | exports.FilterXSS = FilterXSS;
26 | 
27 | (function () {
28 |   for (var i in DEFAULT) {
29 |     exports[i] = DEFAULT[i];
30 |   }
31 |   for (var j in parser) {
32 |     exports[j] = parser[j];
33 |   }
34 | })();
35 | 
36 | // using `xss` on the browser, output `filterXSS` to the globals
37 | if (typeof window !== "undefined") {
38 |   window.filterXSS = module.exports;
39 | }
40 | 
41 | // using `xss` on the WebWorker, output `filterXSS` to the globals
42 | function isWorkerEnv() {
43 |   return (
44 |     typeof self !== "undefined" &&
45 |     typeof DedicatedWorkerGlobalScope !== "undefined" &&
46 |     self instanceof DedicatedWorkerGlobalScope
47 |   );
48 | }
49 | if (isWorkerEnv()) {
50 |   self.filterXSS = module.exports;
51 | }
52 | 


--------------------------------------------------------------------------------
/lib/parser.js:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * Simple HTML Parser
  3 |  *
  4 |  * @author Zongmin Lei<leizongmin@gmail.com>
  5 |  */
  6 | 
  7 | var _ = require("./util");
  8 | 
  9 | /**
 10 |  * get tag name
 11 |  *
 12 |  * @param {String} html e.g. '<a hef="#">'
 13 |  * @return {String}
 14 |  */
 15 | function getTagName(html) {
 16 |   var i = _.spaceIndex(html);
 17 |   var tagName;
 18 |   if (i === -1) {
 19 |     tagName = html.slice(1, -1);
 20 |   } else {
 21 |     tagName = html.slice(1, i + 1);
 22 |   }
 23 |   tagName = _.trim(tagName).toLowerCase();
 24 |   if (tagName.slice(0, 1) === "/") tagName = tagName.slice(1);
 25 |   if (tagName.slice(-1) === "/") tagName = tagName.slice(0, -1);
 26 |   return tagName;
 27 | }
 28 | 
 29 | /**
 30 |  * is close tag?
 31 |  *
 32 |  * @param {String} html 如：'<a hef="#">'
 33 |  * @return {Boolean}
 34 |  */
 35 | function isClosing(html) {
 36 |   return html.slice(0, 2) === "</";
 37 | }
 38 | 
 39 | /**
 40 |  * parse input html and returns processed html
 41 |  *
 42 |  * @param {String} html
 43 |  * @param {Function} onTag e.g. function (sourcePosition, position, tag, html, isClosing)
 44 |  * @param {Function} escapeHtml
 45 |  * @return {String}
 46 |  */
 47 | function parseTag(html, onTag, escapeHtml) {
 48 |   "use strict";
 49 | 
 50 |   var rethtml = "";
 51 |   var lastPos = 0;
 52 |   var tagStart = false;
 53 |   var quoteStart = false;
 54 |   var currentPos = 0;
 55 |   var len = html.length;
 56 |   var currentTagName = "";
 57 |   var currentHtml = "";
 58 | 
 59 |   chariterator: for (currentPos = 0; currentPos < len; currentPos++) {
 60 |     var c = html.charAt(currentPos);
 61 |     if (tagStart === false) {
 62 |       if (c === "<") {
 63 |         tagStart = currentPos;
 64 |         continue;
 65 |       }
 66 |     } else {
 67 |       if (quoteStart === false) {
 68 |         if (c === "<") {
 69 |           rethtml += escapeHtml(html.slice(lastPos, currentPos));
 70 |           tagStart = currentPos;
 71 |           lastPos = currentPos;
 72 |           continue;
 73 |         }
 74 |         if (c === ">" || currentPos === len - 1) {
 75 |           rethtml += escapeHtml(html.slice(lastPos, tagStart));
 76 |           currentHtml = html.slice(tagStart, currentPos + 1);
 77 |           currentTagName = getTagName(currentHtml);
 78 |           rethtml += onTag(
 79 |             tagStart,
 80 |             rethtml.length,
 81 |             currentTagName,
 82 |             currentHtml,
 83 |             isClosing(currentHtml)
 84 |           );
 85 |           lastPos = currentPos + 1;
 86 |           tagStart = false;
 87 |           continue;
 88 |         }
 89 |         if (c === '"' || c === "'") {
 90 |           var i = 1;
 91 |           var ic = html.charAt(currentPos - i);
 92 | 
 93 |           while (ic.trim() === "" || ic === "=") {
 94 |             if (ic === "=") {
 95 |               quoteStart = c;
 96 |               continue chariterator;
 97 |             }
 98 |             ic = html.charAt(currentPos - ++i);
 99 |           }
100 |         }
101 |       } else {
102 |         if (c === quoteStart) {
103 |           quoteStart = false;
104 |           continue;
105 |         }
106 |       }
107 |     }
108 |   }
109 |   if (lastPos < len) {
110 |     rethtml += escapeHtml(html.substr(lastPos));
111 |   }
112 | 
113 |   return rethtml;
114 | }
115 | 
116 | var REGEXP_ILLEGAL_ATTR_NAME = /[^a-zA-Z0-9\\_:.-]/gim;
117 | 
118 | /**
119 |  * parse input attributes and returns processed attributes
120 |  *
121 |  * @param {String} html e.g. `href="#" target="_blank"`
122 |  * @param {Function} onAttr e.g. `function (name, value)`
123 |  * @return {String}
124 |  */
125 | function parseAttr(html, onAttr) {
126 |   "use strict";
127 | 
128 |   var lastPos = 0;
129 |   var lastMarkPos = 0;
130 |   var retAttrs = [];
131 |   var tmpName = false;
132 |   var len = html.length;
133 | 
134 |   function addAttr(name, value) {
135 |     name = _.trim(name);
136 |     name = name.replace(REGEXP_ILLEGAL_ATTR_NAME, "").toLowerCase();
137 |     if (name.length < 1) return;
138 |     var ret = onAttr(name, value || "");
139 |     if (ret) retAttrs.push(ret);
140 |   }
141 | 
142 |   // 逐个分析字符
143 |   for (var i = 0; i < len; i++) {
144 |     var c = html.charAt(i);
145 |     var v, j;
146 |     if (tmpName === false && c === "=") {
147 |       tmpName = html.slice(lastPos, i);
148 |       lastPos = i + 1;
149 |       lastMarkPos = html.charAt(lastPos) === '"' || html.charAt(lastPos) === "'" ? lastPos : findNextQuotationMark(html, i + 1);
150 |       continue;
151 |     }
152 |     if (tmpName !== false) {
153 |       if (
154 |         i === lastMarkPos
155 |       ) {
156 |         j = html.indexOf(c, i + 1);
157 |         if (j === -1) {
158 |           break;
159 |         } else {
160 |           v = _.trim(html.slice(lastMarkPos + 1, j));
161 |           addAttr(tmpName, v);
162 |           tmpName = false;
163 |           i = j;
164 |           lastPos = i + 1;
165 |           continue;
166 |         }
167 |       }
168 |     }
169 |     if (/\s|\n|\t/.test(c)) {
170 |       html = html.replace(/\s|\n|\t/g, " ");
171 |       if (tmpName === false) {
172 |         j = findNextEqual(html, i);
173 |         if (j === -1) {
174 |           v = _.trim(html.slice(lastPos, i));
175 |           addAttr(v);
176 |           tmpName = false;
177 |           lastPos = i + 1;
178 |           continue;
179 |         } else {
180 |           i = j - 1;
181 |           continue;
182 |         }
183 |       } else {
184 |         j = findBeforeEqual(html, i - 1);
185 |         if (j === -1) {
186 |           v = _.trim(html.slice(lastPos, i));
187 |           v = stripQuoteWrap(v);
188 |           addAttr(tmpName, v);
189 |           tmpName = false;
190 |           lastPos = i + 1;
191 |           continue;
192 |         } else {
193 |           continue;
194 |         }
195 |       }
196 |     }
197 |   }
198 | 
199 |   if (lastPos < html.length) {
200 |     if (tmpName === false) {
201 |       addAttr(html.slice(lastPos));
202 |     } else {
203 |       addAttr(tmpName, stripQuoteWrap(_.trim(html.slice(lastPos))));
204 |     }
205 |   }
206 | 
207 |   return _.trim(retAttrs.join(" "));
208 | }
209 | 
210 | function findNextEqual(str, i) {
211 |   for (; i < str.length; i++) {
212 |     var c = str[i];
213 |     if (c === " ") continue;
214 |     if (c === "=") return i;
215 |     return -1;
216 |   }
217 | }
218 | 
219 | function findNextQuotationMark(str, i) {
220 |   for (; i < str.length; i++) {
221 |     var c = str[i];
222 |     if (c === " ") continue;
223 |     if (c === "'" || c === '"') return i;
224 |     return -1;
225 |   }
226 | }
227 | 
228 | function findBeforeEqual(str, i) {
229 |   for (; i > 0; i--) {
230 |     var c = str[i];
231 |     if (c === " ") continue;
232 |     if (c === "=") return i;
233 |     return -1;
234 |   }
235 | }
236 | 
237 | function isQuoteWrapString(text) {
238 |   if (
239 |     (text[0] === '"' && text[text.length - 1] === '"') ||
240 |     (text[0] === "'" && text[text.length - 1] === "'")
241 |   ) {
242 |     return true;
243 |   } else {
244 |     return false;
245 |   }
246 | }
247 | 
248 | function stripQuoteWrap(text) {
249 |   if (isQuoteWrapString(text)) {
250 |     return text.substr(1, text.length - 2);
251 |   } else {
252 |     return text;
253 |   }
254 | }
255 | 
256 | exports.parseTag = parseTag;
257 | exports.parseAttr = parseAttr;
258 | 


