express-xss-sanitizer
Comparing version 1.1.6 to 1.1.7
@@ -1,8 +0,8 @@ | ||
"use strict"; | ||
'use strict'; | ||
const sanitize = require("./lib/sanitize"); | ||
const sanitize = require('./lib/sanitize'); | ||
function middleware(options = {}) { | ||
return (req, res, next) => { | ||
["body", "params", "headers", "query"].forEach((k) => { | ||
['body', 'params', 'headers', 'query'].forEach((k) => { | ||
if (req[k]) { | ||
@@ -9,0 +9,0 @@ req[k] = sanitize(req[k], options); |
@@ -1,9 +0,7 @@ | ||
"use strict"; | ||
'use strict'; | ||
const sanitizeHtml = require("sanitize-html"); | ||
const sanitizeHtml = require('sanitize-html'); | ||
function hasOwn(object, key) { | ||
const keys = Reflect.ownKeys(object).filter( | ||
(item) => typeof item !== "symbol" | ||
); | ||
const keys = Reflect.ownKeys(object).filter((item) => typeof item !== 'symbol'); | ||
return keys.includes(key); | ||
@@ -14,15 +12,12 @@ } | ||
const sanitizerOptions = {}; | ||
if ( | ||
hasOwn(options, "allowedTags") && | ||
Array.isArray(options.allowedTags) && | ||
options.allowedTags.length > 0 | ||
) { | ||
if (hasOwn(options, 'allowedTags') && Array.isArray(options.allowedTags) && options.allowedTags.length > 0) { | ||
sanitizerOptions.allowedTags = options.allowedTags; | ||
} | ||
if (hasOwn(options, 'allowedAttributes') && Object.keys(options.allowedAttributes).length > 0) { | ||
sanitizerOptions.allowedAttributes = options.allowedAttributes; | ||
} | ||
return { | ||
allowedKeys: | ||
(hasOwn(options, "allowedKeys") && | ||
Array.isArray(options.allowedKeys) && | ||
options.allowedKeys) || | ||
[], | ||
allowedKeys: (hasOwn(options, 'allowedKeys') && Array.isArray(options.allowedKeys) && options.allowedKeys) || [], | ||
sanitizerOptions, | ||
@@ -33,3 +28,3 @@ }; | ||
const sanitize = (options, data) => { | ||
if (typeof data === "string") { | ||
if (typeof data === 'string') { | ||
return sanitizeHtml(data, options.sanitizerOptions); | ||
@@ -39,6 +34,6 @@ } | ||
return data.map((item) => { | ||
if (typeof item === "string") { | ||
if (typeof item === 'string') { | ||
return sanitizeHtml(item, options.sanitizerOptions); | ||
} | ||
if (Array.isArray(item) || typeof item === "object") { | ||
if (Array.isArray(item) || typeof item === 'object') { | ||
return sanitize(options, item); | ||
@@ -49,3 +44,3 @@ } | ||
} | ||
if (typeof data === "object" && data !== null) { | ||
if (typeof data === 'object' && data !== null) { | ||
Object.keys(data).forEach((key) => { | ||
@@ -56,5 +51,5 @@ if (options.allowedKeys.includes(key)) { | ||
const item = data[key]; | ||
if (typeof item === "string") { | ||
if (typeof item === 'string') { | ||
data[key] = sanitizeHtml(item, options.sanitizerOptions); | ||
} else if (Array.isArray(item) || typeof item === "object") { | ||
} else if (Array.isArray(item) || typeof item === 'object') { | ||
data[key] = sanitize(options, item); | ||
@@ -61,0 +56,0 @@ } |
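Review bot: The new guard `if (hasOwn(options, 'allowedAttributes') && Object.keys(options.allowedAttributes).length > 0)` throws a TypeError from `Object.keys` when the key is present with a `null` or `undefined` value, and it also accepts arrays and strings, whereas the `allowedTags` branch just above it validates the shape with `Array.isArray`; make it `if (hasOwn(options, 'allowedAttributes') && typeof options.allowedAttributes === 'object' && options.allowedAttributes !== null && Object.keys(options.allowedAttributes).length > 0) {` so a malformed option is ignored the same way a malformed `allowedTags` is. The accepted value is then handed to sanitize-html unchanged, and as far as I recall sanitize-html's option handling an explicit `allowedAttributes` replaces its default attribute allow-list rather than extending it, so a caller who lists only `input: ['value']` (the README example) would lose the default `a`/`img` attribute allowances and, conversely, any event-handler (`on*`) or URL-bearing attribute named here is no longer stripped; a comment above the assignment, `// Passed through as-is: overrides sanitize-html's default attribute allow-list, so anything listed here is trusted`, would make that trust boundary explicit and the README should say the same. The enclosing options-normalizing function starts outside this hunk.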
{ | ||
"name": "express-xss-sanitizer", | ||
"version": "1.1.6", | ||
"version": "1.1.7", | ||
"description": "Express 4.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack.", | ||
"main": "index.js", | ||
"scripts": { | ||
"test": "./node_modules/mocha/bin/mocha " | ||
"test": "./node_modules/mocha/bin/_mocha", | ||
"test:spec": "npx mocha --reporter spec", | ||
"format": "prettier --config .prettierrc './**/*.js' --write", | ||
"lint": "eslint . --ext .js", | ||
"lint:fix": "eslint . --ext .js --fix", | ||
"prepublishOnly": "npm run lint", | ||
"preversion": "npm run lint && npm run test" | ||
}, | ||
@@ -28,3 +34,3 @@ "repository": { | ||
"dependencies": { | ||
"sanitize-html": "~2.7.1" | ||
"sanitize-html": "~2.11.0" | ||
}, | ||
@@ -40,3 +46,3 @@ "devDependencies": { | ||
"express": "^4.17.1", | ||
"mocha": "^7.1.1", | ||
"mocha": "^10.2.0", | ||
"prettier": "^2.2.1", | ||
@@ -43,0 +49,0 @@ "supertest": "^6.0.1" |
@@ -22,6 +22,9 @@ # Express XSS Sanitizer | ||
``` | ||
You can add options to specify allowed keys to be skipped at sanitization | ||
You can add options to specify allowed keys or allowed attributes to be skipped at sanitization | ||
``` | ||
const options = { | ||
allowedKeys: ['name'] | ||
allowedKeys: ['name'], | ||
allowedAttributes: { | ||
input: ['value'], | ||
}, | ||
} | ||
@@ -28,0 +31,0 @@ |
887
test/test.js
@@ -5,12 +5,12 @@ /* eslint-disable prettier/prettier */ | ||
"use strict"; | ||
'use strict'; | ||
const request = require("supertest"); | ||
const express = require("express"); | ||
const bodyParser = require("body-parser"); | ||
const { expect } = require("chai"); | ||
const { xss, sanitize } = require("../index"); | ||
const request = require('supertest'); | ||
const express = require('express'); | ||
const bodyParser = require('body-parser'); | ||
const { expect } = require('chai'); | ||
const { xss, sanitize } = require('../index'); | ||
describe("Express xss Sanitize", function () { | ||
describe("Sanitize with default settings as middleware before all routes", function () { | ||
describe('Express xss Sanitize', function () { | ||
describe('Sanitize with default settings as middleware before all routes', function () { | ||
const app = express(); | ||
@@ -21,3 +21,3 @@ app.use(bodyParser.urlencoded({ extended: true })); | ||
app.post("/body", function (req, res) { | ||
app.post('/body', function (req, res) { | ||
res.status(200).json({ | ||
@@ -28,3 +28,3 @@ body: req.body, | ||
app.post("/headers", function (req, res) { | ||
app.post('/headers', function (req, res) { | ||
res.status(200).json({ | ||
@@ -35,3 +35,3 @@ headers: req.headers, | ||
app.get("/query", function (req, res) { | ||
app.get('/query', function (req, res) { | ||
res.status(200).json({ | ||
@@ -41,11 +41,11 @@ query: req.query, | ||
}); | ||
describe("Sanitize simple object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
describe('Sanitize simple object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}) | ||
@@ -58,4 +58,4 @@ .expect( | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}, | ||
@@ -67,10 +67,10 @@ }, | ||
it("should sanitize clean headers.", function (done) { | ||
it('should sanitize clean headers.', function (done) { | ||
request(app) | ||
.post("/headers") | ||
.post('/headers') | ||
.set({ | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}) | ||
@@ -80,6 +80,6 @@ .expect(200) | ||
expect(res.body.headers).to.include({ | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}); | ||
@@ -90,5 +90,5 @@ }) | ||
it("should sanitize clean query.", function (done) { | ||
it('should sanitize clean query.', function (done) { | ||
request(app) | ||
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>") | ||
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>') | ||
.expect( | ||
@@ -98,6 +98,6 @@ 200, | ||
query: { | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}, | ||
@@ -109,7 +109,7 @@ }, | ||
it("should sanitize dirty body.", function (done) { | ||
it('should sanitize dirty body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -122,5 +122,5 @@ c: '<img src="/"/>', | ||
body: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
}, | ||
@@ -132,7 +132,5 @@ }, | ||
it("should sanitize dirty query.", function (done) { | ||
it('should sanitize dirty query.', function (done) { | ||
request(app) | ||
.get( | ||
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>', | ||
) | ||
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>') | ||
.expect( | ||
@@ -142,5 +140,5 @@ 200, | ||
query: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
}, | ||
@@ -152,7 +150,7 @@ }, | ||
it("should sanitize dirty headers.", function (done) { | ||
it('should sanitize dirty headers.', function (done) { | ||
request(app) | ||
.post("/headers") | ||
.post('/headers') | ||
.set({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -164,5 +162,5 @@ c: '<img src="/"/>', | ||
expect(res.body.headers).to.include({ | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
}); | ||
@@ -174,16 +172,16 @@ }) | ||
describe("Sanitize complex object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
describe('Sanitize complex object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -193,5 +191,5 @@ }, | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -206,9 +204,9 @@ }, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -218,5 +216,5 @@ }, | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -230,7 +228,7 @@ }, | ||
it("should sanitize dirty body.", function (done) { | ||
it('should sanitize dirty body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -240,10 +238,5 @@ c: '<img src="/"/>', | ||
"<h1 onclick='return false;'>H1 Test</h1>", | ||
"bla bla", | ||
'bla bla', | ||
{ | ||
i: [ | ||
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", | ||
"bla bla", | ||
false, | ||
5, | ||
], | ||
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5], | ||
j: '<a href="/" onclick="return 0;">Link</a>', | ||
@@ -255,3 +248,3 @@ }, | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -264,10 +257,10 @@ }, | ||
body: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -277,5 +270,5 @@ }, | ||
obj: { | ||
e: "", | ||
e: '', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -291,6 +284,6 @@ }, | ||
describe("Sanitize with custom options as middleware before all routes", function () { | ||
describe('Sanitize with custom options as middleware before all routes', function () { | ||
const app = express(); | ||
const options = { | ||
allowedKeys: ["c"], | ||
allowedKeys: ['c'], | ||
}; | ||
@@ -301,3 +294,3 @@ app.use(bodyParser.urlencoded({ extended: true })); | ||
app.post("/body", function (req, res) { | ||
app.post('/body', function (req, res) { | ||
res.status(200).json({ | ||
@@ -308,3 +301,3 @@ body: req.body, | ||
app.post("/headers", function (req, res) { | ||
app.post('/headers', function (req, res) { | ||
res.status(200).json({ | ||
@@ -315,3 +308,3 @@ headers: req.headers, | ||
app.get("/query", function (req, res) { | ||
app.get('/query', function (req, res) { | ||
res.status(200).json({ | ||
@@ -321,11 +314,11 @@ query: req.query, | ||
}); | ||
describe("Sanitize simple object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
describe('Sanitize simple object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}) | ||
@@ -338,4 +331,4 @@ .expect( | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}, | ||
@@ -347,10 +340,10 @@ }, | ||
it("should sanitize clean headers.", function (done) { | ||
it('should sanitize clean headers.', function (done) { | ||
request(app) | ||
.post("/headers") | ||
.post('/headers') | ||
.set({ | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}) | ||
@@ -360,6 +353,6 @@ .expect(200) | ||
expect(res.body.headers).to.include({ | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}); | ||
@@ -370,5 +363,5 @@ }) | ||
it("should sanitize clean query.", function (done) { | ||
it('should sanitize clean query.', function (done) { | ||
request(app) | ||
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>") | ||
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>') | ||
.expect( | ||
@@ -378,6 +371,6 @@ 200, | ||
query: { | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}, | ||
@@ -389,7 +382,7 @@ }, | ||
it("should sanitize dirty body.", function (done) { | ||
it('should sanitize dirty body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -402,4 +395,4 @@ c: '<img src="/"/>', | ||
body: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '<img src="/"/>', | ||
@@ -412,7 +405,5 @@ }, | ||
it("should sanitize dirty query.", function (done) { | ||
it('should sanitize dirty query.', function (done) { | ||
request(app) | ||
.get( | ||
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>', | ||
) | ||
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>') | ||
.expect( | ||
@@ -422,4 +413,4 @@ 200, | ||
query: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '<img src="/"/>', | ||
@@ -432,7 +423,7 @@ }, | ||
it("should sanitize dirty headers.", function (done) { | ||
it('should sanitize dirty headers.', function (done) { | ||
request(app) | ||
.post("/headers") | ||
.post('/headers') | ||
.set({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -444,4 +435,4 @@ c: '<img src="/"/>', | ||
expect(res.body.headers).to.include({ | ||
a: "", | ||
b: "<p>Test</p>", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '<img src="/"/>', | ||
@@ -454,16 +445,16 @@ }); | ||
describe("Sanitize complex object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
describe('Sanitize complex object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -473,5 +464,5 @@ }, | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -486,9 +477,9 @@ }, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -498,5 +489,5 @@ }, | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -510,7 +501,7 @@ }, | ||
it("should sanitize dirty body.", function (done) { | ||
it('should sanitize dirty body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -520,10 +511,5 @@ c: '<img src="/"/>', | ||
"<h1 onclick='return false;'>H1 Test</h1>", | ||
"bla bla", | ||
'bla bla', | ||
{ | ||
i: [ | ||
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", | ||
"bla bla", | ||
false, | ||
5, | ||
], | ||
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5], | ||
j: '<a href="/" onclick="return 0;">Link</a>', | ||
@@ -535,3 +521,3 @@ }, | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -544,10 +530,10 @@ }, | ||
body: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '<img src="/"/>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -557,5 +543,5 @@ }, | ||
obj: { | ||
e: "", | ||
e: '', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -571,3 +557,3 @@ }, | ||
describe("Sanitize with default settings as middleware before each route", function () { | ||
describe('Sanitize with default settings as middleware before each route', function () { | ||
const app = express(); | ||
@@ -577,3 +563,3 @@ app.use(bodyParser.urlencoded({ extended: true })); | ||
app.post("/body", xss(), function (req, res) { | ||
app.post('/body', xss(), function (req, res) { | ||
res.status(200).json({ | ||
@@ -584,3 +570,3 @@ body: req.body, | ||
app.post("/headers", xss(), function (req, res) { | ||
app.post('/headers', xss(), function (req, res) { | ||
res.status(200).json({ | ||
@@ -591,3 +577,3 @@ headers: req.headers, | ||
app.get("/query", function (req, res) { | ||
app.get('/query', function (req, res) { | ||
res.status(200).json({ | ||
@@ -597,11 +583,11 @@ query: req.query, | ||
}); | ||
describe("Sanitize simple object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
describe('Sanitize simple object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}) | ||
@@ -614,4 +600,4 @@ .expect( | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}, | ||
@@ -623,10 +609,10 @@ }, | ||
it("should sanitize clean headers.", function (done) { | ||
it('should sanitize clean headers.', function (done) { | ||
request(app) | ||
.post("/headers") | ||
.post('/headers') | ||
.set({ | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}) | ||
@@ -636,6 +622,6 @@ .expect(200) | ||
expect(res.body.headers).to.include({ | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}); | ||
@@ -646,5 +632,5 @@ }) | ||
it("should sanitize clean query.", function (done) { | ||
it('should sanitize clean query.', function (done) { | ||
request(app) | ||
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>") | ||
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>') | ||
.expect( | ||
@@ -654,6 +640,6 @@ 200, | ||
query: { | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}, | ||
@@ -665,7 +651,7 @@ }, | ||
it("should sanitize dirty body.", function (done) { | ||
it('should sanitize dirty body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -678,5 +664,5 @@ c: '<img src="/"/>', | ||
body: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
}, | ||
@@ -688,7 +674,5 @@ }, | ||
it("should not sanitize dirty query.", function (done) { | ||
it('should not sanitize dirty query.', function (done) { | ||
request(app) | ||
.get( | ||
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>', | ||
) | ||
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>') | ||
.expect( | ||
@@ -698,3 +682,3 @@ 200, | ||
query: { | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -708,7 +692,7 @@ c: '<img src="/"/>', | ||
it("should sanitize dirty headers.", function (done) { | ||
it('should sanitize dirty headers.', function (done) { | ||
request(app) | ||
.post("/headers") | ||
.post('/headers') | ||
.set({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -720,5 +704,5 @@ c: '<img src="/"/>', | ||
expect(res.body.headers).to.include({ | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
}); | ||
@@ -730,16 +714,16 @@ }) | ||
describe("Sanitize complex object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
describe('Sanitize complex object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -749,5 +733,5 @@ }, | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -762,9 +746,9 @@ }, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -774,5 +758,5 @@ }, | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -786,7 +770,7 @@ }, | ||
it("should sanitize dirty body.", function (done) { | ||
it('should sanitize dirty body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -796,10 +780,5 @@ c: '<img src="/"/>', | ||
"<h1 onclick='return false;'>H1 Test</h1>", | ||
"bla bla", | ||
'bla bla', | ||
{ | ||
i: [ | ||
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", | ||
"bla bla", | ||
false, | ||
5, | ||
], | ||
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5], | ||
j: '<a href="/" onclick="return 0;">Link</a>', | ||
@@ -811,3 +790,3 @@ }, | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -820,10 +799,10 @@ }, | ||
body: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -833,5 +812,5 @@ }, | ||
obj: { | ||
e: "", | ||
e: '', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -847,3 +826,3 @@ }, | ||
describe("Sanitize with custom options as middleware before each route", function () { | ||
describe('Sanitize with custom options as middleware before each route', function () { | ||
const app = express(); | ||
@@ -853,3 +832,3 @@ app.use(bodyParser.urlencoded({ extended: true })); | ||
app.post("/body", xss({ allowedKeys: ["c"] }), function (req, res) { | ||
app.post('/body', xss({ allowedKeys: ['c'] }), function (req, res) { | ||
res.status(200).json({ | ||
@@ -860,3 +839,3 @@ body: req.body, | ||
app.post("/headers", xss(), function (req, res) { | ||
app.post('/headers', xss(), function (req, res) { | ||
res.status(200).json({ | ||
@@ -867,3 +846,3 @@ headers: req.headers, | ||
app.get("/query", function (req, res) { | ||
app.get('/query', function (req, res) { | ||
res.status(200).json({ | ||
@@ -873,11 +852,11 @@ query: req.query, | ||
}); | ||
describe("Sanitize simple object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
describe('Sanitize simple object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}) | ||
@@ -890,4 +869,4 @@ .expect( | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}, | ||
@@ -899,10 +878,10 @@ }, | ||
it("should sanitize clean headers.", function (done) { | ||
it('should sanitize clean headers.', function (done) { | ||
request(app) | ||
.post("/headers") | ||
.post('/headers') | ||
.set({ | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}) | ||
@@ -912,6 +891,6 @@ .expect(200) | ||
expect(res.body.headers).to.include({ | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}); | ||
@@ -922,5 +901,5 @@ }) | ||
it("should sanitize clean query.", function (done) { | ||
it('should sanitize clean query.', function (done) { | ||
request(app) | ||
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>") | ||
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>') | ||
.expect( | ||
@@ -930,6 +909,6 @@ 200, | ||
query: { | ||
y: "4", | ||
z: "false", | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
y: '4', | ||
z: 'false', | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}, | ||
@@ -941,7 +920,7 @@ }, | ||
it("should sanitize dirty body.", function (done) { | ||
it('should sanitize dirty body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -954,4 +933,4 @@ c: '<img src="/"/>', | ||
body: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '<img src="/"/>', | ||
@@ -964,7 +943,5 @@ }, | ||
it("should not sanitize dirty query.", function (done) { | ||
it('should not sanitize dirty query.', function (done) { | ||
request(app) | ||
.get( | ||
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>', | ||
) | ||
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>') | ||
.expect( | ||
@@ -974,3 +951,3 @@ 200, | ||
query: { | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -984,7 +961,7 @@ c: '<img src="/"/>', | ||
it("should sanitize dirty headers.", function (done) { | ||
it('should sanitize dirty headers.', function (done) { | ||
request(app) | ||
.post("/headers") | ||
.post('/headers') | ||
.set({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -996,5 +973,5 @@ c: '<img src="/"/>', | ||
expect(res.body.headers).to.include({ | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
}); | ||
@@ -1006,16 +983,16 @@ }) | ||
describe("Sanitize complex object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
describe('Sanitize complex object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -1026,5 +1003,5 @@ c: '<img src="/"/>', | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -1039,9 +1016,9 @@ }, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -1052,5 +1029,5 @@ c: '<img src="/"/>', | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -1064,7 +1041,7 @@ }, | ||
it("should sanitize dirty body.", function (done) { | ||
it('should sanitize dirty body.', function (done) { | ||
request(app) | ||
.post("/body") | ||
.post('/body') | ||
.send({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -1074,10 +1051,5 @@ c: '<img src="/"/>', | ||
"<h1 onclick='return false;'>H1 Test</h1>", | ||
"bla bla", | ||
'bla bla', | ||
{ | ||
i: [ | ||
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", | ||
"bla bla", | ||
false, | ||
5, | ||
], | ||
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5], | ||
j: '<a href="/" onclick="return 0;">Link</a>', | ||
@@ -1089,3 +1061,3 @@ }, | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -1098,10 +1070,10 @@ }, | ||
body: { | ||
a: "", | ||
b: "<p>Test</p>", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '<img src="/"/>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -1111,5 +1083,5 @@ }, | ||
obj: { | ||
e: "", | ||
e: '', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -1125,15 +1097,17 @@ }, | ||
describe("Sanitize data with default settings as function", function () { | ||
describe("Sanitize simple object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
expect(sanitize({ | ||
describe('Sanitize data with default settings as function', function () { | ||
describe('Sanitize simple object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
expect( | ||
sanitize({ | ||
y: 4, | ||
z: false, | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}), | ||
).to.eql({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
})).to.eql({ | ||
y: 4, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
}); | ||
@@ -1143,11 +1117,13 @@ done(); | ||
it("should sanitize dirty body.", function (done) { | ||
expect(sanitize({ | ||
a: "<script>Test</script>", | ||
b: '<p onclick="return;">Test</p>', | ||
c: '<img src="/"/>', | ||
})).to.eql({ | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
it('should sanitize dirty body.', function (done) { | ||
expect( | ||
sanitize({ | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
c: '<img src="/"/>', | ||
}), | ||
).to.eql({ | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
}); | ||
@@ -1158,4 +1134,4 @@ done(); | ||
describe("Sanitize complex object", function () { | ||
it("should sanitize clean body.", function (done) { | ||
describe('Sanitize complex object', function () { | ||
it('should sanitize clean body.', function (done) { | ||
expect( | ||
@@ -1165,9 +1141,9 @@ sanitize({ | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -1177,5 +1153,5 @@ }, | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -1187,9 +1163,9 @@ }, | ||
z: false, | ||
w: "bla bla", | ||
a: "<p>Test</p>", | ||
w: 'bla bla', | ||
a: '<p>Test</p>', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -1199,5 +1175,5 @@ }, | ||
obj: { | ||
e: "Test1", | ||
e: 'Test1', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -1209,6 +1185,6 @@ }, | ||
it("should sanitize dirty body.", function (done) { | ||
it('should sanitize dirty body.', function (done) { | ||
expect( | ||
sanitize({ | ||
a: "<script>Test</script>", | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
@@ -1218,10 +1194,5 @@ c: '<img src="/"/>', | ||
"<h1 onclick='return false;'>H1 Test</h1>", | ||
"bla bla", | ||
'bla bla', | ||
{ | ||
i: [ | ||
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", | ||
"bla bla", | ||
false, | ||
5, | ||
], | ||
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5], | ||
j: '<a href="/" onclick="return 0;">Link</a>', | ||
@@ -1233,3 +1204,3 @@ }, | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -1239,10 +1210,10 @@ }, | ||
).to.eql({ | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -1252,5 +1223,5 @@ }, | ||
obj: { | ||
e: "", | ||
e: '', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -1263,7 +1234,5 @@ }, | ||
describe("Sanitize null value", function () { | ||
it("should return null.", function (done) { | ||
expect( | ||
sanitize(null), | ||
).to.eql(null); | ||
describe('Sanitize null value', function () { | ||
it('should return null.', function (done) { | ||
expect(sanitize(null)).to.eql(null); | ||
done(); | ||
@@ -1274,13 +1243,18 @@ }); | ||
describe("Sanitize data with custom options as function", function () { | ||
describe("Sanitize simple object", function () { | ||
it("should sanitize dirty body.", function (done) { | ||
expect(sanitize({ | ||
a: "<script>Test</script>", | ||
b: '<p onclick="return;">Test</p>', | ||
describe('Sanitize data with custom options as function', function () { | ||
describe('Sanitize simple object', function () { | ||
it('should sanitize dirty body.', function (done) { | ||
expect( | ||
sanitize( | ||
{ | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
c: '<img src="/"/>', | ||
}, | ||
{ allowedKeys: ['c'] }, | ||
), | ||
).to.eql({ | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '<img src="/"/>', | ||
}, { allowedKeys: ["c"] })).to.eql({ | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: '<img src="/"/>', | ||
}); | ||
@@ -1291,36 +1265,57 @@ done(); | ||
describe("Sanitize complex object", function () { | ||
it("should sanitize dirty body.", function (done) { | ||
expect(sanitize({ | ||
a: "<script>Test</script>", | ||
b: '<p onclick="return;">Test</p>', | ||
c: '<img src="/"/>', | ||
arr: [ | ||
"<h1 onclick='return false;'>H1 Test</h1>", | ||
"bla bla", | ||
describe('Sanitize complex object with attributes', function () { | ||
it('should sanitize but keep asked attributes.', function (done) { | ||
expect( | ||
sanitize( | ||
{ | ||
i: [ | ||
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", | ||
"bla bla", | ||
false, | ||
5, | ||
d: '<input value="some value" class="test-class" />', | ||
}, | ||
{ | ||
allowedTags: ['input'], | ||
allowedAttributes: { | ||
input: ['value'], | ||
}, | ||
}, | ||
), | ||
).to.eql({ | ||
d: '<input value="some value" />', | ||
}); | ||
done(); | ||
}); | ||
}); | ||
describe('Sanitize complex object', function () { | ||
it('should sanitize dirty body.', function (done) { | ||
expect( | ||
sanitize( | ||
{ | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
c: '<img src="/"/>', | ||
arr: [ | ||
"<h1 onclick='return false;'>H1 Test</h1>", | ||
'bla bla', | ||
{ | ||
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5], | ||
j: '<a href="/" onclick="return 0;">Link</a>', | ||
}, | ||
], | ||
j: '<a href="/" onclick="return 0;">Link</a>', | ||
obj: { | ||
e: '<script>while (true){alert("Test To OO")}</script>', | ||
r: { | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
}, | ||
}, | ||
], | ||
obj: { | ||
e: '<script>while (true){alert("Test To OO")}</script>', | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
}, | ||
}, | ||
}, { allowedKeys: ["e"] })).to.eql({ | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: "", | ||
{ allowedKeys: ['e'] }, | ||
), | ||
).to.eql({ | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '', | ||
arr: [ | ||
"<h1>H1 Test</h1>", | ||
"bla bla", | ||
'<h1>H1 Test</h1>', | ||
'bla bla', | ||
{ | ||
i: ["<h3>H3 Test</h3>", "bla bla", false, 5], | ||
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5], | ||
j: '<a href="/">Link</a>', | ||
@@ -1332,3 +1327,3 @@ }, | ||
r: { | ||
a: "<h6>H6 Test</h6>", | ||
a: '<h6>H6 Test</h6>', | ||
}, | ||
@@ -1342,13 +1337,18 @@ }, | ||
describe("Sanitize data with custom options as function", function () { | ||
describe("Sanitize simple object", function () { | ||
it("should sanitize dirty body.", function (done) { | ||
expect(sanitize({ | ||
a: "<script>Test</script>", | ||
b: '<p onclick="return;">Test</p>', | ||
describe('Sanitize data with custom options as function', function () { | ||
describe('Sanitize simple object', function () { | ||
it('should sanitize dirty body.', function (done) { | ||
expect( | ||
sanitize( | ||
{ | ||
a: '<script>Test</script>', | ||
b: '<p onclick="return;">Test</p>', | ||
c: '<img src="/"/>', | ||
}, | ||
{ allowedKeys: ['c'] }, | ||
), | ||
).to.eql({ | ||
a: '', | ||
b: '<p>Test</p>', | ||
c: '<img src="/"/>', | ||
}, { allowedKeys: ["c"] })).to.eql({ | ||
a: "", | ||
b: "<p>Test</p>", | ||
c: '<img src="/"/>', | ||
}); | ||
@@ -1359,10 +1359,15 @@ done(); | ||
describe("XSS bypass by using prototype pollution issue", function () { | ||
it("should sanitize dirty data after prototype pollution.", function (done) { | ||
describe('XSS bypass by using prototype pollution issue', function () { | ||
it('should sanitize dirty data after prototype pollution.', function (done) { | ||
// eslint-disable-next-line no-extend-native | ||
Object.prototype.allowedTags = ['script']; | ||
expect(sanitize({ | ||
a: "<script>Test</script>", | ||
}, {})).to.eql({ | ||
a: "", | ||
expect( | ||
sanitize( | ||
{ | ||
a: '<script>Test</script>', | ||
}, | ||
{}, | ||
), | ||
).to.eql({ | ||
a: '', | ||
}); | ||
@@ -1369,0 +1374,0 @@ done(); |
+ Added dom-serializer@2.0.0 (transitive)
+ Added domhandler@5.0.3 (transitive)
+ Added domutils@3.1.0 (transitive)
+ Added entities@4.5.0 (transitive)
+ Added htmlparser2@8.0.2 (transitive)
+ Added sanitize-html@2.11.0 (transitive)
- Removed dom-serializer@1.4.1 (transitive)
- Removed domhandler@4.3.1 (transitive)
- Removed domutils@2.8.0 (transitive)
- Removed entities@2.2.0 (transitive)
- Removed htmlparser2@6.1.0 (transitive)
- Removed sanitize-html@2.7.3 (transitive)
Updated sanitize-html@~2.11.0