fix: comment has encoded #257

Merged
merged 1 commit into from
May 27, 2022
12 changes: 12 additions & 0 deletions lib/default.js
Expand Up @@ -159,6 +159,15 @@ function escapeHtml(html) {
return html.replace(REGEXP_LT, "<").replace(REGEXP_GT, ">");
}

/**
* default escapeHtml function but dont escape comment
*
* @param {String} html
*/
function escapeHtmlNotComment(html) {
return html.replace(REGEXP_LT_NOT_COMMENT, "<").replace(REGEXP_RT_NOT_COMMENT, ">");
}

/**
* default safeAttrValue function
*
Expand Down Expand Up @@ -228,6 +237,8 @@ function safeAttrValue(tag, name, value, cssFilter) {
// RegExp list
var REGEXP_LT = /</g;
var REGEXP_GT = />/g;
var REGEXP_LT_NOT_COMMENT = /<(?!!--)/g;
var REGEXP_RT_NOT_COMMENT = /(?<!--)>/g;
Owner


正则表达式 /(?<!--)>/g 在 Safari 上会报错 SyntaxError: Invalid regular expression: invalid group specifier name,原因是 Safari 不支持 negative lookbehind

var REGEXP_QUOTE = /"/g;
var REGEXP_QUOTE_2 = /&quot;/g;
var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim;
Expand Down Expand Up @@ -444,6 +455,7 @@ exports.onTagAttr = onTagAttr;
exports.onIgnoreTagAttr = onIgnoreTagAttr;
exports.safeAttrValue = safeAttrValue;
exports.escapeHtml = escapeHtml;
exports.escapeHtmlNotComment = escapeHtmlNotComment;
exports.escapeQuote = escapeQuote;
exports.unescapeQuote = unescapeQuote;
exports.escapeHtmlEntities = escapeHtmlEntities;
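Review bot: The two patterns added to the `// RegExp list` hunk match delimiter characters, not a balanced comment, so with allowCommentTag enabled a lone `<!--` in a text segment that has no closing `-->` is passed through raw, and a browser then treats everything after it as comment content, hiding the rest of the rendered output; how text segments reach escapeHtmlNotComment depends on the parser in lib/xss.js, which is outside this hunk. That limitation belongs on the JSDoc, e.g. `@returns {String} html with < and > escaped, except where they form the <!-- and --> delimiters (delimiter balance is not checked)`. Separately, `REGEXP_RT_NOT_COMMENT` breaks the `REGEXP_LT`/`REGEXP_GT` naming; `REGEXP_GT_NOT_COMMENT` would read consistently.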
2 changes: 1 addition & 1 deletion lib/xss.js
Expand Up @@ -87,7 +87,7 @@ function FilterXSS(options) {
options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
options.escapeHtml = options.escapeHtml || (options.allowCommentTag ? DEFAULT.escapeHtmlNotComment : DEFAULT.escapeHtml);
this.options = options;

if (options.css === false) {
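Review bot: The new `options.escapeHtml` line ties comment preservation to the default escaper only: a caller who passes both `allowCommentTag: true` and a custom `escapeHtml` gets the custom function, which will encode the comment delimiters again unless it handles them itself. That interaction is not obvious from the option name, so a short comment above the line would help, e.g. `// allowCommentTag only switches the default escaper; a custom escapeHtml must preserve <!-- --> itself`. The line is also much longer than its neighbours; assigning the ternary to its own `var` first would keep the option-defaulting block uniform. FilterXSS continues outside the hunk.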
2 changes: 1 addition & 1 deletion test/test_xss.js
Expand Up @@ -371,7 +371,7 @@ describe("test XSS", function() {
"PT><![endif]--> END",
{ allowCommentTag: true }
),
"&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--&gt; END"
"<!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--> END"
);
assert.equal(
xss(
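Review bot: The updated expectation covers only a balanced conditional comment; nothing pins what happens with `allowCommentTag: true` when the input holds an unclosed `<!--` or a bare `-->`, which is where an escaper keyed on delimiter characters rather than comment structure is most likely to surprise. One assertion per case, with whichever output is intended, would lock that behaviour down; the expected strings have to be derived from lib/default.js, which is outside this hunk. The enclosing describe block starts before the hunk.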