--------------------------------------------------------------------------------
/lib/util.js:
--------------------------------------------------------------------------------
 1 | module.exports = {
 2 |   indexOf: function (arr, item) {
 3 |     var i, j;
 4 |     if (Array.prototype.indexOf) {
 5 |       return arr.indexOf(item);
 6 |     }
 7 |     for (i = 0, j = arr.length; i < j; i++) {
 8 |       if (arr[i] === item) {
 9 |         return i;
10 |       }
11 |     }
12 |     return -1;
13 |   },
14 |   forEach: function (arr, fn, scope) {
15 |     var i, j;
16 |     if (Array.prototype.forEach) {
17 |       return arr.forEach(fn, scope);
18 |     }
19 |     for (i = 0, j = arr.length; i < j; i++) {
20 |       fn.call(scope, arr[i], i, arr);
21 |     }
22 |   },
23 |   trim: function (str) {
24 |     if (String.prototype.trim) {
25 |       return str.trim();
26 |     }
27 |     return str.replace(/(^\s*)|(\s*$)/g, "");
28 |   },
29 |   spaceIndex: function (str) {
30 |     var reg = /\s|\n|\t/;
31 |     var match = reg.exec(str);
32 |     return match ? match.index : -1;
33 |   },
34 | };
35 | 


--------------------------------------------------------------------------------
/lib/xss.js:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * filter xss
  3 |  *
  4 |  * @author Zongmin Lei<leizongmin@gmail.com>
  5 |  */
  6 | 
  7 | var FilterCSS = require("cssfilter").FilterCSS;
  8 | var DEFAULT = require("./default");
  9 | var parser = require("./parser");
 10 | var parseTag = parser.parseTag;
 11 | var parseAttr = parser.parseAttr;
 12 | var _ = require("./util");
 13 | 
 14 | /**
 15 |  * returns `true` if the input value is `undefined` or `null`
 16 |  *
 17 |  * @param {Object} obj
 18 |  * @return {Boolean}
 19 |  */
 20 | function isNull(obj) {
 21 |   return obj === undefined || obj === null;
 22 | }
 23 | 
 24 | /**
 25 |  * get attributes for a tag
 26 |  *
 27 |  * @param {String} html
 28 |  * @return {Object}
 29 |  *   - {String} html
 30 |  *   - {Boolean} closing
 31 |  */
 32 | function getAttrs(html) {
 33 |   var i = _.spaceIndex(html);
 34 |   if (i === -1) {
 35 |     return {
 36 |       html: "",
 37 |       closing: html[html.length - 2] === "/",
 38 |     };
 39 |   }
 40 |   html = _.trim(html.slice(i + 1, -1));
 41 |   var isClosing = html[html.length - 1] === "/";
 42 |   if (isClosing) html = _.trim(html.slice(0, -1));
 43 |   return {
 44 |     html: html,
 45 |     closing: isClosing,
 46 |   };
 47 | }
 48 | 
 49 | /**
 50 |  * shallow copy
 51 |  *
 52 |  * @param {Object} obj
 53 |  * @return {Object}
 54 |  */
 55 | function shallowCopyObject(obj) {
 56 |   var ret = {};
 57 |   for (var i in obj) {
 58 |     ret[i] = obj[i];
 59 |   }
 60 |   return ret;
 61 | }
 62 | 
 63 | function keysToLowerCase(obj) {
 64 |   var ret = {};
 65 |   for (var i in obj) {
 66 |     if (Array.isArray(obj[i])) {
 67 |       ret[i.toLowerCase()] = obj[i].map(function (item) {
 68 |         return item.toLowerCase();
 69 |       });
 70 |     } else {
 71 |       ret[i.toLowerCase()] = obj[i];
 72 |     }
 73 |   }
 74 |   return ret;
 75 | }
 76 | 
 77 | /**
 78 |  * FilterXSS class
 79 |  *
 80 |  * @param {Object} options
 81 |  *        whiteList (or allowList), onTag, onTagAttr, onIgnoreTag,
 82 |  *        onIgnoreTagAttr, safeAttrValue, escapeHtml
 83 |  *        stripIgnoreTagBody, allowCommentTag, stripBlankChar
 84 |  *        css{whiteList, onAttr, onIgnoreAttr} `css=false` means don't use `cssfilter`
 85 |  */
 86 | function FilterXSS(options) {
 87 |   options = shallowCopyObject(options || {});
 88 | 
 89 |   if (options.stripIgnoreTag) {
 90 |     if (options.onIgnoreTag) {
 91 |       console.error(
 92 |         'Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time'
 93 |       );
 94 |     }
 95 |     options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll;
 96 |   }
 97 |   if (options.whiteList || options.allowList) {
 98 |     options.whiteList = keysToLowerCase(options.whiteList || options.allowList);
 99 |   } else {
100 |     options.whiteList = DEFAULT.whiteList;
101 |   }
102 | 
103 |   this.attributeWrapSign = options.singleQuotedAttributeValue === true ? "'" : DEFAULT.attributeWrapSign;
104 | 
105 |   options.onTag = options.onTag || DEFAULT.onTag;
106 |   options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
107 |   options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
108 |   options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
109 |   options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
110 |   options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
111 |   this.options = options;
112 | 
113 |   if (options.css === false) {
114 |     this.cssFilter = false;
115 |   } else {
116 |     options.css = options.css || {};
117 |     this.cssFilter = new FilterCSS(options.css);
118 |   }
119 | }
120 | 
121 | /**
122 |  * start process and returns result
123 |  *
124 |  * @param {String} html
125 |  * @return {String}
126 |  */
127 | FilterXSS.prototype.process = function (html) {
128 |   // compatible with the input
129 |   html = html || "";
130 |   html = html.toString();
131 |   if (!html) return "";
132 | 
133 |   var me = this;
134 |   var options = me.options;
135 |   var whiteList = options.whiteList;
136 |   var onTag = options.onTag;
137 |   var onIgnoreTag = options.onIgnoreTag;
138 |   var onTagAttr = options.onTagAttr;
139 |   var onIgnoreTagAttr = options.onIgnoreTagAttr;
140 |   var safeAttrValue = options.safeAttrValue;
141 |   var escapeHtml = options.escapeHtml;
142 |   var attributeWrapSign = me.attributeWrapSign;
143 |   var cssFilter = me.cssFilter;
144 | 
145 |   // remove invisible characters
146 |   if (options.stripBlankChar) {
147 |     html = DEFAULT.stripBlankChar(html);
148 |   }
149 | 
150 |   // remove html comments
151 |   if (!options.allowCommentTag) {
152 |     html = DEFAULT.stripCommentTag(html);
153 |   }
154 | 
155 |   // if enable stripIgnoreTagBody
156 |   var stripIgnoreTagBody = false;
157 |   if (options.stripIgnoreTagBody) {
158 |     stripIgnoreTagBody = DEFAULT.StripTagBody(
159 |       options.stripIgnoreTagBody,
160 |       onIgnoreTag
161 |     );
162 |     onIgnoreTag = stripIgnoreTagBody.onIgnoreTag;
163 |   }
164 | 
165 |   var retHtml = parseTag(
166 |     html,
167 |     function (sourcePosition, position, tag, html, isClosing) {
168 |       var info = {
169 |         sourcePosition: sourcePosition,
170 |         position: position,
171 |         isClosing: isClosing,
172 |         isWhite: Object.prototype.hasOwnProperty.call(whiteList, tag),
173 |       };
174 | 
175 |       // call `onTag()`
176 |       var ret = onTag(tag, html, info);
177 |       if (!isNull(ret)) return ret;
178 | 
179 |       if (info.isWhite) {
180 |         if (info.isClosing) {
181 |           return "</" + tag + ">";
182 |         }
183 | 
184 |         var attrs = getAttrs(html);
185 |         var whiteAttrList = whiteList[tag];
186 |         var attrsHtml = parseAttr(attrs.html, function (name, value) {
187 |           // call `onTagAttr()`
188 |           var isWhiteAttr = _.indexOf(whiteAttrList, name) !== -1;
189 |           var ret = onTagAttr(tag, name, value, isWhiteAttr);
190 |           if (!isNull(ret)) return ret;
191 | 
192 |           if (isWhiteAttr) {
193 |             // call `safeAttrValue()`
194 |             value = safeAttrValue(tag, name, value, cssFilter);
195 |             if (value) {
196 |               return name + '=' + attributeWrapSign + value + attributeWrapSign;
197 |             } else {
198 |               return name;
199 |             }
200 |           } else {
201 |             // call `onIgnoreTagAttr()`
202 |             ret = onIgnoreTagAttr(tag, name, value, isWhiteAttr);
203 |             if (!isNull(ret)) return ret;
204 |             return;
205 |           }
206 |         });
207 | 
208 |         // build new tag html
209 |         html = "<" + tag;
210 |         if (attrsHtml) html += " " + attrsHtml;
211 |         if (attrs.closing) html += " /";
212 |         html += ">";
213 |         return html;
214 |       } else {
215 |         // call `onIgnoreTag()`
216 |         ret = onIgnoreTag(tag, html, info);
217 |         if (!isNull(ret)) return ret;
218 |         return escapeHtml(html);
219 |       }
220 |     },
221 |     escapeHtml
222 |   );
223 | 
224 |   // if enable stripIgnoreTagBody
