Update XSS filter

This commit is contained in:
Calvin Montgomery 2014-06-25 20:22:54 -07:00
parent 9ce02c8e6b
commit 3661ab1fd9


@ -205,19 +205,6 @@ const badAttrs = new RegExp([
"\\baction" "\\baction"
].join("|"), "i"); ].join("|"), "i");
/* These are things commonly used in the values of HTML attributes of
XSS injections. Go ahead and strip them, they don't have any other
use besides javascript
*/
const badAttrValues = new RegExp([
"alert",
"document.cookie",
"expression",
"javascript",
"location",
"window"
].join("|"), "ig");
function sanitizeHTML(str) { function sanitizeHTML(str) {
var i = str.indexOf("<"); var i = str.indexOf("<");
if (i === -1) { if (i === -1) {
@ -248,9 +235,8 @@ function sanitizeHTML(str) {
if (k.match(badAttrs)) { if (k.match(badAttrs)) {
delete t.attributes[k]; delete t.attributes[k];
} else { } else {
if (t.attributes[k].match(badAttrValues)) { if (t.attributes[k].replace(/\s/g, "").indexOf("javascript:") !== -1) {
// As above, replacing with a nonempty string is important. t.attributes[k] = "[removed]";
t.attributes[k] = t.attributes[k].replace(badAttrValues, "[removed]");
} }
} }
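Review bot: The new check in the `else` branch of the attribute loop is case-sensitive — `indexOf("javascript:")` on the whitespace-stripped value — whereas the `badAttrValues` regex it replaces carried the `i` flag, and browsers match URL schemes case-insensitively, so a mixed-case scheme in an attribute value now passes through untouched. Lower-casing the normalised copy before searching keeps the intent of the old flag: `if (t.attributes[k].replace(/\s/g, "").toLowerCase().indexOf("javascript:") !== -1) {`. The change also dropped the `// As above, replacing with a nonempty string is important.` comment while keeping the non-empty `"[removed]"` replacement, so the comment is worth restoring above the assignment to keep the reason on record. Whether entity-encoded forms of the value reach this check already decoded depends on the parser upstream, which is not visible here and should be confirmed. The enclosing loop in sanitizeHTML continues past the end of the hunk.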