sanitize-html

sanitize-html - npm Package Compare versions

Comparing version 1.2.2 to 1.2.3


index.js

@@ -125,4 +125,7 @@ var htmlparser = require('htmlparser2');

// Values are ALREADY escaped, calling escapeHtml here
// results in double escapes
result += '="' + value + '"';
// results in double escapes.
// However, a bug in the HTML parser allows you to use malformed
// markup to slip unescaped quotes through, so we strip them explicitly.
// @see https://github.com/punkave/sanitize-html/issues/19
result += '="' + value.replace(/"/g, '"') + '"';
}
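Review bot: As rendered, `value.replace(/"/g, '"')` replaces a double quote with the same character, so it is a no-op and does not strip the unescaped quotes the new comment says it does; the test hunk below expects `&quot;` in the output, so the replacement string should be the entity `'&quot;'` (if the entity was only lost in rendering, the source should still be checked). The hunk also shows both `// results in double escapes` and `// results in double escapes.`, so one of them is presumably the removed line; confirm the duplicated comment line does not survive in the final file.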

@@ -129,0 +132,0 @@ }

{
"name": "sanitize-html",
"version": "1.2.2",
"version": "1.2.3",
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -167,2 +167,4 @@ # sanitize-html

1.2.3: fixed another possible XSS attack vector; no definitive exploit was found but it looks possible. [See this issue.](https://github.com/punkave/sanitize-html/pull/20) Thanks to Jim O'Brien.
1.2.2: reject `javascript:` URLs when disguised with an internal comment. This is probably not respected by browsers anyway except when inside an XML data island element, which you almost certainly are not allowing in your `allowedTags`, but we aim to be thorough. Thanks to Jim O'Brien.
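Review bot: The 1.2.3 changelog entry links to pull/20 while the code comment in index.js cites issues/19; reference the issue from the changelog as well (or both) so readers can find the report describing the malformed-markup case. It would also help users judge exposure to state what is mitigated, namely unescaped double quotes inside attribute values when a naked `=` precedes another attribute, rather than only "another possible XSS attack vector".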

@@ -169,0 +171,0 @@

@@ -207,3 +207,20 @@ var assert = require("assert");

});
it('should not allow a naked = sign followed by an unrelated attribute to result in one merged attribute with unescaped double quote marks', function() {
assert.equal(
sanitizeHtml(
'<IMG SRC= onmouseover="alert(\'XSS\');">',
{
allowedTags: [ 'img' ],
allowedAttributes: {
img: [ 'src' ]
}
}
),
// This is weird but not dangerous. Without the &quot there
// would probably be some way to make it come out as a
// separate attribute
'<img src="onmouseover=&quot;alert(\'XSS\');&quot;" />'
);
});
});
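Review bot: The single `assert.equal` only pins the exact output string; add a negative assertion that `onmouseover=` does not appear as an attribute of the sanitized `<img>` (it should occur only inside the quoted `src` value), and a companion case where the input attribute value already contains `&quot;`, to verify the "values are ALREADY escaped" assumption in index.js and that the new replace does not produce `&amp;quot;`. The comment "Without the &quot there would probably be some way ..." should say plainly that encoding the quote prevents the value from closing the attribute.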