225 |   if (stripIgnoreTagBody) {
226 |     retHtml = stripIgnoreTagBody.remove(retHtml);
227 |   }
228 | 
229 |   return retHtml;
230 | };
231 | 
232 | module.exports = FilterXSS;
233 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "xss",
 3 |   "main": "./lib/index.js",
 4 |   "typings": "./typings/xss.d.ts",
 5 |   "version": "1.0.15",
 6 |   "description": "Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist",
 7 |   "author": "Zongmin Lei <leizongmin@gmail.com> (http://ucdok.com)",
 8 |   "repository": {
 9 |     "type": "git",
10 |     "url": "git://github.com/leizongmin/js-xss.git"
11 |   },
12 |   "engines": {
13 |     "node": ">= 0.10.0"
14 |   },
15 |   "dependencies": {
16 |     "commander": "^2.20.3",
17 |     "cssfilter": "0.0.10"
18 |   },
19 |   "devDependencies": {
20 |     "browserify": "^17.0.0",
21 |     "coveralls": "^3.1.1",
22 |     "debug": "^4.3.4",
23 |     "eslint": "^8.16.0",
24 |     "mocha": "^8.4.0",
25 |     "nyc": "^15.1.0",
26 |     "uglify-js": "^3.15.5"
27 |   },
28 |   "files": [
29 |     "lib",
30 |     "bin/xss",
31 |     "dist",
32 |     "typings/*.d.ts"
33 |   ],
34 |   "bin": {
35 |     "xss": "./bin/xss"
36 |   },
37 |   "scripts": {
38 |     "lint": "eslint lib/**",
39 |     "test": "export DEBUG=xss:* && mocha -t 5000",
40 |     "test-cov": "nyc --reporter=lcov mocha --exit \"test/*.js\" && nyc report",
41 |     "coveralls": "cat ./coverage/lcov.info | ./node_modules/coveralls/bin/coveralls.js",
42 |     "build": "./bin/build",
43 |     "prepublish": "npm run test && npm run build"
44 |   },
45 |   "license": "MIT",
46 |   "bugs": {
47 |     "url": "https://github.com/leizongmin/js-xss/issues"
48 |   },
49 |   "homepage": "https://github.com/leizongmin/js-xss",
50 |   "keywords": [
51 |     "sanitization",
52 |     "xss",
53 |     "sanitize",
54 |     "sanitisation",
55 |     "input",
56 |     "security",
57 |     "escape",
58 |     "encode",
59 |     "filter",
60 |     "validator",
61 |     "html",
62 |     "injection",
63 |     "whitelist"
64 |   ]
65 | }
66 | 


--------------------------------------------------------------------------------
/test/test_custom_method.js:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * tests for custom method
  3 |  *
  4 |  * @author Zongmin Lei<leizongmin@gmail.com>
  5 |  */
  6 | 
  7 | var assert = require("assert");
  8 | var xss = require("../");
  9 | var debug = require("debug")("xss:test");
 10 | 
 11 | describe("test custom XSS method", function() {
 12 |   it("#onTag - match tag", function() {
 13 |     var source = 'dd<a href="#"><b><c>haha</c></b></a><br>ff';
 14 |     var i = 0;
 15 |     var html = xss(source, {
 16 |       onTag: function(tag, html, options) {
 17 |         debug(arguments);
 18 |         i++;
 19 |         if (i === 1) {
 20 |           assert.equal(tag, "a");
 21 |           assert.equal(html, '<a href="#">');
 22 |           assert.equal(options.isClosing, false);
 23 |           assert.equal(options.position, 2);
 24 |           assert.equal(options.sourcePosition, 2);
 25 |           assert.equal(options.isWhite, true);
 26 |         } else if (i === 2) {
 27 |           assert.equal(tag, "b");
 28 |           assert.equal(html, "<b>");
 29 |           assert.equal(options.isClosing, false);
 30 |           assert.equal(options.position, 14);
 31 |           assert.equal(options.sourcePosition, 14);
 32 |           assert.equal(options.isWhite, true);
 33 |         } else if (i === 3) {
 34 |           assert.equal(tag, "c");
 35 |           assert.equal(html, "<c>");
 36 |           assert.equal(options.isClosing, false);
 37 |           assert.equal(options.position, 17);
 38 |           assert.equal(options.sourcePosition, 17);
 39 |           assert.equal(options.isWhite, false);
 40 |         } else if (i === 4) {
 41 |           assert.equal(tag, "c");
 42 |           assert.equal(html, "</c>");
 43 |           assert.equal(options.isClosing, true);
 44 |           assert.equal(options.position, 30);
 45 |           assert.equal(options.sourcePosition, 24);
 46 |           assert.equal(options.isWhite, false);
 47 |         } else if (i === 5) {
 48 |           assert.equal(tag, "b");
 49 |           assert.equal(html, "</b>");
 50 |           assert.equal(options.isClosing, true);
 51 |           assert.equal(options.position, 40);
 52 |           assert.equal(options.sourcePosition, 28);
 53 |           assert.equal(options.isWhite, true);
 54 |         } else if (i === 6) {
 55 |           assert.equal(tag, "a");
 56 |           assert.equal(html, "</a>");
 57 |           assert.equal(options.isClosing, true);
 58 |           assert.equal(options.position, 44);
 59 |           assert.equal(options.sourcePosition, 32);
 60 |           assert.equal(options.isWhite, true);
 61 |         } else if (i === 7) {
 62 |           assert.equal(tag, "br");
 63 |           assert.equal(html, "<br>");
 64 |           assert.equal(options.isClosing, false);
 65 |           assert.equal(options.position, 48);
 66 |           assert.equal(options.sourcePosition, 36);
 67 |           assert.equal(options.isWhite, true);
 68 |         } else {
 69 |           throw new Error();
 70 |         }
 71 |       }
 72 |     });
 73 |     debug(html);
 74 |     assert.equal(
 75 |       html,
 76 |       'dd<a href="#"><b>&lt;c&gt;haha&lt;/c&gt;</b></a><br>ff'
 77 |     );
 78 |   });
 79 | 
 80 |   it("#onTag - return new html", function() {
 81 |     var source = 'dd<a href="#"><b><c>haha</c></b></a><br>ff';
 82 |     var i = 0;
 83 |     var html = xss(source, {
 84 |       onTag: function(tag, html, options) {
 85 |         debug(html);
 86 |         return html;
 87 |       }
 88 |     });
 89 |     debug(html);
 90 |     assert.equal(html, source);
 91 |   });
 92 | 
 93 |   it("#onIgnoreTag - match tag", function() {
 94 |     var source = 'dd<a href="#"><b><c>haha</c></b></a><br>ff';
 95 |     var i = 0;
 96 |     var html = xss(source, {
 97 |       onIgnoreTag: function(tag, html, options) {
 98 |         debug(arguments);
 99 |         i++;
100 |         if (i === 1) {
101 |           assert.equal(tag, "c");
102 |           assert.equal(html, "<c>");
103 |           assert.equal(options.isClosing, false);
104 |           assert.equal(options.position, 17);
105 |           assert.equal(options.sourcePosition, 17);
106 |           assert.equal(options.isWhite, false);
107 |         } else if (i === 2) {
108 |           assert.equal(tag, "c");
109 |           assert.equal(html, "</c>");
110 |           assert.equal(options.isClosing, true);
111 |           assert.equal(options.position, 30);
112 |           assert.equal(options.sourcePosition, 24);
113 |           assert.equal(options.isWhite, false);
114 |         } else {
115 |           throw new Error();
116 |         }
117 |       }
118 |     });
119 |     debug(html);
120 |     assert.equal(
121 |       html,
122 |       'dd<a href="#"><b>&lt;c&gt;haha&lt;/c&gt;</b></a><br>ff'
123 |     );
124 |   });
125 | 
126 |   it("#onIgnoreTag - return new html", function() {
127 |     var source = 'dd<a href="#"><b><c>haha</c></b></a><br>ff';
128 |     var i = 0;
129 |     var html = xss(source, {
130 |       onIgnoreTag: function(tag, html, options) {
131 |         debug(html);
132 |         return "[" + (options.isClosing ? "/" : "") + "removed]";
133 |       }
134 |     });
135 |     debug(html);
136 |     assert.equal(
137 |       html,
138 |       'dd<a href="#"><b>[removed]haha[/removed]</b></a><br>ff'
139 |     );
140 |   });
141 | 
142 |   it("#onTagAttr - match attr", function() {
143 |     var source =
144 |       '<a href="#" target="_blank" checked data-a="b">hi</a href="d">';
145 |     var i = 0;
146 |     var html = xss(source, {
147 |       onTagAttr: function(tag, name, value, isWhiteAttr) {
148 |         debug(arguments);
149 |         assert.equal(tag, "a");
150 |         i++;
151 |         if (i === 1) {
152 |           assert.equal(name, "href");
153 |           assert.equal(value, "#");
154 |           assert.equal(isWhiteAttr, true);
155 |         } else if (i === 2) {
156 |           assert.equal(name, "target");
157 |           assert.equal(value, "_blank");
158 |           assert.equal(isWhiteAttr, true);
159 |         } else if (i === 3) {
160 |           assert.equal(name, "checked");
161 |           assert.equal(value, "");
