sanitize-html
Advanced tools
sanitize-html - npm Package Compare versions
Comparing version 1.2.1 to 1.2.2
15
index.js
@@ -17,11 +17,10 @@ var htmlparser = require('htmlparser2'); | ||
| this.updateParentNodeText = function() { | ||
| if (stack.length) { | ||
| var parentFrame = stack[stack.length - 1]; | ||
| parentFrame.text += that.text; | ||
| } | ||
| if (stack.length) { | ||
| var parentFrame = stack[stack.length - 1]; | ||
| parentFrame.text += that.text; | ||
| } | ||
| }; | ||
| } | ||
| if (!options) { | ||
| if (!options) { | ||
| options = sanitizeHtml.defaults; | ||
@@ -206,2 +205,6 @@ } else { | ||
| href = href.replace(/[\x00-\x20]+/, ''); | ||
| // Clobber any comments in URLs, which the browser might | ||
| // interpret inside an XML data island, allowing | ||
| // a javascript: URL to be snuck through | ||
| href = href.replace(/<\!\-\-.*?\-\-\>/g, ''); | ||
| // Case insensitive so we don't get faked out by JAVASCRIPT #1 | ||
@@ -208,0 +211,0 @@ var matches = href.match(/^([a-zA-Z]+)\:/); |
| { | ||
| "name": "sanitize-html", | ||
| "version": "1.2.1", | ||
| "version": "1.2.2", | ||
| "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -167,2 +167,4 @@ # sanitize-html | ||
| 1.2.2: reject `javascript:` URLs when disguised with an internal comment. This is probably not respected by browsers anyway except when inside an XML data island element, which you almost certainly are not allowing in your `allowedTags`, but we aim to be thorough. Thanks to Jim O'Brien. | ||
| 1.2.1: fixed crashing bug when presented with bad markup. The bug was in the `exclusiveFilter` mechanism. Unit test added. Thanks to Ilya Kantor for catching it. | ||
@@ -169,0 +171,0 @@ |
@@ -52,2 +52,8 @@ var assert = require("assert"); | ||
| }); | ||
| it('should dump a javascript URL with a comment in the middle (probably only respected by browsers in XML data islands, but just in case someone enables those)', function() { | ||
| assert.equal(sanitizeHtml('<a href="java<!-- -->script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>'); | ||
| }); | ||
| it('should not mess up a hashcode with a : in it', function() { | ||
| assert.equal(sanitizeHtml('<a href="awesome.html#this:stuff">Hi</a>'), '<a href="awesome.html#this:stuff">Hi</a>'); | ||
| }); | ||
| it('should dump character codes 1-32 before testing scheme', function() { | ||
@@ -54,0 +60,0 @@ assert.equal(sanitizeHtml('<a href="java\0\t\r\n script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>'); |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by3.02%
32896
- Lines of code
- increased by2.28%
449
- Number of lines in readme file
- increased by0.93%
217