sanitize-html - npm Package Compare versions

Comparing version 1.0.1 to 1.0.2

index.js

		var htmlparser = require('htmlparser2');
		var _ = require('lodash');
		var ent = require('ent');

		@@ -114,3 +115,6 @@ module.exports = sanitizeHtml;
		function naughtyHref(href) {
		var matches = href.match(/^([a-z]+)\:/);
		// So we don't get faked out by a hex or decimal escaped javascript URL #1
		href = ent.decode(href);
		// Case insensitive so we don't get faked out by JAVASCRIPT #1
		var matches = href.match(/^([a-zA-Z]+)\:/);
		if (!matches) {
		@@ -117,0 +121,0 @@ // No scheme = no way to inject js (right?)

package.json

		{
		"name": "sanitize-html",
		"version": "1.0.1",
		"version": "1.0.2",
		"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
		@@ -25,4 +25,5 @@ "main": "index.js",
		"lodash": "~1.3.1",
		"htmlparser2": "~3.3.0"
		"htmlparser2": "~3.3.0",
		"ent": "~0.1.0"
		}
		}
		}

README.md

		@@ -72,2 +72,6 @@ # sanitize-html

		1.0.2: fixed a javascript URL attack vector. naughtyHref must entity-decode URLs and also check for mixed-case scheme names. Thanks to pinpickle.

		1.0.1: Doc tweaks.

		1.0.0: If the style tag is disallowed, then its content should be dumped, so that it doesn't appear as text. We were already doing this for script tags, however in both cases the content is now preserved if the tag is explicitly allowed.
		@@ -74,0 +78,0 @@

test/test.js

		@@ -46,3 +46,9 @@ var assert = require("assert");
		});
		it('should dump a sneaky encoded javascript url', function() {
		assert.equal(sanitizeHtml('<a href="javascript:alert('XSS')">Hax</a>'), '<a href>Hax</a>');
		});
		it('should dump an uppercase javascript url', function() {
		assert.equal(sanitizeHtml('<a href="JAVASCRIPT:alert(\'foo\')">Hax</a>'), '<a href>Hax</a>');
		});
		});

New alerts