162 |           assert.equal(isWhiteAttr, false);
163 |         } else if (i === 4) {
164 |           assert.equal(name, "data-a");
165 |           assert.equal(value, "b");
166 |           assert.equal(isWhiteAttr, false);
167 |         } else {
168 |           throw new Error();
169 |         }
170 |       }
171 |     });
172 |     debug(html);
173 |     assert.equal(html, '<a href="#" target="_blank">hi</a>');
174 |   });
175 | 
176 |   it("#onTagAttr - match attr", function() {
177 |     var source =
178 |       '<a href="#" target="_blank" checked data-a="b">hi</a href="d">';
179 |     var i = 0;
180 |     var html = xss(source, {
181 |       onTagAttr: function(tag, name, value, isWhiteAttr) {
182 |         debug(arguments);
183 |         return "$" + name + "$";
184 |       }
185 |     });
186 |     debug(html);
187 |     assert.equal(html, "<a $href$ $target$ $checked$ $data-a$>hi</a>");
188 |   });
189 | 
190 |   it("#onIgnoreTagAttr - match attr", function() {
191 |     var source =
192 |       '<a href="#" target="_blank" checked data-a="b">hi</a href="d">';
193 |     var i = 0;
194 |     var html = xss(source, {
195 |       onIgnoreTagAttr: function(tag, name, value, isWhiteAttr) {
196 |         debug(arguments);
197 |         assert.equal(tag, "a");
198 |         i++;
199 |         if (i === 1) {
200 |           assert.equal(name, "checked");
201 |           assert.equal(value, "");
202 |           assert.equal(isWhiteAttr, false);
203 |         } else if (i === 2) {
204 |           assert.equal(name, "data-a");
205 |           assert.equal(value, "b");
206 |           assert.equal(isWhiteAttr, false);
207 |         } else {
208 |           throw new Error();
209 |         }
210 |       }
211 |     });
212 |     debug(html);
213 |     assert.equal(html, '<a href="#" target="_blank">hi</a>');
214 |   });
215 | 
216 |   it("#onIgnoreTagAttr - match attr", function() {
217 |     var source =
218 |       '<a href="#" target="_blank" checked data-a="b">hi</a href="d">';
219 |     var i = 0;
220 |     var html = xss(source, {
221 |       onIgnoreTagAttr: function(tag, name, value, isWhiteAttr) {
222 |         debug(arguments);
223 |         return "$" + name + "$";
224 |       }
225 |     });
226 |     debug(html);
227 |     assert.equal(html, '<a href="#" target="_blank" $checked$ $data-a$>hi</a>');
228 |   });
229 | 
230 |   it("#escapeHtml - default", function() {
231 |     var source = "<x>yy</x><a>bb</a>";
232 |     var html = xss(source);
233 |     debug(html);
234 |     assert.equal(html, "&lt;x&gt;yy&lt;/x&gt;<a>bb</a>");
235 |   });
236 | 
237 |   it("#escapeHtml - return new value", function() {
238 |     var source = "<x>yy</x><a>bb</a>";
239 |     var html = xss(source, {
240 |       escapeHtml: function(str) {
241 |         return str ? "[" + str + "]" : str;
242 |       }
243 |     });
244 |     debug(html);
245 |     assert.equal(html, "[<x>][yy][</x>]<a>[bb]</a>");
246 |   });
247 | 
248 |   it("#safeAttrValue - default", function() {
249 |     var source = '<a href="javascript:alert(/xss/)" title="hi">link</a>';
250 |     var html = xss(source);
251 |     debug(html);
252 |     assert.equal(html, '<a href title="hi">link</a>');
253 |   });
254 | 
255 |   it("#safeAttrValue - return new value", function() {
256 |     var source = '<a href="javascript:alert(/xss/)" title="hi">link</a>';
257 |     var html = xss(source, {
258 |       safeAttrValue: function(tag, name, value) {
259 |         debug(arguments);
260 |         assert.equal(tag, "a");
261 |         return "$" + name + "$";
262 |       }
263 |     });
264 |     debug(html);
265 |     assert.equal(html, '<a href="$href$" title="$title$">link</a>');
266 |   });
267 | 
268 |   it("#stripIgnoreTag", function() {
269 |     var source = "<x>yy</x><a>bb</a>";
270 |     var html = xss(source, {
271 |       stripIgnoreTag: true
272 |     });
273 |     debug(html);
274 |     assert.equal(html, "yy<a>bb</a>");
275 |   });
276 | 
277 |   it("#stripTagBody - true", function() {
278 |     var source = "<a>link</a><x>haha</x><y>a<y></y>b</y>k";
279 |     var html = xss(source, {
280 |       stripIgnoreTagBody: true
281 |     });
282 |     debug(html);
283 |     assert.equal(html, "<a>link</a>bk");
284 |   });
285 | 
286 |   it("#stripIgnoreTagBody - *", function() {
287 |     var source = "<a>link</a><x>haha</x><y>a<y></y>b</y>k";
288 |     var html = xss(source, {
289 |       stripIgnoreTagBody: "*"
290 |     });
291 |     debug(html);
292 |     assert.equal(html, "<a>link</a>bk");
293 |   });
294 | 
295 |   it("#stripIgnoreTagBody - ['x']", function() {
296 |     var source = "<a>link</a><x>haha</x><y>a<y></y>b</y>k";
297 |     var html = xss(source, {
298 |       stripIgnoreTagBody: ["x"]
299 |     });
300 |     debug(html);
301 |     assert.equal(html, "<a>link</a>&lt;y&gt;a&lt;y&gt;&lt;/y&gt;b&lt;/y&gt;k");
302 |   });
303 | 
304 |   it("#stripIgnoreTagBody - ['x'] & onIgnoreTag", function() {
305 |     var source = "<a>link</a><x>haha</x><y>a<y></y>b</y>k";
306 |     var html = xss(source, {
307 |       stripIgnoreTagBody: ["x"],
308 |       onIgnoreTag: function(tag, html, options) {
309 |         return "$" + tag + "$";
310 |       }
311 |     });
312 |     debug(html);
313 |     assert.equal(html, "<a>link</a>$y$a$y$$y$b$y$k");
314 |   });
315 | 
316 |   it("#stripIgnoreTag & stripIgnoreTagBody", function() {
317 |     var source = "<scri" + "pt>alert(/xss/);</scri" + "pt>";
318 |     var html = xss(source, {
319 |       stripIgnoreTag: true,
320 |       stripIgnoreTagBody: ["script"]
321 |     });
322 |     debug(html);
323 |     assert.equal(html, "");
324 |   });
325 | 
326 |   it("#stripIgnoreTag & stripIgnoreTagBody - 2", function() {
327 |     var source = "ooxx<scri" + "pt>alert(/xss/);</scri" + "pt>";
328 |     var html = xss(source, {
329 |       stripIgnoreTag: true,
330 |       stripIgnoreTagBody: ["script"]
331 |     });
332 |     debug(html);
333 |     assert.equal(html, "ooxx");
334 |   });
335 | 
336 |   it("cssFilter", function() {
337 |     var whiteList = xss.getDefaultWhiteList();
338 |     whiteList.div.push("style");
339 |     assert.equal(
340 |       xss('<div style="width: 50%; vertical-align: top;">hello</div>', {
341 |         whiteList: whiteList
342 |       }),
343 |       '<div style="width:50%;">hello</div>'
344 |     );
345 |     assert.equal(
346 |       xss('<div style="width: 50%; vertical-align: top;">hello</div>', {
347 |         whiteList: whiteList,
348 |         css: false
349 |       }),
350 |       '<div style="width: 50%; vertical-align: top;">hello</div>'
351 |     );
352 |     var css = { whiteList: xss.getDefaultCSSWhiteList() };
353 |     css.whiteList["vertical-align"] = true;
354 |     assert.equal(
355 |       xss('<div style="width: 50%; vertical-align: top;">hello</div>', {
356 |         whiteList: whiteList,
357 |         css: css
358 |       }),
359 |       '<div style="width:50%; vertical-align:top;">hello</div>'
360 |     );
361 |   });
362 | 
363 |   it("#onTag - sanitize html parameter space", function() {
364 |     var source = '<a target= " href="><script>alert(2)</script>"><span>';
365 |     var i = 0;
366 |     var html = xss(source, {
367 |       onTag: function(_, E, S) {
368 |         if (S.isWhite && "a" === _) {
369 |           if (S.isClosing) return "</span></a>";
370 |           return "".concat(E, '<span>');
371 |         }
372 |       }
373 |     });
374 |     debug(html);
375 |     assert.equal(html, '<a target= " href="><span>&lt;script&gt;alert(2)&lt;/script&gt;"&gt;<span>');
376 |   });
377 | 
378 |   it("#onTag - sanitize html parameter tab", function() {
379 |     var source = '<a target=	" href="><script>alert(2)</script>"><span>';
380 |     var i = 0;
381 |     var html = xss(source, {
382 |       onTag: function(_, E, S) {
383 |         if (S.isWhite && "a" === _) {
384 |           if (S.isClosing) return "</span></a>";
385 |           return "".concat(E, '<span>');
386 |         }
387 |       }
388 |     });
389 |     debug(html);
390 |     assert.equal(html, '<a target=	" href="><span>&lt;script&gt;alert(2)&lt;/script&gt;"&gt;<span>');
391 |   });
392 | });
393 | 


--------------------------------------------------------------------------------
/test/test_default.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * tests for default options
 3 |  *
 4 |  * @author Zongmin Lei<leizongmin@gmail.com>
