Work on text filter
parent
33d1075d44
commit
7318200878
16
lib/xss.js
16
lib/xss.js
|
@ -262,4 +262,20 @@ function sanitizeText(str) {
|
||||||
return str;
|
return str;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function decodeText(str) {
|
||||||
|
str = str.replace(/&#([0-9]{2,4});?/g, function (m, p1) {
|
||||||
|
return String.fromCharCode(parseInt(p1));
|
||||||
|
});
|
||||||
|
str = str.replace(/&#x([0-9a-f]{2,4});?/ig, function (m, p1) {
|
||||||
|
return String.fromCharCode(parseInt(p1, 16));
|
||||||
|
});
|
||||||
|
str = str.replace(/</g, "<")
|
||||||
|
.replace(/>/g, ">")
|
||||||
|
.replace(/"/g, "\"")
|
||||||
|
.replace(/&/g, "&");
|
||||||
|
return str;
|
||||||
|
}
|
||||||
|
|
||||||
module.exports.sanitizeHTML = sanitizeHTML;
|
module.exports.sanitizeHTML = sanitizeHTML;
|
||||||
|
module.exports.sanitizeText = sanitizeText;
|
||||||
|
module.exports.decodeText = decodeText;
|
||||||
|
|
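Review bot: The new `decodeText` only recognises the four named entities in the chain at L57–L69 plus numeric references of exactly 2–4 digits, so `&ccedil;` (which the new `testDecode` at L276 expects to become `ç`), single-digit forms such as `&#9;`/`&#x9;`, and 5–6 digit references for code points above U+FFFF all pass through untouched; `String.fromCharCode` would also mis-handle astral code points even if the digit limit were lifted, and `parseInt(p1)` at L37 omits the radix. This page appears to have rendered the entity names as their characters (the replacements read as `/</g` → `"<"`), so the exact named-entity patterns are inferred rather than visible. Either add `&ccedil;` to the named chain or drop it from the test, and widen the numeric handling as sketched below, keeping out-of-range values as written so `fromCodePoint` cannot throw on attacker-supplied digits. The named-entity chain and `return str;` are unchanged.
```javascript
function decodeText(str) {
  // Numeric references: 1-6 digits so &#9; and astral code points resolve;
  // values above U+10FFFF are left as written instead of throwing.
  var numeric = function (m, p1, radix) {
    var cp = parseInt(p1, radix);
    return cp <= 0x10FFFF ? String.fromCodePoint(cp) : m;
  };
  str = str.replace(/&#([0-9]{1,6});?/g, function (m, p1) { return numeric(m, p1, 10); });
  str = str.replace(/&#x([0-9a-f]{1,6});?/ig, function (m, p1) { return numeric(m, p1, 16); });
  // … unchanged: named-entity replacements and return str; …
}
```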
59
tests/xss.js
59
tests/xss.js
|
@ -1,21 +1,46 @@
|
||||||
var sanitize = require('../lib/xss').sanitizeHTML;
|
var sanitize = require('../lib/xss');
|
||||||
|
var sanitizeHTML = sanitize.sanitizeHTML;
|
||||||
|
var sanitizeText = sanitize.sanitizeText;
|
||||||
|
var decodeText = sanitize.decodeText;
|
||||||
var assert = require('assert');
|
var assert = require('assert');
|
||||||
|
var failed = 0;
|
||||||
|
|
||||||
function basicTest() {
|
function doTest(s, src, expected) {
|
||||||
assert(sanitize("< script src = bad.js>blah</script>") ===
|
try {
|
||||||
"[tag removed]blah[tag removed]");
|
assert(s(src) === expected);
|
||||||
|
} catch (e) {
|
||||||
assert(sanitize("< img src=asdf onerror='alert(\"xss\")'>") ===
|
failed++;
|
||||||
"<img src=\"asdf\">");
|
console.log("Expected '" + expected + "'");
|
||||||
|
console.log("Got '" + s(src) + "'");
|
||||||
assert(sanitize("<a href='javascript:alert(document.cookie)'>") ===
|
}
|
||||||
"<a href=\"[removed]:[removed]([removed])\">");
|
|
||||||
|
|
||||||
assert(sanitize("<a ") === "<a>");
|
|
||||||
|
|
||||||
assert(sanitize("<img src=\"<a href=\"javascript:void(0)\">>") ===
|
|
||||||
"<img src=\"<a href=\" javascriptvoid0=\"\">>");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
basicTest();
|
function testSanitizeHTML() {
|
||||||
console.log("Tests passed.");
|
doTest(sanitizeHTML, "< script src = bad.js>blah</script>", "[tag removed]blah[tag removed]");
|
||||||
|
|
||||||
|
doTest(sanitizeHTML, "< img src=asdf onerror='alert(\"xss\")'>", "<img src=\"asdf\">");
|
||||||
|
|
||||||
|
doTest(sanitizeHTML, "<a href='javascript:alert(document.cookie)'>", "<a href=\"[removed]:[removed]([removed])\">");
|
||||||
|
|
||||||
|
doTest(sanitizeHTML, "<a ", "<a>");
|
||||||
|
|
||||||
|
doTest(sanitizeHTML, "<img src=\"<a href=\"javascript:void(0)\">>", "<img src=\"<a href=\" javascriptvoid0>>");
|
||||||
|
}
|
||||||
|
|
||||||
|
function testSanitizeText() {
|
||||||
|
doTest(sanitizeText, "<a href=\"#\" onerror=\"javascript:alert('xss')\">", "<a href="#" onerror="javascript:alert('xss')">");
|
||||||
|
doTest(sanitizeText, "<>&"ç	", "&lt;&gt;&amp;&quot;&ccedil;&#x09");
|
||||||
|
}
|
||||||
|
|
||||||
|
function testDecode() {
|
||||||
|
doTest(decodeText, "<a href="#" onerror="javascript:alert('xss')">", "<a href=\"#\" onerror=\"javascript:alert('xss')\">");
|
||||||
|
doTest(decodeText, "&lt;&gt;&amp;&quot;&ccedil;&#x09", "<>&"ç	");
|
||||||
|
}
|
||||||
|
|
||||||
|
testSanitizeHTML();
|
||||||
|
testSanitizeText();
|
||||||
|
testDecode();
|
||||||
|
if (!failed)
|
||||||
|
console.log("Tests passed.");
|
||||||
|
else
|
||||||
|
console.log(""+failed, "tests failed");
|
||||||
|
|
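Review bot: Test failures no longer affect the process exit status: `doTest` (L137–L170) catches the assertion and only increments `failed`, and the trailer at L299–L311 merely logs the count, so `node tests/xss.js` exits 0 even when cases fail, whereas the replaced `basicTest` let `assert` throw. Set a non-zero code in the else branch, `else { console.log("" + failed, "tests failed"); process.exitCode = 1; }`. `doTest` also re-runs the sanitizer when logging at L165; capturing it once with `var got = s(src);` and comparing `got === expected` avoids the second call and makes the `assert` inside the `try` redundant. The expected strings at L253–L276 appear on this page with their entity references already rendered, so their exact content cannot be checked here.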