From 1c3273978b14e07bf0c1152156266bca76dabab7 Mon Sep 17 00:00:00 2001
From: calzoneman
Date: Thu, 31 Oct 2013 00:48:01 -0500
Subject: [PATCH] Fix a few edge cases for XSS
---
 lib/xss.js | 19 +++++++++++++++----
 tests/xss.js | 5 +++++
 2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/lib/xss.js b/lib/xss.js
index 149b0d35..fb04129d 100644
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -59,7 +59,7 @@ TagParser.prototype.parse = function () {
 // Attributes
 var attrs = {};
- while (this.text[this.i] !== ">") {
+ while (this.i < this.text.length && this.text[this.i] !== ">") {
 var key = this.readLiteralOrString(/[^\s=>]/);
 this.skipWhitespace();
 if (this.text[this.i] !== "=") {
@@ -77,7 +77,10 @@ TagParser.prototype.parse = function () {
 }
 this.skipWhitespace();
 }
- this.i++;
+
+ if (this.i < this.text.length) {
+ this.i++;
+ }
 return {
 tagName: tname,
@@ -153,8 +156,16 @@ function sanitizeHTML(str) {
 for (var k in t.attributes) {
 if (k.match(badAttrs)) {
 delete t.attributes[k];
- } else if (t.attributes[k].match(badAttrValues)) {
- t.attributes[k] = t.attributes[k].replace(badAttrValues, "");
+ } else {
+ if (t.attributes[k].match(badAttrValues)) {
+ t.attributes[k] = t.attributes[k].replace(badAttrValues, "");
+ }
+
+ var k2 = k.replace(/[^\w]/g, "");
+ if (k2 !== k) {
+ t.attributes[k2] = t.attributes[k];
+ delete t.attributes[k];
+ }
 }
 }
 var fmt = "<" + t.tagName;
diff --git a/tests/xss.js b/tests/xss.js
index c63e40f9..45aa46cc 100644
--- a/tests/xss.js
+++ b/tests/xss.js
@@ -10,6 +10,11 @@ function basicTest() { assert(sanitize("") === ""); + + assert(sanitize(""); + + assert(sanitize(">") === + ">"); } basicTest();
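Review bot: The new `this.i < this.text.length` bound on the attribute loop in `TagParser.prototype.parse`, and the matching guard around `this.i++` in the next hunk, carry no comment saying they exist for a tag that reaches end of input without a closing `>`; I would add `// Unterminated tag: stop at end of input rather than scanning past it` above the `while`. Termination now rests on every iteration advancing `this.i`, and `readLiteralOrString` is not visible in this diff, so it is worth confirming that it also stops at end of input when a quoted attribute value is never closed. `parse` starts and ends outside both hunks.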
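Review bot: In the `sanitizeHTML` attribute loop the name is normalised to `k2` only after `k.match(badAttrs)` has run on the raw `k`, so the cleaned name written back as `t.attributes[k2]` is never itself checked against the blocklist, and a key added during a `for...in` is not guaranteed to be visited later. A name made up only of non-word characters also becomes the empty key `""`, which would then be serialised as an attribute with no name. Normalising first and applying `badAttrs` to both the raw and the cleaned name handles both cases, as sketched below. Note that `[^\w]` strips `-` as well, so names such as `data-x` are renamed; if that is not intended, the character class needs to allow it. `sanitizeHTML` starts and ends outside the hunk.

```javascript
for (var k in t.attributes) {
    // Normalise first so the blocklist sees the name that will be emitted.
    var k2 = k.replace(/[^\w]/g, "");
    var v = t.attributes[k];
    var drop = k2 === "" || k.match(badAttrs) || k2.match(badAttrs);
    if (drop || k2 !== k) {
        delete t.attributes[k];
    }
    if (!drop) {
        t.attributes[k2] = v.replace(badAttrValues, "");
    }
}
```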