 5 |  */
 6 | 
 7 | var assert = require("assert");
 8 | var _default = require("../lib/default");
 9 | var debug = require("debug")("xss:test");
10 | 
11 | function xss(html, options) {
12 |   debug(JSON.stringify(html));
13 |   var ret = _xss(html, options);
14 |   debug("\t" + JSON.stringify(ret));
15 |   return ret;
16 | }
17 | 
18 | describe("test default", function () {
19 |   it("#stripCommentTag", function () {
20 |     assert.equal(_default.stripCommentTag("<!-- hello -->"), "");
21 |     assert.equal(_default.stripCommentTag("<!--hello-->"), "");
22 |     assert.equal(_default.stripCommentTag("xx <!-- hello --> yy"), "xx  yy");
23 |     assert.equal(_default.stripCommentTag("xx<!--hello-->yy"), "xxyy");
24 |     assert.equal(
25 |       _default.stripCommentTag("<!-- <!-- <!-- hello --> --> -->"),
26 |       " --> -->"
27 |     );
28 |   });
29 | 
30 |   // it("#stripCommentTag benchmark", function () {
31 |   //   for (var i = 1; i <= 50000; i++) {
32 |   //     var time = Date.now();
33 |   //     var attack_str = "" + "<!--".repeat(i * 10000) + "-";
34 |   //     _default.stripCommentTag(attack_str);
35 |   //     var time_cost = Date.now() - time;
36 |   //     console.log(
37 |   //       "attack_str.length: " + attack_str.length + ": " + time_cost + " ms"
38 |   //     );
39 |   //   }
40 |   // });
41 | });
42 | 


--------------------------------------------------------------------------------
/test/test_html_parser.js:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * tests for html parser
  3 |  *
  4 |  * @author Zongmin Lei<leizongmin@gmail.com>
  5 |  */
  6 | 
  7 | var assert = require("assert");
  8 | var parser = require("../lib/parser");
  9 | var parseTag = parser.parseTag;
 10 | var parseAttr = parser.parseAttr;
 11 | var debug = require("debug")("xss:test");
 12 | 
 13 | describe("test HTML parser", function() {
 14 |   function escapeHtml(html) {
 15 |     return html.replace(/</g, "&lt;").replace(/>/g, "&gt;");
 16 |   }
 17 | 
 18 |   function attr(n, v) {
 19 |     if (v) {
 20 |       return n + '="' + v.replace(/"/g, "&quote;") + '"';
 21 |     } else {
 22 |       return n;
 23 |     }
 24 |   }
 25 | 
 26 |   it("#parseTag", function() {
 27 |     var i = 0;
 28 |     var html = parseTag(
 29 |       'hello<A href="#">www</A>ccc<b><br/>',
 30 |       function(sourcePosition, position, tag, html, isClosing) {
 31 |         i++;
 32 |         debug(arguments);
 33 |         if (i === 1) {
 34 |           // 第1个标签
 35 |           assert.equal(sourcePosition, 5);
 36 |           assert.equal(position, 5);
 37 |           assert.equal(tag, "a");
 38 |           assert.equal(html, '<A href="#">');
 39 |           assert.equal(isClosing, false);
 40 |           return "[link]";
 41 |         } else if (i === 2) {
 42 |           // 第2个标签
 43 |           assert.equal(sourcePosition, 20);
 44 |           assert.equal(position, 14);
 45 |           assert.equal(tag, "a");
 46 |           assert.equal(html, "</A>");
 47 |           assert.equal(isClosing, true);
 48 |           return "[/link]";
 49 |         } else if (i === 3) {
 50 |           // 第3个标签
 51 |           assert.equal(sourcePosition, 27);
 52 |           assert.equal(position, 24);
 53 |           assert.equal(tag, "b");
 54 |           assert.equal(html, "<b>");
 55 |           assert.equal(isClosing, false);
 56 |           return "[B]";
 57 |         } else if (i === 4) {
 58 |           // 第4个标签
 59 |           assert.equal(sourcePosition, 30);
 60 |           assert.equal(position, 27);
 61 |           assert.equal(tag, "br");
 62 |           assert.equal(html, "<br/>");
 63 |           assert.equal(isClosing, false);
 64 |           return "[BR]";
 65 |         } else {
 66 |           throw new Error();
 67 |         }
 68 |       },
 69 |       escapeHtml
 70 |     );
 71 |     debug(html);
 72 |     assert.equal(html, "hello[link]www[/link]ccc[B][BR]");
 73 |   });
 74 | 
 75 |   it("#parseAttr", function() {
 76 |     var i = 0;
 77 |     var html = parseAttr(
 78 |       'href="#"attr1=b attr2=c attr3 attr4=\'value4"\'attr5/ attr6\\" attr7= "123 456"',
 79 |       function(name, value) {
 80 |         i++;
 81 |         debug(arguments);
 82 |         if (i === 1) {
 83 |           assert.equal(name, "href");
 84 |           assert.equal(value, "#");
 85 |           return attr(name, value);
 86 |         } else if (i === 2) {
 87 |           assert.equal(name, "attr1");
 88 |           assert.equal(value, "b");
 89 |           return attr(name, value);
 90 |         } else if (i === 3) {
 91 |           assert.equal(name, "attr2");
 92 |           assert.equal(value, "c");
 93 |           return attr(name, value);
 94 |         } else if (i === 4) {
 95 |           assert.equal(name, "attr3");
 96 |           assert.equal(value, "");
 97 |           return attr(name, value);
 98 |         } else if (i === 5) {
 99 |           assert.equal(name, "attr4");
100 |           assert.equal(value, 'value4"');
101 |           return attr(name, value);
102 |         } else if (i === 6) {
103 |           assert.equal(name, "attr5");
104 |           assert.equal(value, "");
105 |           return attr(name, value);
106 |         } else if(i === 7) {
107 |           assert.equal(name, "attr6\\");
108 |           assert.equal(value, "");
109 |           return attr(name, value);
110 |         } else if(i === 8){
111 |           assert.equal(name , "attr7");
112 |           assert.equal(value , "123 456");
113 |           return attr(name, value);
114 |         }
115 |         else {
116 |           throw new Error();
117 |         }
118 |       }
119 |     );
120 |     debug(html);
121 |     assert.equal(
122 |       html,
123 |       'href="#" attr1="b" attr2="c" attr3 attr4="value4&quote;" attr5 attr6\\ attr7="123 456"'
124 |     );
125 |   });
126 | 
127 |   it("#parseTag & #parseAttr", function() {
128 |     var html = parseTag(
129 |       'hi:<a href="#"target=_blank title="this is a link" alt  = hello   class   = "hello2">link</a>',
130 |       function(sourcePosition, position, tag, html, isClosing) {
131 |         if (tag === "a") {
132 |           if (isClosing) return "</a>";
133 |           var attrhtml = parseAttr(html.slice(2, -1), function(name, value) {
134 |             if (name === "href" || name === "target" || name === "alt" || name === "class") {
135 |               return attr(name, value);
136 |             }
137 |           });
138 |           return "<a " + attrhtml + ">";
139 |         } else {
140 |           return escapeHtml(html);
141 |         }
142 |       },
143 |       escapeHtml
144 |     );
145 |     debug(html);
146 |     assert.equal(html, 'hi:<a href="#" target="_blank" alt="hello" class="hello2">link</a>');
147 |   });
148 | });
149 | 


--------------------------------------------------------------------------------
/test/test_xss.js:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * tests for xss() function
  3 |  *
  4 |  * @author Zongmin Lei<leizongmin@gmail.com>
  5 |  */
  6 | 
  7 | var assert = require("assert");
  8 | var _xss = require("../");
  9 | var debug = require("debug")("xss:test");
 10 | 
 11 | function xss(html, options) {
 12 |   debug(JSON.stringify(html));
 13 |   var ret = _xss(html, options);
 14 |   debug("\t" + JSON.stringify(ret));
 15 |   return ret;
 16 | }
 17 | 
 18 | describe("test XSS", function() {
 19 |   it("#normal", function() {
 20 |     // 兼容各种奇葩输入
 21 |     assert.equal(xss(), "");
 22 |     assert.equal(xss(null), "");
 23 |     assert.equal(xss(123), "123");
 24 |     assert.equal(xss({ a: 1111 }), "[object Object]");
 25 | 
 26 |     // 清除不可见字符
 27 |     assert.equal(
 28 |       xss("a\u0000\u0001\u0002\u0003\r\n b"),
 29 |       "a\u0000\u0001\u0002\u0003\r\n b"
 30 |     );
 31 |     assert.equal(
 32 |       xss("a\u0000\u0001\u0002\u0003\r\n b", { stripBlankChar: true }),
 33 |       "a\r\n b"
 34 |     );
 35 | 
 36 |     // 过滤不在白名单的标签
 37 |     assert.equal(xss("<b>abcd</b>"), "<b>abcd</b>");
 38 |     assert.equal(xss("<o>abcd</o>"), "&lt;o&gt;abcd&lt;/o&gt;");
 39 |     assert.equal(xss("<b>abcd</o>"), "<b>abcd&lt;/o&gt;");
 40 |     assert.equal(xss("<b><o>abcd</b></o>"), "<b>&lt;o&gt;abcd</b>&lt;/o&gt;");
 41 |     assert.equal(xss("<hr>"), "<hr>");
 42 |     assert.equal(xss("<xss>"), "&lt;xss&gt;");
 43 |     assert.equal(xss('<xss o="x">'), '&lt;xss o="x"&gt;');
