Comments (5)
pdehaan
commented on July 17, 2024
Steps to reproduce:
var xss = require('xss')
var html = "<a href='https://foo.bar/' style='color: #0095dd; text-decoration: none;'>Whatever text</a>"
var options = {
whiteList: {
a: ['href', 'style']
},
onTagAttr: function (tag, name, value, isWhiteAttr) {
if (isWhiteAttr && xss.safeAttrValue(tag, name, value) === '') {
console.log('INVALID VALUE FOR ATTRIBUTE <%s %s="%s">', tag, name, value)
return ''
}
}
}
var myxss = new xss.FilterXSS(options)
console.log(myxss.process(html))Output:
➜ fxa-travis node xss-test.js
/Users/pdehaan/dev/fxa-travis/node_modules/xss/lib/default.js:183
value = cssFilter.process(value);
^
TypeError: Cannot call method 'process' of undefined
at Function.safeAttrValue (/Users/pdehaan/dev/fxa-travis/node_modules/xss/lib/default.js:183:23)
at options.onTagAttr (/Users/pdehaan/dev/fxa-travis/xss-test.js:10:28)
at /Users/pdehaan/dev/fxa-travis/node_modules/xss/lib/xss.js:149:19
at addAttr (/Users/pdehaan/dev/fxa-travis/node_modules/xss/lib/parser.js:130:19)
at parseAttr (/Users/pdehaan/dev/fxa-travis/node_modules/xss/lib/parser.js:148:11)
at /Users/pdehaan/dev/fxa-travis/node_modules/xss/lib/xss.js:145:23
at parseTag (/Users/pdehaan/dev/fxa-travis/node_modules/xss/lib/parser.js:79:22)
at FilterXSS.process (/Users/pdehaan/dev/fxa-travis/node_modules/xss/lib/xss.js:123:17)
at Object.<anonymous> (/Users/pdehaan/dev/fxa-travis/xss-test.js:18:19)
at Module._compile (module.js:456:26)
Looks like the error is coming from /lib/default.js:183.
from js-xss.
pdehaan
commented on July 17, 2024
Potential workaround is to explicitly specify a cssFilter in our xss.safeAttrValue() call:
xss.safeAttrValue(tag, name, value, myxss.cssFilter)Semi-related, we can do CSS attribute filtering by passing a css white list in the options object:
var options = {
whiteList: {
a: ['href', 'style']
},
onTagAttr: function (tag, name, value, isWhiteAttr) {
var attrValue = xss.safeAttrValue(tag, name, value, myxss.cssFilter)
if (isWhiteAttr && value === '') {
console.log('INVALID VALUE FOR ATTRIBUTE <%s %s="%s">', tag, name, value)
return ''
}
},
css: {
whiteList: {
'color': true,
'text-decoration': true
}
}
}This module is awesome!
from js-xss.
pdehaan
commented on July 17, 2024
So I think the fix for this is to check if cssFilter argument is defined is safeAttrValue() in /lib/default.js:142-144:
var FilterCSS = require('cssfilter').FilterCSS;
...
function safeAttrValue (tag, name, value, cssFilter) {
cssFilter = cssFilter || new FilterCSS();
// 转换为友好的属性值,再做判断
value = friendlyAttrValue(value);from js-xss.
leizongmin
commented on July 17, 2024
@pdehaan @TDA Fixed this problem, please install the new version [email protected] Thank you! :-)
from js-xss.
TDA
commented on July 17, 2024
@leizongmin Thank you so much!! That was fast!
from js-xss.
Related Issues (20)
- Confusing variable assignment - Eslint should be configured for this project HOT 2
- "invalid group specifier name" error in Safari after upgrade to 1.0.12 HOT 7
- 运算符 大于号>和小于号<不想被转码 HOT 1
- video标签过滤后source标签丢失 HOT 2
- src with blob:... is removed HOT 1
- At v1.0.14 stripIgnoreTag behavior changed HOT 1
- I would like to know why all styles need to be whitelisted by configuration before they are not filtered?
- Escaping attribute does not work sufficient HOT 1
- whiteList fails when using slashes to separate tag attributes (PR included)
- Ignore greater or less than symbol? HOT 1
- Links in href/src needs a protocol, but not in url(), why ?
- Cannot create xss instance with options ^1.0.14
- The href content in a tag is 'data: image', which is not processed
- Support being imported by Node
- img src processed to empty HOT 2
- a标签已经被加入到了白名a: ['class', 'href', 'target'],但是href里面放入自定义协议,比如baidu360://efwefwfwe给过滤了,怎么办
- How to whitelist cookies
- Doesn't sanitize "<p>abc<iframe//src=jAva	script:alert(3)>def</p>"
- How to see what tags are removed?
- Is it possible to preserve case on attributes when filtering XSS?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from js-xss.