Update XSS filter

2014-06-25 20:22:54 -07:00 · 2014-06-25 20:22:54 -07:00 · 3661ab1fd9
parent 9ce02c8e6b
commit 3661ab1fd9
1 changed files with 2 additions and 16 deletions
--- a/lib/xss.js
+++ b/lib/xss.js
@ -205,19 +205,6 @@ const badAttrs = new RegExp([
    "\\baction"
 ].join("|"), "i");

-/* These are things commonly used in the values of HTML attributes of
-   XSS injections.  Go ahead and strip them, they don't have any other
-   use besides javascript
-*/
-const badAttrValues = new RegExp([
-    "alert",
-    "document.cookie",
-    "expression",
-    "javascript",
-    "location",
-    "window"
-].join("|"), "ig");
-
 function sanitizeHTML(str) {
    var i = str.indexOf("<");
    if (i === -1) {
@ -248,9 +235,8 @@ function sanitizeHTML(str) {
            if (k.match(badAttrs)) {
                delete t.attributes[k];
            } else {
-                if (t.attributes[k].match(badAttrValues)) {
-                    // As above, replacing with a nonempty string is important.
-                    t.attributes[k] = t.attributes[k].replace(badAttrValues, "[removed]");
+                if (t.attributes[k].replace(/\s/g, "").indexOf("javascript:") !== -1) {
+                    t.attributes[k] = "[removed]";
                }

            }