 44 |     assert.equal(xss("<a><b>c</b></a>"), "<a><b>c</b></a>");
 45 |     assert.equal(xss("<a><c>b</c></a>"), "<a>&lt;c&gt;b&lt;/c&gt;</a>");
 46 | 
 47 |     // 过滤不是标签的<>
 48 |     assert.equal(xss("<>>"), "&lt;&gt;&gt;");
 49 |     assert.equal(xss("<scri" + "pt>"), "&lt;script&gt;");
 50 |     assert.equal(xss("<<a>b>"), "&lt;<a>b&gt;");
 51 |     assert.equal(xss("<<<a>>b</a><x>"), "&lt;&lt;<a>&gt;b</a>&lt;x&gt;");
 52 | 
 53 |     // 过滤不在白名单中的属性
 54 |     assert.equal(
 55 |       xss('<a oo="1" xx="2" title="3">yy</a>'),
 56 |       '<a title="3">yy</a>'
 57 |     );
 58 |     assert.equal(xss("<a title xx oo>pp</a>"), "<a title>pp</a>");
 59 |     assert.equal(xss('<a title "">pp</a>'), "<a title>pp</a>");
 60 |     assert.equal(xss('<a t="">'), "<a>");
 61 | 
 62 |     // 属性内的特殊字符
 63 |     assert.equal(xss('<a title="\'<<>>">'), '<a title="\'&lt;&lt;&gt;&gt;">');
 64 |     assert.equal(xss('<a title=""">'), "<a title>");
 65 |     assert.equal(xss('<a h=title="oo">'), "<a>");
 66 |     assert.equal(xss('<a h= title="oo">'), "<a>");
 67 |     assert.equal(
 68 |       xss('<a title="javascript&colonalert(/xss/)">'),
 69 |       '<a title="javascript:alert(/xss/)">'
 70 |     );
 71 |     assert.equal(
 72 |       xss('<a title"hell aa="fdfd title="ok">hello</a>'),
 73 |       "<a>hello</a>"
 74 |     );
 75 | 
 76 |     // 自动将属性值的单引号转为双引号
 77 |     assert.equal(xss("<a title='abcd'>"), '<a title="abcd">');
 78 |     assert.equal(xss("<a title='\"'>"), '<a title="&quot;">');
 79 | 
 80 |     // 没有双引号括起来的属性值
 81 |     assert.equal(xss("<a title=home>"), '<a title="home">');
 82 |     assert.equal(xss('<a title=abc("d")>'), '<a title="abc(&quot;d&quot;)">');
 83 |     assert.equal(xss("<a title=abc('d')>"), "<a title=\"abc('d')\">");
 84 | 
 85 |     // 单个闭合标签
 86 |     assert.equal(xss("<img src/>"), "<img src />");
 87 |     assert.equal(xss("<img src />"), "<img src />");
 88 |     assert.equal(xss("<img src//>"), "<img src />");
 89 |     assert.equal(xss("<br/>"), "<br />");
 90 |     assert.equal(xss("<br />"), "<br />");
 91 |     assert.equal(xss("<img src=x onerror=alert('XSS')"), "<img src>");
 92 | 
 93 |     // 畸形属性格式
 94 |     assert.equal(
 95 |       xss('<a target = "_blank" title ="bbb">'),
 96 |       '<a target="_blank" title="bbb">'
 97 |     );
 98 |     assert.equal(
 99 |       xss('<a target = "_blank" title =  title =  "bbb">'),
100 |       '<a target="_blank" title="title">'
101 |     );
102 |     assert.equal(
103 |       xss('<img width = 100    height     =200 title="xxx">'),
104 |       '<img width="100" height="200" title="xxx">'
105 |     );
106 |     assert.equal(
107 |       xss("<img width = 100    height     =200 title=xxx>"),
108 |       '<img width="100" height="200" title="xxx">'
109 |     );
110 |     assert.equal(
111 |       xss("<img width = 100    height     =200 title= xxx>"),
112 |       '<img width="100" height="200" title="xxx">'
113 |     );
114 |     assert.equal(
115 |       xss('<img width = 100    height     =200 title= "xxx">'),
116 |       '<img width="100" height="200" title="xxx">'
117 |     );
118 |     assert.equal(
119 |       xss("<img width = 100    height     =200 title= 'xxx'>"),
120 |       '<img width="100" height="200" title="xxx">'
121 |     );
122 |     assert.equal(
123 |       xss("<img width = 100    height     =200 title = 'xxx'>"),
124 |       '<img width="100" height="200" title="xxx">'
125 |     );
126 |     assert.equal(
127 |       xss('<img width = 100    height     =200 title= "xxx" no=yes alt="yyy">'),
128 |       '<img width="100" height="200" title="xxx" alt="yyy">'
129 |     );
130 |     assert.equal(
131 |       xss(
132 |         '<img width = 100    height     =200 title= "xxx" no=yes alt="\'yyy\'">'
133 |       ),
134 |       '<img width="100" height="200" title="xxx" alt="\'yyy\'">'
135 |     );
136 |     assert.equal(
137 |       xss(
138 |         '<img loading="lazy">'
139 |       ),
140 |       '<img loading="lazy">'
141 |     );
142 | 
143 |     // 使用Tab或换行符分隔的属性
144 |     assert.equal(
145 |       xss('<img width=100 height=200\nsrc="#"/>'),
146 |       '<img width="100" height="200" src="#" />'
147 |     );
148 |     assert.equal(
149 |       xss('<a\ttarget="_blank"\ntitle="bbb">'),
150 |       '<a target="_blank" title="bbb">'
151 |     );
152 |     assert.equal(
153 |       xss('<a\ntarget="_blank"\ttitle="bbb">'),
154 |       '<a target="_blank" title="bbb">'
155 |     );
156 |     assert.equal(
157 |       xss('<a\n\n\n\ttarget="_blank"\t\t\t\ntitle="bbb">'),
158 |       '<a target="_blank" title="bbb">'
159 |     );
160 |   });
161 | 
162 |   // 自定义白名单
163 |   it("#white list", function() {
164 |     // 过滤所有标签
165 |     assert.equal(
166 |       xss('<a title="xx">bb</a>', { whiteList: {} }),
167 |       '&lt;a title="xx"&gt;bb&lt;/a&gt;'
168 |     );
169 |     assert.equal(xss("<hr>", { whiteList: {} }), "&lt;hr&gt;");
170 |     // 增加白名单标签及属性
171 |     assert.equal(
172 |       xss('<ooxx yy="ok" cc="no">uu</ooxx>', { whiteList: { ooxx: ["yy"] } }),
173 |       '<ooxx yy="ok">uu</ooxx>'
174 |     );
175 |   });
176 | 
177 |   it("#allowList", function() {
178 |     // 过滤所有标签
179 |     assert.equal(
180 |       xss('<a title="xx">bb</a>', { allowList: {} }),
181 |       '&lt;a title="xx"&gt;bb&lt;/a&gt;'
182 |     );
183 |     assert.equal(xss("<hr>", { allowList: {} }), "&lt;hr&gt;");
184 |     // 增加白名单标签及属性
185 |     assert.equal(
186 |       xss('<ooxx yy="ok" cc="no">uu</ooxx>', { allowList: { ooxx: ["yy"] } }),
187 |       '<ooxx yy="ok">uu</ooxx>'
188 |     );
189 |   })
190 | 
191 |   // XSS攻击测试：https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
192 |   it("#XSS_Filter_Evasion_Cheat_Sheet", function() {
193 |     assert.equal(
194 |       xss(
195 |         "></SCRI" +
196 |           "PT>\">'><SCRI" +
197 |           "PT>alert(String.fromCharCode(88,83,83))</SCRI" +
198 |           "PT>"
199 |       ),
200 |       "&gt;&lt;/SCRIPT&gt;\"&gt;'&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;"
201 |     );
202 | 
203 |     assert.equal(xss(';!--"<XSS>=&{()}'), ';!--"&lt;XSS&gt;=&{()}');
204 | 
205 |     assert.equal(
206 |       xss("<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRI" + "PT>"),
207 |       "&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;"
208 |     );
209 | 
210 |     assert.equal(xss("<IMG SRC=\"javascript:alert('XSS');\">"), "<img src>");
211 | 
212 |     assert.equal(xss("<IMG SRC=javascript:alert('XSS')>"), "<img src>");
213 | 
214 |     assert.equal(xss("<IMG SRC=JaVaScRiPt:alert('XSS')>"), "<img src>");
215 | 
216 |     assert.equal(
217 |       xss("<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>"),
218 |       "<img src>"
219 |     );
220 | 
221 |     assert.equal(
222 |       xss('<IMG """><SCRI' + 'PT>alert("XSS")</SCRI' + 'PT>">'),
223 |       '<img>&lt;SCRIPT&gt;alert("XSS")&lt;/SCRIPT&gt;"&gt;'
224 |     );
225 | 
226 |     assert.equal(
227 |       xss("<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>"),
228 |       "<img src>"
229 |     );
230 | 
231 |     assert.equal(
232 |       xss(
233 |         "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>"
234 |       ),
235 |       "<img src>"
236 |     );
237 | 
238 |     assert.equal(
239 |       xss(
240 |         "<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>"
241 |       ),
242 |       "<img src>"
243 |     );
244 | 
245 |     assert.equal(
246 |       xss(
247 |         "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>"
248 |       ),
249 |       "<img src>"
250 |     );
251 | 
252 |     assert.equal(xss("<IMG SRC=\"jav ascript:alert('XSS');\">"), "<img src>");
253 | 
254 |     assert.equal(
255 |       xss("<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">"),
256 |       "<img src>"
257 |     );
258 | 
259 |     assert.equal(xss("<IMG SRC=\"jav\nascript:alert('XSS');\">"), "<img src>");
260 | 
261 |     assert.equal(xss('<IMG SRC=java\0script:alert("XSS")>'), "<img src>");
262 | 
263 |     assert.equal(
264 |       xss("<IMG SRC=\" &#14;  javascript:alert('XSS');\">"),
265 |       "<img src>"
266 |     );
267 | 
268 |     assert.equal(
269 |       xss('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRI' + "PT>"),
270 |       '&lt;SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"&gt;&lt;/SCRIPT&gt;'
271 |     );
272 | 
273 |     assert.equal(
