fix #245

dist/xss.js

@@ -620,7 +620,7 @@ function parseTag(html, onTag, escapeHtml) {
   return rethtml;
 }
 
-var REGEXP_ILLEGAL_ATTR_NAME = /[^a-zA-Z0-9_:\.\-]/gim;
+var REGEXP_ILLEGAL_ATTR_NAME = /[^a-zA-Z0-9\\_:.-]/gim;
 
 /**
  * parse input attributes and returns processed attributes
@@ -633,6 +633,7 @@ function parseAttr(html, onAttr) {
   "use strict";
 
   var lastPos = 0;
+  var lastMarkPos = 0;
   var retAttrs = [];
   var tmpName = false;
   var len = html.length;
@@ -652,19 +653,18 @@ function parseAttr(html, onAttr) {
     if (tmpName === false && c === "=") {
       tmpName = html.slice(lastPos, i);
       lastPos = i + 1;
+      lastMarkPos = html.charAt(lastPos) === '"' || html.charAt(lastPos) === "'" ? lastPos : findNextQuotationMark(html, i + 1);
       continue;
     }
     if (tmpName !== false) {
       if (
-        i === lastPos &&
-        (c === '"' || c === "'") &&
-        html.charAt(i - 1) === "="
+        i === lastMarkPos
       ) {
         j = html.indexOf(c, i + 1);
         if (j === -1) {
           break;
         } else {
-          v = _.trim(html.slice(lastPos + 1, j));
+          v = _.trim(html.slice(lastMarkPos + 1, j));
           addAttr(tmpName, v);
           tmpName = false;
           i = j;
@@ -723,6 +723,15 @@ function findNextEqual(str, i) {
   }
 }
 
+function findNextQuotationMark(str, i) {
+  for (; i < str.length; i++) {
+    var c = str[i];
+    if (c === " ") continue;
+    if (c === "'" || c === '"') return i;
+    return -1;
+  }
+}
+
 function findBeforeEqual(str, i) {
   for (; i > 0; i--) {
     var c = str[i];
@@ -941,7 +950,7 @@ FilterXSS.prototype.process = function (html) {
         sourcePosition: sourcePosition,
         position: position,
         isClosing: isClosing,
-        isWhite: whiteList.hasOwnProperty(tag),
+        isWhite: Object.prototype.hasOwnProperty.call(whiteList, tag),
       };
 
       // call `onTag()`

lib/parser.js

@@ -113,7 +113,7 @@ function parseTag(html, onTag, escapeHtml) {
   return rethtml;
 }
 
-var REGEXP_ILLEGAL_ATTR_NAME = /[^a-zA-Z0-9_:.-]/gim;
+var REGEXP_ILLEGAL_ATTR_NAME = /[^a-zA-Z0-9\\_:.-]/gim;
 
 /**
  * parse input attributes and returns processed attributes
@@ -126,6 +126,7 @@ function parseAttr(html, onAttr) {
   "use strict";
 
   var lastPos = 0;
+  var lastMarkPos = 0;
   var retAttrs = [];
   var tmpName = false;
   var len = html.length;
@@ -145,19 +146,18 @@ function parseAttr(html, onAttr) {
     if (tmpName === false && c === "=") {
       tmpName = html.slice(lastPos, i);
       lastPos = i + 1;
+      lastMarkPos = html.charAt(lastPos) === '"' || html.charAt(lastPos) === "'" ? lastPos : findNextQuotationMark(html, i + 1);
       continue;
     }
     if (tmpName !== false) {
       if (
-        i === lastPos &&
-        (c === '"' || c === "'") &&
-        html.charAt(i - 1) === "="
+        i === lastMarkPos
       ) {
         j = html.indexOf(c, i + 1);
         if (j === -1) {
           break;
         } else {
-          v = _.trim(html.slice(lastPos + 1, j));
+          v = _.trim(html.slice(lastMarkPos + 1, j));
           addAttr(tmpName, v);
           tmpName = false;
           i = j;
@@ -216,6 +216,15 @@ function findNextEqual(str, i) {
   }
 }
 
+function findNextQuotationMark(str, i) {
+  for (; i < str.length; i++) {
+    var c = str[i];
+    if (c === " ") continue;
+    if (c === "'" || c === '"') return i;
+    return -1;
+  }
+}
+
 function findBeforeEqual(str, i) {
   for (; i > 0; i--) {
     var c = str[i];

test/test_html_parser.js

@@ -75,7 +75,7 @@ describe("test HTML parser", function() {
   it("#parseAttr", function() {
     var i = 0;
     var html = parseAttr(
-      'href="#"attr1=b attr2=c attr3 attr4=\'value4"\'attr5/',
+      'href="#"attr1=b attr2=c attr3 attr4=\'value4"\'attr5/ attr6\\" attr7= "123 456"',
       function(name, value) {
         i++;
         debug(arguments);
@@ -103,15 +103,24 @@ describe("test HTML parser", function() {
           assert.equal(name, "attr5");
           assert.equal(value, "");
           return attr(name, value);
-        } else {
+        } else if(i === 7) {
+          assert.equal(name, "attr6\\");
+          assert.equal(value, "");
+          return attr(name, value);
+        } else if(i === 8){
+          assert.equal(name , "attr7");
+          assert.equal(value , "123 456");
+          return attr(name, value);
+        }
+        else {
           throw new Error();
         }
       }
     );
     debug(html);
     assert.equal(
       html,
-      'href="#" attr1="b" attr2="c" attr3 attr4="value4&quote;" attr5'
+      'href="#" attr1="b" attr2="c" attr3 attr4="value4&quote;" attr5 attr6\\ attr7="123 456"'
     );
   });