From cdd3e367e8f239b887b716afe9ca2ab2fc820dac Mon Sep 17 00:00:00 2001
From: Tom Anthony
Date: Wed, 22 Jul 2020 23:40:13 +0100
Subject: [PATCH 1/2] Update handling of quoteStart to allow for whitespace after =. Add a new test case for this failure scenario.
---
 lib/parser.js | 14 ++++++++++----
 test/test_custom_method.js | 16 ++++++++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/lib/parser.js b/lib/parser.js
index 0caa24fb..a364503b 100644
--- a/lib/parser.js
+++ b/lib/parser.js
@@ -55,7 +55,7 @@ function parseTag(html, onTag, escapeHtml) {
 var currentTagName = "";
 var currentHtml = "";
- for (currentPos = 0; currentPos < len; currentPos++) {
+ chariterator: for (currentPos = 0; currentPos < len; currentPos++) {
 var c = html.charAt(currentPos);
 if (tagStart === false) {
 if (c === "<") {
@@ -85,9 +85,15 @@ function parseTag(html, onTag, escapeHtml) {
 tagStart = false;
 continue;
 }
- if ((c === '"' || c === "'") && html.charAt(currentPos - 1) === "=") {
- quoteStart = c;
- continue;
+ if ((c === '"' || c === "'")) {
+ var i = 1;
+ while ((html.charAt(currentPos - i) === " ") || (html.charAt(currentPos - i) === "=")) {
+ if (html.charAt(currentPos - i) === "=") {
+ quoteStart = c;
+ continue chariterator;
+ }
+ i++;
+ }
 }
 } else {
 if (c === quoteStart) {
diff --git a/test/test_custom_method.js b/test/test_custom_method.js
index 0be06095..bf564a6a 100644
--- a/test/test_custom_method.js
+++ b/test/test_custom_method.js
@@ -359,4 +359,20 @@ describe("test custom XSS method", function() {
 '
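Review bot: The backward scan in the new quote check only treats a literal space as whitespace, so an `=` followed by a tab, line feed, form feed or carriage return before the quote still leaves quoteStart unset and the value is then handled as unquoted exactly as before the fix. The HTML tokenizer skips all of those characters between `=` and an attribute value, so the sanitizer should accept the same set; replacing the loop condition with `while (/[ \t\n\r\f=]/.test(html.charAt(currentPos - i))) {` does that and still terminates, because charAt returns an empty string once the index goes negative. The same gap is present in the rewritten loop of the second patch, where the condition on `ic` needs the same change. The labeled `continue chariterator` is load-bearing: a plain `continue` would restart the inner while with `i` unchanged and never exit, so a short comment on that line would help the next reader. parseTag's body starts before the first hunk and continues past this one.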
hello
'
 );
 });
+
+ it("#onTag - sanitize html parameter", function() { var source = '">'; var i = 0; var html = xss(source, { onTag: function(_, E, S) { if (S.isWhite && "a" === _) { if (S.isClosing) return ""; return "".concat(E, '') } } }); debug(html); assert.equal(html, '<script>alert(2)</script>">'); }); });
From 433dbd775093d5b84d8e21a188777250d173b7e3 Mon Sep 17 00:00:00 2001
From: Tom Anthony
Date: Fri, 24 Jul 2020 10:41:06 +0100
Subject: [PATCH 2/2] Make coding style project consistent.
---
 lib/parser.js | 8 +++++---
 test/test_custom_method.js | 5 ++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/lib/parser.js b/lib/parser.js
index a364503b..787c304a 100644
--- a/lib/parser.js
+++ b/lib/parser.js
@@ -87,12 +87,14 @@ function parseTag(html, onTag, escapeHtml) {
 }
 if ((c === '"' || c === "'")) {
 var i = 1;
- while ((html.charAt(currentPos - i) === " ") || (html.charAt(currentPos - i) === "=")) {
- if (html.charAt(currentPos - i) === "=") {
+ var ic = html.charAt(currentPos - i);
+
+ while ((ic === " ") || (ic === "=")) {
+ if (ic === "=") {
 quoteStart = c;
 continue chariterator;
 }
- i++;
+ ic = html.charAt(currentPos - ++i);
 }
 }
 } else {
diff --git a/test/test_custom_method.js b/test/test_custom_method.js
index bf564a6a..d92cfeab 100644
--- a/test/test_custom_method.js
+++ b/test/test_custom_method.js
@@ -366,9 +366,8 @@ describe("test custom XSS method", function() {
 var html = xss(source, {
 onTag: function(_, E, S) {
 if (S.isWhite && "a" === _) {
- if (S.isClosing)
- return "";
+ if (S.isClosing) return "";
+ return "".concat(E, '');
 }
 }
 });
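Review bot: `var i = 0;` in the new test case is never read anywhere in the visible lines of the hunk and should be dropped; the second patch's reformat of this test leaves it in place as well. The case has no comment saying what it covers, and since the custom onTag callback returns `E` (presumably the tag's html) unchanged for a whitelisted `a` tag, the assertion depends entirely on how parseTag found the end of the tag; a line such as `// regression test: whitespace between '=' and the opening quote of an attribute value` above `var source` would make the intent explicit. The enclosing describe block starts before the hunk.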
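Review bot: The backward scan still carries no comment explaining why it exists, and the name `ic` does not convey that it is the character being examined while walking left from the quote. A comment above `var i = 1;` such as `// walk left over spaces: a quote preceded by '=' (with optional whitespace) opens a quoted attribute value` would do, and renaming `ic` to `prev` would make the loop read more naturally. The pre-increment buried in the charAt argument is easy to misread; `i += 1;` followed by `ic = html.charAt(currentPos - i);` is the project-consistent form the commit subject asks for. parseTag's body starts before this hunk and continues past it.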