274 |       xss('<BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>'),
275 |       '&lt;BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")&gt;'
276 |     );
277 | 
278 |     assert.equal(
279 |       xss("<<SCRI" + 'PT>alert("XSS");//<</SCRI' + "PT>"),
280 |       '&lt;&lt;SCRIPT&gt;alert("XSS");//&lt;&lt;/SCRIPT&gt;'
281 |     );
282 | 
283 |     assert.equal(
284 |       xss("<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >"),
285 |       "&lt;SCRIPT SRC=http://ha.ckers.org/xss.js?&lt; B &gt;"
286 |     );
287 | 
288 |     assert.equal(
289 |       xss("<SCRIPT SRC=//ha.ckers.org/.j"),
290 |       "&lt;SCRIPT SRC=//ha.ckers.org/.j"
291 |     );
292 | 
293 |     assert.equal(
294 |       xss('<ſcript src="https://xss.haozi.me/j.js"></ſcript>'),
295 |       '&lt;ſcript src="https://xss.haozi.me/j.js"&gt;&lt;/ſcript&gt;'
296 |     );
297 | 
298 |     assert.equal(
299 |       xss("<IMG SRC=\"javascript:alert('XSS')\""),
300 |       "&lt;IMG SRC=\"javascript:alert('XSS')\""
301 |     );
302 | 
303 |     assert.equal(
304 |       xss("<iframe src=http://ha.ckers.org/scriptlet.html <"),
305 |       "&lt;iframe src=http://ha.ckers.org/scriptlet.html &lt;"
306 |     );
307 | 
308 |     // 过滤 javascript:
309 |     assert.equal(
310 |       xss("<a style=\"url('javascript:alert(1)')\">", {
311 |         whiteList: { a: ["style"] }
312 |       }),
313 |       "<a style>"
314 |     );
315 |     assert.equal(
316 |       xss("<td background=\"url('javascript:alert(1)')\">", {
317 |         whiteList: { td: ["background"] }
318 |       }),
319 |       "<td background>"
320 |     );
321 | 
322 |     // 过滤 style
323 |     assert.equal(
324 |       xss('<DIV STYLE="width: \nexpression(alert(1));">', {
325 |         whiteList: { div: ["style"] }
326 |       }),
327 |       "<div style>"
328 |     );
329 |     // 不正常的url
330 |     assert.equal(
331 |       xss('<DIV STYLE="background:\n url (javascript:ooxx);">', {
332 |         whiteList: { div: ["style"] }
333 |       }),
334 |       "<div style>"
335 |     );
336 |     assert.equal(
337 |       xss('<DIV STYLE="background:url (javascript:ooxx);">', {
338 |         whiteList: { div: ["style"] }
339 |       }),
340 |       "<div style>"
341 |     );
342 |     // 正常的url
343 |     assert.equal(
344 |       xss('<DIV STYLE="background: url (ooxx);">', {
345 |         whiteList: { div: ["style"] }
346 |       }),
347 |       '<div style="background:url (ooxx);">'
348 |     );
349 | 
350 |     assert.equal(xss("<IMG SRC='vbscript:msgbox(\"XSS\")'>"), "<img src>");
351 | 
352 |     assert.equal(xss('<IMG SRC="livescript:[code]">'), "<img src>");
353 | 
354 |     assert.equal(xss('<IMG SRC="mocha:[code]">'), "<img src>");
355 | 
356 |     assert.equal(xss("<a href=\"javas/**/cript:alert('XSS');\">"), "<a href>");
357 | 
358 |     assert.equal(xss('<a href="javascript">'), "<a href>");
359 |     assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
360 |     assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
361 |     assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
362 |     assert.equal(xss('<a href="https://aa.com">'), '<a href="https://aa.com">');
363 |     assert.equal(
364 |       xss('<a href="mailto:me@ucdok.com">'),
365 |       '<a href="mailto:me@ucdok.com">'
366 |     );
367 |     assert.equal(xss('<a href="tel:0123456789">'), '<a href="tel:0123456789">');
368 |     assert.equal(xss('<a href="#hello">'), '<a href="#hello">');
369 |     assert.equal(xss('<a href="other">'), "<a href>");
370 | 
371 |     // 这个暂时不知道怎么处理
372 |     //assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');
373 | 
374 |     assert.equal(
375 |       xss(
376 |         "<!--[if gte IE 4]><SCRI" +
377 |           "PT>alert('XSS');</SCRI" +
378 |           "PT><![endif]--> END",
379 |         { allowCommentTag: true }
380 |       ),
381 |       "&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--&gt; END"
382 |     );
383 |     assert.equal(
384 |       xss(
385 |         "<!--[if gte IE 4]><SCRI" +
386 |           "PT>alert('XSS');</SCRI" +
387 |           "PT><![endif]--> END"
388 |       ),
389 |       " END"
390 |     );
391 | 
392 |     // HTML5新增实体编码 冒号&colon; 换行&NewLine;
393 |     assert.equal(xss('<a href="javascript&colon;alert(/xss/)">'), "<a href>");
394 |     assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), "<a href>");
395 |     assert.equal(xss('<a href="a&NewLine;b">'), "<a href>");
396 |     assert.equal(xss('<a href="a&NewLineb">'), "<a href>");
397 |     assert.equal(
398 |       xss('<a href="javasc&NewLine;ript&colon;alert(1)">'),
399 |       "<a href>"
400 |     );
401 | 
402 |     // data URI 协议过滤
403 |     assert.equal(xss('<a href="data:">'), "<a href>");
404 |     assert.equal(xss('<a href="d a t a : ">'), "<a href>");
405 |     assert.equal(xss('<a href="data: html/text;">'), "<a href>");
406 |     assert.equal(xss('<a href="data:html/text;">'), "<a href>");
407 |     assert.equal(xss('<a href="data:html /text;">'), "<a href>");
408 |     assert.equal(xss('<a href="data: image/text;">'), "<a href>");
409 |     assert.equal(xss('<img src="data: aaa/text;">'), "<img src>");
410 |     assert.equal(
411 |       xss('<img src="data:image/png; base64; ofdkofiodiofl">'),
412 |       '<img src="data:image/png; base64; ofdkofiodiofl">'
413 |     );
414 | 
415 |     // HTML备注处理
416 |     assert.equal(
417 |       xss("<!--                               -->", { allowCommentTag: false }),
418 |       ""
419 |     );
420 |     assert.equal(
421 |       xss("<!--      a           -->", { allowCommentTag: false }),
422 |       ""
423 |     );
424 |     assert.equal(xss("<!--sa       -->ss", { allowCommentTag: false }), "ss");
425 |     assert.equal(
426 |       xss("<!--                               ", { allowCommentTag: false }),
427 |       ""
428 |     );
429 |   });
430 | 
431 |   it("#singleQuotedAttributeValue", function() {
432 |     assert.equal(xss('<a title="xx">not-defined</a>'), '<a title="xx">not-defined</a>');
433 |     assert.equal(
434 |       xss('<a title="xx">single-quoted</a>', { singleQuotedAttributeValue: true }),
435 |       '<a title=\'xx\'>single-quoted</a>'
436 |     );
437 |     assert.equal(
438 |       xss('<a title="xx">double-quoted</a>', { singleQuotedAttributeValue: false }),
439 |       '<a title="xx">double-quoted</a>'
440 |     );
441 |     assert.equal(
442 |       xss('<a title="xx">invalid-value</a>', { singleQuotedAttributeValue: 'invalid' }),
443 |       '<a title="xx">invalid-value</a>'
444 |     );
445 |   })
446 | 
447 |   it("no options mutated", function() {
448 |     var options = {};
449 | 
450 |     var ret = xss("test", options);
451 |     // console.log(options);
452 |     assert.deepEqual(options, {});
453 | 
454 |     var ret2 = new _xss.FilterXSS(options);
455 |     // console.log(options);
456 |     assert.deepEqual(options, {});
457 |   });
458 | 
459 |   it("camel case tag names", function() {
460 |     assert.equal(xss('<animateTransform attributeName="transform"' +
461 |       'attributeType="XML"' +
462 |       'type="rotate"' +
463 |       'repeatCount="indefinite"/>', {
464 |       whiteList: {
465 |         animateTransform: ["attributeType", "repeatCount"]
466 |       }
467 |     }),
468 |       '<animatetransform attributetype="XML" repeatcount="indefinite" />');
469 |   });
470 | });
471 | 


--------------------------------------------------------------------------------
/typings/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 |   "compilerOptions": {
3 |     "strictNullChecks": true,
4 |     "noImplicitAny": true,
5 |     "module": "commonjs",
6 |     "esModuleInterop": true
7 |   }
8 | }


--------------------------------------------------------------------------------
/typings/xss-default-import.ts:
--------------------------------------------------------------------------------
1 | /// <reference path="./xss.d.ts" />
2 | 
3 | import xss from "xss";
4 | 
5 | console.log(xss("<script>alert('xss');</script>"));
6 | 


--------------------------------------------------------------------------------
/typings/xss-other-tests.ts:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * xss typings test
 3 |  *
 4 |  * @author Zongmin Lei<leizongmin@gmail.com>
 5 |  */
 6 | 
 7 | interface ICustomWhiteList extends XSS.IWhiteList {
 8 |   view?: string[];
 9 | }
10 | 
11 | const options: XSS.IFilterXSSOptions = {};
