🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
sanitize-html
Advanced tools
sanitize-html - npm Package Compare versions
Comparing version 1.2.1 to 1.2.2
15
index.js
@@ -17,11 +17,10 @@ var htmlparser = require('htmlparser2'); | ||
| this.updateParentNodeText = function() { | ||
| if (stack.length) { | ||
| var parentFrame = stack[stack.length - 1]; | ||
| parentFrame.text += that.text; | ||
| } | ||
| if (stack.length) { | ||
| var parentFrame = stack[stack.length - 1]; | ||
| parentFrame.text += that.text; | ||
| } | ||
| }; | ||
| } | ||
| if (!options) { | ||
| if (!options) { | ||
| options = sanitizeHtml.defaults; | ||
@@ -206,2 +205,6 @@ } else { | ||
| href = href.replace(/[\x00-\x20]+/, ''); | ||
| // Clobber any comments in URLs, which the browser might | ||
| // interpret inside an XML data island, allowing | ||
| // a javascript: URL to be snuck through | ||
| href = href.replace(/<\!\-\-.*?\-\-\>/g, ''); | ||
| // Case insensitive so we don't get faked out by JAVASCRIPT #1 | ||
@@ -208,0 +211,0 @@ var matches = href.match(/^([a-zA-Z]+)\:/); |
| { | ||
| "name": "sanitize-html", | ||
| "version": "1.2.1", | ||
| "version": "1.2.2", | ||
| "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -167,2 +167,4 @@ # sanitize-html | ||
| 1.2.2: reject `javascript:` URLs when disguised with an internal comment. This is probably not respected by browsers anyway except when inside an XML data island element, which you almost certainly are not allowing in your `allowedTags`, but we aim to be thorough. Thanks to Jim O'Brien. | ||
| 1.2.1: fixed crashing bug when presented with bad markup. The bug was in the `exclusiveFilter` mechanism. Unit test added. Thanks to Ilya Kantor for catching it. | ||
@@ -169,0 +171,0 @@ |
@@ -52,2 +52,8 @@ var assert = require("assert"); | ||
| }); | ||
| it('should dump a javascript URL with a comment in the middle (probably only respected by browsers in XML data islands, but just in case someone enables those)', function() { | ||
| assert.equal(sanitizeHtml('<a href="java<!-- -->script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>'); | ||
| }); | ||
| it('should not mess up a hashcode with a : in it', function() { | ||
| assert.equal(sanitizeHtml('<a href="awesome.html#this:stuff">Hi</a>'), '<a href="awesome.html#this:stuff">Hi</a>'); | ||
| }); | ||
| it('should dump character codes 1-32 before testing scheme', function() { | ||
@@ -54,0 +60,0 @@ assert.equal(sanitizeHtml('<a href="java\0\t\r\n script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>'); |
No alert changes
Improved metrics
- Total package byte prevSize
32896
3.02%- Lines of code
449
2.28%- Number of lines in readme file
217
0.93%No dependency changes