CyTube/lib/xss.js

var sanitizeHTML = require("sanitize-html");

// These tags are allowed in addition to the defaults
// See https://github.com/punkave/sanitize-html
const ALLOWED_TAGS = [
    "button",
    "center",
    "details",
    "font",
    "h1",
    "h2",
    "img",
    "marquee", // It pains me to do this, but a lot of people use it...
    "s",
    "section",
    "span",
    "summary"
];

const ALLOWED_ATTRIBUTES = [
    "id",
    "aria-*",
    "border",
    "class",
    "color",
    "data-*",
    "height",
    "role",
    "style",
    "title",
    "valign",
    "width"
];

var ATTRIBUTE_MAP = {
    a: ["href", "name", "target"],
    font: ["size"],
    img: ["src"],
    marquee: ["behavior", "behaviour", "direction", "scrollamount"],
    table: ["cellpadding", "cellspacing"],
    th: ["colspan", "rowspan"],
    td: ["colspan", "rowspan"]
}

for (var key in ATTRIBUTE_MAP) {
    ALLOWED_ATTRIBUTES.forEach(function (attr) {
        ATTRIBUTE_MAP[key].push(attr);
    });
}

sanitizeHTML.defaults.allowedTags.concat(ALLOWED_TAGS).forEach(function (tag) {
    if (!(tag in ATTRIBUTE_MAP)) {
        ATTRIBUTE_MAP[tag] = ALLOWED_ATTRIBUTES;
    }
});

const SETTINGS = {
    allowedTags: sanitizeHTML.defaults.allowedTags.concat(ALLOWED_TAGS),
    allowedAttributes: ATTRIBUTE_MAP
};

function sanitizeText(str) {
    str = str.replace(/&/g, "&amp;")
             .replace(/</g, "&lt;")
             .replace(/>/g, "&gt;")
             .replace(/"/g, "&quot;")
             .replace(/'/g, "&#39;")
             .replace(/\(/g, "&#40;")
             .replace(/\)/g, "&#41;");
    return str;
}

function decodeText(str) {
    str = str.replace(/&#([0-9]{2,7});?/g, function (m, p1) {
        return String.fromCharCode(parseInt(p1));
    });
    str = str.replace(/&#x([0-9a-f]{2,7});?/ig, function (m, p1) {
        return String.fromCharCode(parseInt(p1, 16));
    });
    str = str.replace(/&lt;/g, "<")
             .replace(/&gt;/g, ">")
             .replace(/&quot;/g, "\"")
             .replace(/&amp;/g, "&");
    return str;
}

module.exports.sanitizeHTML = function (html) {
    return sanitizeHTML(html, SETTINGS);
};

module.exports.sanitizeText = sanitizeText;
module.exports.decodeText = decodeText;
Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`var sanitizeHTML = require("sanitize-html");`

XSS: Glob attributes data-, aria- 2015-01-06 18:00:36 +00:00			`// These tags are allowed in addition to the defaults`
			`// See https://github.com/punkave/sanitize-html`
Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`const ALLOWED_TAGS = [`
			`"button",`
			`"center",`
			`"details",`
			`"font",`
			`"h1",`
			`"h2",`
			`"img",`
			`"marquee", // It pains me to do this, but a lot of people use it...`
Whitelist <s> tags for filters 2015-01-19 07:26:46 +00:00			`"s",`
Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`"section",`
			`"span",`
			`"summary"`
			`];`

			`const ALLOWED_ATTRIBUTES = [`
			`"id",`
XSS: Glob attributes data-, aria- 2015-01-06 18:00:36 +00:00			`"aria-*",`
Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`"border",`
			`"class",`
			`"color",`
XSS: Glob attributes data-, aria- 2015-01-06 18:00:36 +00:00			`"data-*",`
Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`"height",`
			`"role",`
			`"style",`
			`"title",`
			`"valign",`
			`"width"`
			`];`

			`var ATTRIBUTE_MAP = {`
			`a: ["href", "name", "target"],`
			`font: ["size"],`
			`img: ["src"],`
			`marquee: ["behavior", "behaviour", "direction", "scrollamount"],`
			`table: ["cellpadding", "cellspacing"],`
			`th: ["colspan", "rowspan"],`
			`td: ["colspan", "rowspan"]`
Implement basic XSS filter 2013-10-31 05:39:35 +00:00			`}`

Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`for (var key in ATTRIBUTE_MAP) {`
			`ALLOWED_ATTRIBUTES.forEach(function (attr) {`
			`ATTRIBUTE_MAP[key].push(attr);`
Add XSS filter 2014-01-23 17:45:08 +00:00			`});`
Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`}`
Add XSS filter 2014-01-23 17:45:08 +00:00
Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`sanitizeHTML.defaults.allowedTags.concat(ALLOWED_TAGS).forEach(function (tag) {`
			`if (!(tag in ATTRIBUTE_MAP)) {`
			`ATTRIBUTE_MAP[tag] = ALLOWED_ATTRIBUTES;`
Fix a few edge cases for XSS 2013-10-31 05:48:01 +00:00			`}`
Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`});`
Implement basic XSS filter 2013-10-31 05:39:35 +00:00
Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`const SETTINGS = {`
			`allowedTags: sanitizeHTML.defaults.allowedTags.concat(ALLOWED_TAGS),`
			`allowedAttributes: ATTRIBUTE_MAP`
Implement basic XSS filter 2013-10-31 05:39:35 +00:00			`};`

Start working on text sanitizer 2013-10-31 23:53:03 +00:00			`function sanitizeText(str) {`
			`str = str.replace(/&/g, "&")`
			`.replace(/</g, "<")`
			`.replace(/>/g, ">")`
			`.replace(/"/g, """)`
			`.replace(/'/g, "'")`
			`.replace(/\(/g, "(")`
			`.replace(/\)/g, ")");`
			`return str;`
			`}`

Work on text filter 2013-11-05 16:37:50 +00:00			`function decodeText(str) {`
Add XSS filter 2014-01-23 17:45:08 +00:00			`str = str.replace(/&#([0-9]{2,7});?/g, function (m, p1) {`
Work on text filter 2013-11-05 16:37:50 +00:00			`return String.fromCharCode(parseInt(p1));`
			`});`
Add XSS filter 2014-01-23 17:45:08 +00:00			`str = str.replace(/&#x([0-9a-f]{2,7});?/ig, function (m, p1) {`
Work on text filter 2013-11-05 16:37:50 +00:00			`return String.fromCharCode(parseInt(p1, 16));`
			`});`
			`str = str.replace(/</g, "<")`
			`.replace(/>/g, ">")`
			`.replace(/"/g, "\"")`
			`.replace(/&/g, "&");`
			`return str;`
			`}`

Replace XSS filter with sanitize-html 2015-01-06 17:20:48 +00:00			`module.exports.sanitizeHTML = function (html) {`
			`return sanitizeHTML(html, SETTINGS);`
			`};`

Work on text filter 2013-11-05 16:37:50 +00:00			`module.exports.sanitizeText = sanitizeText;`
			`module.exports.decodeText = decodeText;`