12 | 


--------------------------------------------------------------------------------
/typings/xss-tests.ts:
--------------------------------------------------------------------------------
 1 | /// <reference path="./xss.d.ts" />
 2 | 
 3 | /**
 4 |  * xss typings test
 5 |  *
 6 |  * @author Zongmin Lei<leizongmin@gmail.com>
 7 |  */
 8 | 
 9 | import * as xss from "xss";
10 | 
11 | const x = new xss.FilterXSS();
12 | 
13 | x.process("html");
14 | 
15 | const a = xss.StripTagBody([], () => {});
16 | console.log(a.onIgnoreTag, a.remove);
17 | 
18 | console.log(xss.filterXSS("hello"));
19 | console.log(
20 |   xss.filterXSS("hello", {
21 |     onTag(tag: string, html: string, options: {}): string {
22 |       return html;
23 |     },
24 |     css: false,
25 |   })
26 | );
27 | 
28 | xss.filterXSS("hello");
29 | xss.filterXSS("hello", {
30 |   escapeHtml(str) {
31 |     return str.trim();
32 |   },
33 |   stripBlankChar: true,
34 |   onTag(tag, html, options) {
35 |     return html;
36 |   },
37 |   onIgnoreTag(tag, html) {},
38 | });
39 | 
40 | interface ICustomWhiteList extends XSS.IWhiteList {
41 |   view?: string[];
42 | }
43 | 
44 | const whiteList: ICustomWhiteList = xss.getDefaultWhiteList();
45 | console.log(whiteList.abbr);
46 | whiteList.view = ["class", "style", "id"];
47 | console.log(whiteList);
48 | 
49 | filterXSS("hello");
50 | 
51 | const options: XSS.IFilterXSSOptions = {};
52 | 


--------------------------------------------------------------------------------
/typings/xss.d.ts:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * xss
  3 |  *
  4 |  * @author Zongmin Lei<leizongmin@gmail.com>
  5 |  */
  6 | 
  7 | declare module "xss" {
  8 |   global {
  9 |     function filterXSS(html: string, options?: IFilterXSSOptions): string;
 10 | 
 11 |     namespace XSS {
 12 |       export interface IFilterXSSOptions {
 13 |         allowList?: IWhiteList;
 14 |         whiteList?: IWhiteList;
 15 |         onTag?: OnTagHandler;
 16 |         onTagAttr?: OnTagAttrHandler;
 17 |         onIgnoreTag?: OnTagHandler;
 18 |         onIgnoreTagAttr?: OnTagAttrHandler;
 19 |         safeAttrValue?: SafeAttrValueHandler;
 20 |         escapeHtml?: EscapeHandler;
 21 |         stripIgnoreTag?: boolean;
 22 |         stripIgnoreTagBody?: boolean | string[];
 23 |         allowCommentTag?: boolean;
 24 |         stripBlankChar?: boolean;
 25 |         singleQuotedAttributeValue?: boolean;
 26 |         css?: {} | boolean;
 27 |       }
 28 | 
 29 |       interface IWhiteList extends Record<string, string[] | undefined> {
 30 |         a?: string[];
 31 |         abbr?: string[];
 32 |         address?: string[];
 33 |         area?: string[];
 34 |         article?: string[];
 35 |         aside?: string[];
 36 |         audio?: string[];
 37 |         b?: string[];
 38 |         bdi?: string[];
 39 |         bdo?: string[];
 40 |         big?: string[];
 41 |         blockquote?: string[];
 42 |         br?: string[];
 43 |         caption?: string[];
 44 |         center?: string[];
 45 |         cite?: string[];
 46 |         code?: string[];
 47 |         col?: string[];
 48 |         colgroup?: string[];
 49 |         dd?: string[];
 50 |         del?: string[];
 51 |         details?: string[];
 52 |         div?: string[];
 53 |         dl?: string[];
 54 |         dt?: string[];
 55 |         em?: string[];
 56 |         figure?: string[];
 57 |         figcaption?: string[];
 58 |         font?: string[];
 59 |         footer?: string[];
 60 |         h1?: string[];
 61 |         h2?: string[];
 62 |         h3?: string[];
 63 |         h4?: string[];
 64 |         h5?: string[];
 65 |         h6?: string[];
 66 |         header?: string[];
 67 |         hr?: string[];
 68 |         i?: string[];
 69 |         img?: string[];
 70 |         ins?: string[];
 71 |         li?: string[];
 72 |         mark?: string[];
 73 |         nav?: string[];
 74 |         ol?: string[];
 75 |         p?: string[];
 76 |         pre?: string[];
 77 |         s?: string[];
 78 |         section?: string[];
 79 |         small?: string[];
 80 |         span?: string[];
 81 |         sub?: string[];
 82 |         sup?: string[];
 83 |         strong?: string[];
 84 |         strike?: string[];
 85 |         summary?: string[];
 86 |         table?: string[];
 87 |         tbody?: string[];
 88 |         td?: string[];
 89 |         tfoot?: string[];
 90 |         th?: string[];
 91 |         thead?: string[];
 92 |         tr?: string[];
 93 |         tt?: string[];
 94 |         u?: string[];
 95 |         ul?: string[];
 96 |         video?: string[];
 97 |       }
 98 | 
 99 |       type OnTagHandler = (
100 |         tag: string,
101 |         html: string,
102 |         options: {
103 |           sourcePosition?: number;
104 |           position?: number;
105 |           isClosing?: boolean;
106 |           isWhite?: boolean;
107 |         }
108 |       ) => string | void;
109 | 
110 |       type OnTagAttrHandler = (
111 |         tag: string,
112 |         name: string,
113 |         value: string,
114 |         isWhiteAttr: boolean
115 |       ) => string | void;
116 | 
117 |       type SafeAttrValueHandler = (
118 |         tag: string,
119 |         name: string,
120 |         value: string,
121 |         cssFilter: ICSSFilter
122 |       ) => string;
123 | 
124 |       type EscapeHandler = (str: string) => string;
125 | 
126 |       interface ICSSFilter {
127 |         process(value: string): string;
128 |       }
129 |     }
130 |   }
131 |   export interface IFilterXSSOptions extends XSS.IFilterXSSOptions {}
132 | 
133 |   export interface IWhiteList extends XSS.IWhiteList {}
134 | 
135 |   export type OnTagHandler = XSS.OnTagHandler;
136 | 
137 |   export type OnTagAttrHandler = XSS.OnTagAttrHandler;
138 | 
139 |   export type SafeAttrValueHandler = XSS.SafeAttrValueHandler;
140 | 
141 |   export type EscapeHandler = XSS.EscapeHandler;
142 | 
143 |   export interface ICSSFilter extends XSS.ICSSFilter {}
144 | 
145 |   export function StripTagBody(
146 |     tags: string[],
147 |     next: () => void
148 |   ): {
149 |     onIgnoreTag(
150 |       tag: string,
151 |       html: string,
152 |       options: {
153 |         position: number;
154 |         isClosing: boolean;
155 |       }
156 |     ): string;
157 |     remove(html: string): string;
158 |   };
159 | 
160 |   export class FilterXSS {
161 |     constructor(options?: IFilterXSSOptions);
162 |     process(html: string): string;
163 |   }
164 | 
165 |   export function filterXSS(html: string, options?: IFilterXSSOptions): string;
166 |   export function parseTag(
167 |     html: string,
168 |     onTag: (
169 |       sourcePosition: number,
170 |       position: number,
171 |       tag: string,
172 |       html: string,
173 |       isClosing: boolean
174 |     ) => string,
175 |     escapeHtml: EscapeHandler
176 |   ): string;
177 |   export function parseAttr(
178 |     html: string,
179 |     onAttr: (name: string, value: string) => string
180 |   ): string;
181 |   export const whiteList: IWhiteList;
182 |   export function getDefaultWhiteList(): IWhiteList;
183 |   export const onTag: OnTagHandler;
184 |   export const onIgnoreTag: OnTagHandler;
185 |   export const onTagAttr: OnTagAttrHandler;
186 |   export const onIgnoreTagAttr: OnTagAttrHandler;
187 |   export const safeAttrValue: SafeAttrValueHandler;
188 |   export const escapeHtml: EscapeHandler;
189 |   export const escapeQuote: EscapeHandler;
190 |   export const unescapeQuote: EscapeHandler;
191 |   export const escapeHtmlEntities: EscapeHandler;
192 |   export const escapeDangerHtml5Entities: EscapeHandler;
193 |   export const clearNonPrintableCharacter: EscapeHandler;
194 |   export const friendlyAttrValue: EscapeHandler;
195 |   export const escapeAttrValue: EscapeHandler;
196 |   export function onIgnoreTagStripAll(): string;
197 |   export const stripCommentTag: EscapeHandler;
198 |   export const stripBlankChar: EscapeHandler;
199 |   export const attributeWrapSign: string;
200 |   export const cssFilter: ICSSFilter;
201 |   export function getDefaultCSSWhiteList(): ICSSFilter;
202 | 
203 |   const xss: (html: string, options?: IFilterXSSOptions) => string;
204 |   export default xss;
205 | }
206 | 


--------------------------------------------------------------------------------