Work on text filter

Calvin Montgomery 2013-11-05 10:37:50 -06:00
parent 33d1075d44
commit 7318200878
2 changed files with 58 additions and 17 deletions


@ -262,4 +262,20 @@ function sanitizeText(str) {
return str;
}
function decodeText(str) {
str = str.replace(/&#([0-9]{2,4});?/g, function (m, p1) {
return String.fromCharCode(parseInt(p1));
});
str = str.replace(/&#x([0-9a-f]{2,4});?/ig, function (m, p1) {
return String.fromCharCode(parseInt(p1, 16));
});
str = str.replace(/&lt;/g, "<")
.replace(/&gt;/g, ">")
.replace(/&quot;/g, "\"")
.replace(/&amp;/g, "&");
return str;
}
module.exports.sanitizeHTML = sanitizeHTML;
module.exports.sanitizeText = sanitizeText;
module.exports.decodeText = decodeText;
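Review bot: The numeric-entity regexes on the two `str.replace` lines at the top of `decodeText` accept only 2–4 digits, so `&#9;`, `&#x9;` and five-digit decimal references such as `&#12345;` stay encoded while `&#40;` is decoded, and `parseInt(p1)` is called without a radix. I would change the two patterns to `/&#([0-9]{1,5});?/g` and `/&#x([0-9a-f]{1,4});?/ig` and call `parseInt(p1, 10)`, with the caveat that values above 0xFFFF would still need surrogate-pair handling that `String.fromCharCode` does not provide. The function only reverses the numeric form plus the four named entities `&lt; &gt; &quot; &amp;` (the accompanying test expects `&ccedil;` to survive), and because `&amp;` is decoded last a single call undoes exactly one level of `sanitizeText`, which is the right order but is not stated anywhere. A header comment such as `// Reverses one level of sanitizeText() output only (numeric refs and lt/gt/quot/amp); re-sanitize before inserting the result into HTML` would stop callers treating it as a general entity decoder.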


@ -1,21 +1,46 @@
var sanitize = require('../lib/xss').sanitizeHTML;
var sanitize = require('../lib/xss');
var sanitizeHTML = sanitize.sanitizeHTML;
var sanitizeText = sanitize.sanitizeText;
var decodeText = sanitize.decodeText;
var assert = require('assert');
var failed = 0;
function basicTest() {
assert(sanitize("< script src = bad.js>blah</script>") ===
"[tag removed]blah[tag removed]");
assert(sanitize("< img src=asdf onerror='alert(\"xss\")'>") ===
"<img src=\"asdf\">");
assert(sanitize("<a href='javascript:alert(document.cookie)'>") ===
"<a href=\"[removed]:[removed]([removed])\">");
assert(sanitize("<a ") === "<a>");
assert(sanitize("<img src=\"<a href=\"javascript:void(0)\">>") ===
"<img src=\"<a href=\" javascriptvoid0=\"\">>");
function doTest(s, src, expected) {
try {
assert(s(src) === expected);
} catch (e) {
failed++;
console.log("Expected '" + expected + "'");
console.log("Got '" + s(src) + "'");
}
}
basicTest();
console.log("Tests passed.");
function testSanitizeHTML() {
doTest(sanitizeHTML, "< script src = bad.js>blah</script>", "[tag removed]blah[tag removed]");
doTest(sanitizeHTML, "< img src=asdf onerror='alert(\"xss\")'>", "<img src=\"asdf\">");
doTest(sanitizeHTML, "<a href='javascript:alert(document.cookie)'>", "<a href=\"[removed]:[removed]([removed])\">");
doTest(sanitizeHTML, "<a ", "<a>");
doTest(sanitizeHTML, "<img src=\"<a href=\"javascript:void(0)\">>", "<img src=\"<a href=\" javascriptvoid0>>");
}
function testSanitizeText() {
doTest(sanitizeText, "<a href=\"#\" onerror=\"javascript:alert('xss')\">", "&lt;a href=&quot;#&quot; onerror=&quot;javascript:alert&#40;&#39;xss&#39;&#41;&quot;&gt;");
doTest(sanitizeText, "&lt;&gt;&amp;&quot;&ccedil;&#x09", "&amp;lt;&amp;gt;&amp;amp;&amp;quot;&amp;ccedil;&amp;#x09");
}
function testDecode() {
doTest(decodeText, "&lt;a href=&quot;#&quot; onerror=&quot;javascript:alert&#40;&#39;xss&#39;&#41;&quot;&gt;", "<a href=\"#\" onerror=\"javascript:alert('xss')\">");
doTest(decodeText, "&amp;lt;&amp;gt;&amp;amp;&amp;quot;&amp;ccedil;&amp;#x09", "&lt;&gt;&amp;&quot;&ccedil;&#x09");
}
testSanitizeHTML();
testSanitizeText();
testDecode();
if (!failed)
console.log("Tests passed.");
else
console.log(""+failed, "tests failed");
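Review bot: A failing test still exits with status 0, because the `else` branch on the last line only logs the count and never sets a non-zero exit code, so a CI job or pre-commit hook running this file would report success on a sanitizer regression. I would make that branch `console.log(failed + " tests failed"); process.exit(1);`. In `doTest`, `s(src)` is also evaluated a second time inside the `catch` when printing `Got '...'`; if the sanitizer throws rather than returning a wrong string, that second call rethrows out of the handler and aborts the whole run instead of being counted as a failure. Computing `var got = s(src);` once inside the `try` before the `assert(got === expected)` and reusing `got` in the message avoids both the double call and the escape.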