sanitize-html - npm Package Compare versions

Comparing version 1.5.0 to 1.5.1

30

index.js
var htmlparser = require('htmlparser2');
var _ = require('lodash');
var he = require('he');
var quoteRegexp = require('regexp-quote');

@@ -149,8 +148,3 @@

if (value.length) {
// Values are ALREADY escaped, calling escapeHtml here
// results in double escapes.
// However, a bug in the HTML parser allows you to use malformed
// markup to slip unescaped quotes through, so we strip them explicitly.
// @see https://github.com/punkave/sanitize-html/issues/19
result += '="' + value.replace(/"/g, '"') + '"';
result += '="' + escapeHtml(value) + '"';
}

@@ -172,5 +166,3 @@ } else {

}
// It is NOT actually raw text, entities are already escaped.
// If we call escapeHtml here we wind up double-escaping.
result += text;
result += escapeHtml(text);
if (stack.length) {

@@ -214,17 +206,7 @@ var frame = stack[stack.length - 1];

}
});
}, { decodeEntities: true });
parser.write(html);
parser.end();
// Invoke recursively until we stop finding
// clever little nesting exploits
if (!_recursing) {
while (true) {
var newResult = sanitizeHtml(result, options, true);
if (newResult === result) {
return result;
}
result = newResult;
}
}
return result;

@@ -243,8 +225,6 @@

function naughtyHref(href) {
// So we don't get faked out by a hex or decimal escaped javascript URL #1
href = he.decode(href);
// Browsers ignore character codes of 32 (space) and below in a surprising
// number of situations. Start reading here:
// https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_tab
href = href.replace(/[\x00-\x20]+/, '');
href = href.replace(/[\x00-\x20]+/g, '');
// Clobber any comments in URLs, which the browser might

@@ -251,0 +231,0 @@ // interpret inside an XML data island, allowing
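Review bot: The quote-strip removed in the `@@ -149,8 +148,3 @@` hunk was the only explicit guard against `"` inside attribute values, so attribute integrity now rests entirely on `escapeHtml`, which is defined outside this section; the expected outputs in the test hunk (`href=&quot;javascript:evil&quot;`) suggest it does emit `&quot;`, but that should be confirmed at its definition before relying on it. In `naughtyHref`, making the control-character strip global is the right fix, but with `decodeEntities: true` the href reaching it has already been decoded once by the parser, so `he.decode(href)` is now a second decode; that is deliberately conservative (a doubly encoded scheme is still rejected) and deserves a comment such as `// href is already entity-decoded by the parser (decodeEntities: true); decoding again is intentional so a doubly-encoded scheme is still caught`. Note also that the decode-then-strip order removes numeric entities for control characters, but the replacement character that `&#0000000` decodes to lies outside `[\x00-\x20]` and passes through, as the test hunk records. `naughtyHref` continues past the end of this hunk.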

5

package.json
{
"name": "sanitize-html",
"version": "1.5.0",
"version": "1.5.1",
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",

@@ -24,4 +24,3 @@ "main": "index.js",

"dependencies": {
"he": "~0.4.1",
"htmlparser2": "3.7.x",
"htmlparser2": "3.8.x",
"lodash": "2.4.x",

@@ -28,0 +27,0 @@ "regexp-quote": "0.0.0"
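Review bot: The htmlparser2 range is bumped to `3.8.x` here while the changelog entry in this same commit reads `updated to htmlparser2 1.8.x`; one of the two is a typo and the changelog should match the manifest. Since the index.js change now relies on the parser's `decodeEntities` option, the `3.8.x` floor is a functional requirement rather than a routine bump, which is worth stating in the changelog line as well.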

@@ -192,2 +192,4 @@ # sanitize-html

1.5.1: updated to htmlparser2 1.8.x. Started using the `decodeEntities` option, which allows us to pass our filter evasion tests without the need to recursively invoke the filter.
1.5.0: support for `*` wildcards in allowedAttributes. With tests. Thanks to Calvin Montgomery.

@@ -194,0 +196,0 @@

@@ -68,3 +68,7 @@ var assert = require("assert");

it('should dump character codes 1-32 even when escaped with padding rather than trailing ;', function() {
assert.equal(sanitizeHtml('<a href="java&#0000000script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>');
assert.equal(sanitizeHtml('<a href="java&#0000001script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>');
// This one is weird, but the browser does not interpret it
// as a scheme, so we're OK. That character is 65535, not null. I
// think it's a limitation of the entities module
assert.equal(sanitizeHtml('<a href="java&#0000000script:alert(\'foo\')">Hax</a>'), '<a href="java�script:alert(\'foo\')">Hax</a>');
});

@@ -291,11 +295,8 @@ it('should still like nice schemes', function() {

),
''
'&lt;img src=&quot;javascript:evil&quot;/&gt;'
);
// I don't love what I get back here obviously, but
// it is not an attack vector, although it might be parsed
// by some browsers as containing an unbalanced close tag.
assert.equal(
sanitizeHtml('<<a href="javascript:evil"/>a href="javascript:evil"/>'
),
'<<a>a href="javascript:evil"/></a>'
'&lt;<a>a href=&quot;javascript:evil&quot;/&gt;</a>'
);

@@ -302,0 +303,0 @@ });
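Review bot: The test titled `should dump character codes 1-32 even when escaped with padding rather than trailing ;` now asserts the opposite for its last case, keeping `<a href="java�script:alert('foo')">`, so the title no longer describes what is checked. Move that assertion into its own `it(...)` whose name states that a zero numeric entity decodes to a replacement character that is not a URL scheme and is therefore retained, so the accepted behaviour is an explicit decision rather than an exception hidden in a strip test. The comment says the character is 65535; if the decoded output is U+FFFD as printed, the code point is 65533, so the comment should be checked against the entities module's actual output. The enclosing `describe` starts before this hunk.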
