sanitize-html
Comparing version 1.5.0 to 1.5.1
index.js
var htmlparser = require('htmlparser2'); | ||
var _ = require('lodash'); | ||
var he = require('he'); | ||
var quoteRegexp = require('regexp-quote'); | ||
@@ -149,8 +148,3 @@ | ||
if (value.length) { | ||
// Values are ALREADY escaped, calling escapeHtml here | ||
// results in double escapes. | ||
// However, a bug in the HTML parser allows you to use malformed | ||
// markup to slip unescaped quotes through, so we strip them explicitly. | ||
// @see https://github.com/punkave/sanitize-html/issues/19 | ||
result += '="' + value.replace(/"/g, '"') + '"'; | ||
result += '="' + escapeHtml(value) + '"'; | ||
} | ||
@@ -172,5 +166,3 @@ } else { | ||
} | ||
// It is NOT actually raw text, entities are already escaped. | ||
// If we call escapeHtml here we wind up double-escaping. | ||
result += text; | ||
result += escapeHtml(text); | ||
if (stack.length) { | ||
@@ -214,17 +206,7 @@ var frame = stack[stack.length - 1]; | ||
} | ||
}); | ||
}, { decodeEntities: true }); | ||
parser.write(html); | ||
parser.end(); | ||
// Invoke recursively until we stop finding | ||
// clever little nesting exploits | ||
if (!_recursing) { | ||
while (true) { | ||
var newResult = sanitizeHtml(result, options, true); | ||
if (newResult === result) { | ||
return result; | ||
} | ||
result = newResult; | ||
} | ||
} | ||
return result; | ||
@@ -243,8 +225,6 @@ | ||
function naughtyHref(href) { | ||
// So we don't get faked out by a hex or decimal escaped javascript URL #1 | ||
href = he.decode(href); | ||
// Browsers ignore character codes of 32 (space) and below in a surprising | ||
// number of situations. Start reading here: | ||
// https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_tab | ||
href = href.replace(/[\x00-\x20]+/, ''); | ||
href = href.replace(/[\x00-\x20]+/g, ''); | ||
// Clobber any comments in URLs, which the browser might | ||
@@ -251,0 +231,0 @@ // interpret inside an XML data island, allowing |
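Review bot: With the `while (true)` re-sanitize loop removed from the tail of sanitizeHtml, the single `parser.write(html); parser.end(); return result;` pass is only safe if its output is itself a fixed point, which depends on two things this hunk does not state: every text node and attribute value must go out through `escapeHtml`, and `escapeHtml` (defined outside the hunk) must escape `"` as well as `&`, `<` and `>`, since values now arrive already decoded from htmlparser2 via `{ decodeEntities: true }`. I would record that invariant next to the parser options, e.g. `// decodeEntities: true hands us decoded text/attribute values; every value is re-escaped with escapeHtml on output, so one pass is a fixed point and the old recursive re-sanitize is unnecessary.` A test asserting `assert.equal(sanitizeHtml(out), out)` for each filter-evasion input would keep a future output path that skips escapeHtml from silently reopening the nesting tricks the loop used to catch. The sanitizeHtml function begins before this hunk.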
{ | ||
"name": "sanitize-html", | ||
"version": "1.5.0", | ||
"version": "1.5.1", | ||
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -24,4 +24,3 @@ "main": "index.js", | ||
"dependencies": { | ||
"he": "~0.4.1", | ||
"htmlparser2": "3.7.x", | ||
"htmlparser2": "3.8.x", | ||
"lodash": "2.4.x", | ||
@@ -28,0 +27,0 @@ "regexp-quote": "0.0.0" |
@@ -192,2 +192,4 @@ # sanitize-html | ||
1.5.1: updated to htmlparser2 1.8.x. Started using the `decodeEntities` option, which allows us to pass our filter evasion tests without the need to recursively invoke the filter. | ||
1.5.0: support for `*` wildcards in allowedAttributes. With tests. Thanks to Calvin Montgomery. | ||
@@ -194,0 +196,0 @@ |
@@ -68,3 +68,7 @@ var assert = require("assert"); | ||
it('should dump character codes 1-32 even when escaped with padding rather than trailing ;', function() { | ||
assert.equal(sanitizeHtml('<a href="java�script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>'); | ||
assert.equal(sanitizeHtml('<a href="javascript:alert(\'foo\')">Hax</a>'), '<a>Hax</a>'); | ||
// This one is weird, but the browser does not interpret it | ||
// as a scheme, so we're OK. That character is 65535, not null. I | ||
// think it's a limitation of the entities module | ||
assert.equal(sanitizeHtml('<a href="java�script:alert(\'foo\')">Hax</a>'), '<a href="java�script:alert(\'foo\')">Hax</a>'); | ||
}); | ||
@@ -291,11 +295,8 @@ it('should still like nice schemes', function() { | ||
), | ||
'' | ||
'<img src="javascript:evil"/>' | ||
); | ||
// I don't love what I get back here obviously, but | ||
// it is not an attack vector, although it might be parsed | ||
// by some browsers as containing an unbalanced close tag. | ||
assert.equal( | ||
sanitizeHtml('<<a href="javascript:evil"/>a href="javascript:evil"/>' | ||
), | ||
'<<a>a href="javascript:evil"/></a>' | ||
'<<a>a href="javascript:evil"/></a>' | ||
); | ||
@@ -302,0 +303,0 @@ }); |
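Review bot: The new assertion below the comment about character 65535 pins the sanitizer to emitting an `href` that still contains the decoded replacement character rather than dropping the link, which ties the test to how the entities module decodes that numeric reference (the page renders it as `�`, so the exact reference is not visible here) and documents accepting a URL nobody intended. I would instead have naughtyHref strip the replacement characters together with the control range, e.g. `href = href.replace(/[\x00-\x20\uFFFD\uFFFF]+/g, '');`, so the scheme collapses to `javascript:` and is rejected, and change this expectation to `'<a>Hax</a>'` to match the sibling assertions. The expected strings in the later assertions, `'<img src="javascript:evil"/>'` and `'<<a>a href="javascript:evil"/></a>'`, appear here with bare `<`/`>`; if that is literal the sanitizer is emitting a `javascript:` URL as markup, so I assume they are entity-escaped (`&lt;…&gt;`) in the source and were decoded by this rendering — worth confirming. The `it(...)` block containing the schemes assertions starts before this section's last hunk.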
+ Addeddomhandler@2.3.0(transitive)
+ Addedhtmlparser2@3.8.3(transitive)
- Removedhe@~0.4.1
- Removeddomhandler@2.2.1(transitive)
- Removedhe@0.4.1(transitive)
- Removedhtmlparser2@3.7.3(transitive)
Updatedhtmlparser2@3.8.x