Comments (6)
This is because the style attribute is not allowed in the default whiteList. So you need to add the style attribute to your custom whiteList first.
const xss = require('xss');
// get a copy of the default whiteList
const whiteList = xss.getDefaultWhiteList();
// allow the style attribute on the td tag
whiteList.td.push('style');
// specify your custom whiteList
const myxss = new xss.FilterXSS({
  whiteList,
  css: false,
});
// do what you want (innerText is the HTML string you want to sanitize)
const html = myxss.process(innerText);
console.log(html);
from js-xss.
@leizongmin I don't think it is the common case; I believe most people only want to keep inline styles, not leave all of them unfiltered.
from js-xss.
Thanks, that did the trick! Sorry to add, but is there a way to specify an attribute with valid values, like class, that can only be set to certain values?
from js-xss.
Why do you suggest using {css:false}? It means nearly all of the risk just passes through.
const xss = require('xss');
// whiteList: the default list with the style attribute added, as in the first comment
const whiteList = xss.getDefaultWhiteList();
whiteList.div.push('style');

let myxss = new xss.FilterXSS({ css: false, whiteList });
myxss.process('<div style="color:red;background:url(java/**/script:alert(1)">TEST</div>');
// unexpected
// output: '<div style="color:red;background:url(java/**/script:alert(1)">TEST</div>'
myxss = new xss.FilterXSS({ whiteList });
myxss.process('<div style="color:red;background:url(java/**/script:alert(1)">TEST</div>');
// expected
// output: '<div style="color:red;">TEST</div>'
from js-xss.
@lwr This is because some people didn't want to filter the style attribute, for some reason.
from js-xss.
I did it like this:
const xss = require('xss');
const cssfilter = require('cssfilter'); // the CSS filter js-xss itself uses

// modifyWhiteList() is not shown in the original comment; filled in here the
// same way as the first comment: the default whiteList plus the style attribute
function modifyWhiteList () {
  const whiteList = xss.getDefaultWhiteList();
  whiteList.td.push('style');
  return whiteList;
}

function handleTagAttr (tag, name, value, isWhiteAttr) {
  if (name === 'style') {
    // filter the CSS, then escape quotes so the value cannot break out of the attribute
    const safe = cssfilter(value).replace(/"/g, '&quot;');
    return `${name}="${safe}"`;
  }
  // returning undefined leaves other attributes to the default handling
}
const options = {
  whiteList: modifyWhiteList(),
  css: false,
  stripIgnoreTagBody: true,
  onTagAttr: handleTagAttr
};
const sanitizer = new xss.FilterXSS(options);
from js-xss.
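An added example, not code from the js-xss project or from anyone in this thread, showing what the last two comments are getting at: a small stand-alone inline-style sanitizer (a stand-in for what js-xss's built-in CSS filter does when `css` is left enabled, not the library's code) and an `onTagAttr` hook in the signature js-xss documents (`tag, name, value, isWhiteAttr`; returning a string replaces the attribute, returning undefined falls back to the default handling). It also covers the earlier question about restricting `class` to a fixed set of values. The property allowlist, the class allowlist and the sample values are constructed for the example; the `url(java/**/script:alert(1)` payload is the one from the thread.

```javascript
// Added example (not js-xss's own code and not posted by anyone in the thread).
// A minimal inline-style sanitizer standing in for what js-xss does when `css`
// is left enabled, plus an onTagAttr hook in the shape js-xss documents.

// Constructed property allowlist for the example; a real deployment would
// take this from cssfilter's whitelist or its own policy.
const ALLOWED_CSS_PROPS = new Set([
  'color', 'background', 'background-color', 'font-size', 'font-weight',
  'text-align', 'width', 'height',
]);

// Value patterns that must never reach the browser, whatever the property:
// url() can load a javascript: or external resource, expression() is legacy
// IE script execution, comments and backslashes are classic filter evasion,
// and @import pulls in arbitrary stylesheets.
const DANGEROUS_CSS_VALUE = /url\s*\(|expression\s*\(|javascript\s*:|\/\*|\\|@import/i;

// Conservative value charset: keywords, numbers, units, hex colours, lists.
// Functional notation such as rgb(...) is deliberately rejected.
const SAFE_CSS_VALUE = /^[a-z0-9#%.,\s-]+$/i;

// Keep only allowlisted declarations with safe values. Output uses the same
// `prop:value;` layout that js-xss's default CSS filter produces.
function sanitizeStyle(style) {
  const kept = [];
  for (const decl of String(style).split(';')) {
    const sep = decl.indexOf(':');
    if (sep < 0) continue;
    const prop = decl.slice(0, sep).trim().toLowerCase();
    const value = decl.slice(sep + 1).trim();
    if (!ALLOWED_CSS_PROPS.has(prop)) continue;
    if (value === '' || DANGEROUS_CSS_VALUE.test(value) || !SAFE_CSS_VALUE.test(value)) continue;
    kept.push(`${prop}:${value};`);
  }
  return kept.join('');
}

// Constructed allowlist of class names the application actually styles,
// the kind of per-value restriction asked about in the third comment.
const ALLOWED_CLASSES = new Set(['note', 'warning', 'highlight']);

function escapeAttrValue(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hook with js-xss's documented onTagAttr signature: return a string to
// replace the attribute (an empty string emits nothing, i.e. drops it),
// return undefined to let the library apply its default handling.
function onTagAttr(tag, name, value, isWhiteAttr) {
  if (name === 'style') {
    const clean = sanitizeStyle(value);
    return clean ? `style="${escapeAttrValue(clean)}"` : '';
  }
  if (name === 'class') {
    const classes = String(value).split(/\s+/).filter((c) => ALLOWED_CLASSES.has(c));
    return classes.length ? `class="${classes.join(' ')}"` : '';
  }
  return undefined;
}

// Wiring into js-xss would look like this (not executed here, the package is
// not required by this example):
//   const myxss = new xss.FilterXSS({ whiteList, onTagAttr });
// With the hook handling `style` itself, `css: false` buys nothing: the hook's
// return value already replaces the default processing for that attribute.
```

Run against the thread's payload, `sanitizeStyle('color:red;background:url(java/**/script:alert(1)')` returns `color:red;`, which is the "expected" output the fourth comment shows for the library with CSS filtering left on; with `css: false` and no hook, the whole value, `url(...)` included, would be emitted unchanged.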