Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

xss

Package Overview
Dependencies
Maintainers
1
Versions
71
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

xss - npm Package Compare versions

Comparing version 0.0.4 to 0.0.5

409

build/xss.js

@@ -1,2 +0,2 @@

;(function(e,t,n,r){function i(r){if(!n[r]){if(!t[r]){if(e)return e(r);throw new Error("Cannot find module '"+r+"'")}var s=n[r]={exports:{}};t[r][0](function(e){var n=t[r][1][e];return i(n?n:e)},s,s.exports)}return n[r].exports}for(var s=0;s<r.length;s++)i(r[s]);return i})(typeof require!=="undefined"&&require,{1:[function(require,module,exports){/**
;(function(e,t,n,r){function i(r){if(!n[r]){if(!t[r]){if(e)return e(r);throw new Error("Cannot find module '"+r+"'")}var s=n[r]={exports:{}};t[r][0](function(e){var n=t[r][1][e];return i(n?n:e)},s,s.exports)}return n[r].exports}for(var s=0;s<r.length;s++)i(r[s]);return i})(typeof require!=="undefined"&&require,{1:[function(require,module,exports){(function(){/**
* 过滤XSS攻击

@@ -12,36 +12,36 @@ *

var defaultWhiteList = {
h1: ['style', 'class'],
h2: ['style', 'class'],
h3: ['style', 'class'],
h4: ['style', 'class'],
h5: ['style', 'class'],
h6: ['style', 'class'],
hr: ['style', 'class'],
span: ['style', 'class'],
strong: ['style', 'class'],
b: ['style', 'class'],
i: ['style', 'class'],
h1: [],
h2: [],
h3: [],
h4: [],
h5: [],
h6: [],
hr: [],
span: [],
strong: [],
b: [],
i: [],
br: [],
p: ['style', 'class'],
pre: ['style', 'class'],
code: ['style', 'class'],
a: ['style', 'class', 'target', 'href', 'title'],
img: ['style', 'class', 'src', 'alt', 'title'],
div: ['style', 'class'],
table: ['style', 'class', 'width', 'border'],
tr: ['style', 'class'],
td: ['style', 'class', 'width', 'colspan'],
th: ['style', 'class', 'width', 'colspan'],
tbody: ['style', 'class'],
ul: ['style', 'class'],
li: ['style', 'class'],
ol: ['style', 'class'],
dl: ['style', 'class'],
dt: ['style', 'class'],
em: ['style'],
cite: ['style'],
section:['style', 'class'],
header: ['style', 'class'],
footer: ['style', 'class'],
blockquote: ['style', 'class'],
p: [],
pre: [],
code: [],
a: ['target', 'href', 'title'],
img: ['src', 'alt', 'title'],
div: [],
table: ['width', 'border'],
tr: [],
td: ['width', 'colspan'],
th: ['width', 'colspan'],
tbody: [],
ul: [],
li: [],
ol: [],
dl: [],
dt: [],
em: [],
cite: [],
section:[],
header: [],
footer: [],
blockquote: [],
audio: ['autoplay', 'controls', 'loop', 'preload', 'src'],

@@ -51,27 +51,43 @@ video: ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width'],

// 正则表达式
var REGEXP_LT = /</g;
var REGEXP_GT = />/g;
var REGEXP_QUOTE = /"/g;
var REGEXP_ATTR_NAME = /[^a-zA-Z0-9_:\.\-]/img;
var REGEXP_ATTR_VALUE = /&#([a-zA-Z0-9]*);?/img;
var REGEXP_DEFAULT_ON_TAG_ATTR_1 = /\/\*|\*\//mg;
var REGEXP_DEFAULT_ON_TAG_ATTR_2 = /^[\s"'`]*((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig;
var REGEXP_DEFAULT_ON_TAG_ATTR_3 = /\/\*|\*\//mg;
var REGEXP_DEFAULT_ON_TAG_ATTR_4 = /((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig;
/**
* 过滤属性值
*
* @param {string} tag 标签名
* @param {string} attr 属性名
* @param {string} value 属性值
* @return {string} 若不需要修改属性值,不返回任何值
* @param {String} tag 标签名
* @param {String} attr 属性名
* @param {String} value 属性值
* @return {String} 若不需要修改属性值,不返回任何值
*/
var defaultOnTagAttr = function (tag, attr, value) {
function defaultOnTagAttr (tag, attr, value) {
if (attr === 'href' || attr === 'src') {
if (/\/\*|\*\//mg.test(value)) {
REGEXP_DEFAULT_ON_TAG_ATTR_1.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_1.test(value)) {
return '#';
}
if (/^[\s"'`]*((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig.test(value)) {
REGEXP_DEFAULT_ON_TAG_ATTR_2.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_2.test(value)) {
return '#';
}
} else if (attr === 'style') {
if (/\/\*|\*\//mg.test(value)) {
REGEXP_DEFAULT_ON_TAG_ATTR_3.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_3.test(value)) {
return '#';
}
if (/((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig.test(value)) {
REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
return '';
}
}
};
}

@@ -81,13 +97,13 @@ /**

*
* @param {string} tag 标签名
* @param {string} html 标签HTML代码(包括属性值)
* @param {object} options 更多属性:
* @param {String} tag 标签名
* @param {String} html 标签HTML代码(包括属性值)
* @param {Object} options 更多属性:
* position:在返回的HTML代码中的开始位置
* originalPosition:在原HTML代码中的开始位置
* isClosing:是否为闭合标签,如</a>
* @return {string} 若不返回任何值,则默认替换<>为&lt;&gt;
* @return {String} 若不返回任何值,则默认替换<>为&lt;&gt;
*/
var defaultOnIgnoreTag = function (tag, html, options) {
function defaultOnIgnoreTag (tag, html, options) {
return noTag(html);
};
}

@@ -98,152 +114,183 @@

*
* @param {string} text
* @return {string}
* @param {String} text
* @return {String}
*/
var noTag = function (text) {
return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
};
function noTag (text) {
return text.replace(REGEXP_LT, '&lt;').replace(REGEXP_GT, '&gt;');
}
/**
* XSS过滤
* 过滤unicode字符(与REGEXP_ATTR_VALUE配合使用)
*
* @param {string} html 要过滤的HTML代码
* @param {object} options 选项:whiteList, onTagAttr, onIgnoreTag
* @return {string}
*/
exports = module.exports = function (html, options) {
function replaceUnicode (str, code) {
return String.fromCharCode(parseInt(code));
}
/**
* XSS过滤对象
*
* @param {Object} options 选项:whiteList, onTagAttr, onIgnoreTag
*/
function FilterXSS (options) {
'use strict';
options = options || {};
var whiteList = options.whiteList || exports.whiteList;
var onTagAttr = options.onTagAttr || exports.onTagAttr;
var onIgnoreTag = options.onIgnoreTag || exports.onIgnoreTag;
this.options = options = options || {};
this.whiteList = options.whiteList || exports.whiteList;
this.onTagAttr = options.onTagAttr || exports.onTagAttr;
this.onIgnoreTag = options.onIgnoreTag || exports.onIgnoreTag;
}
var rethtml = '';
/**
* 过滤不合法的属性
*
* @param {String} tagName 标签名称
* @param {String} attrs 标签属性部分
* @return {String}
*/
FilterXSS.prototype.filterAttributes = function (tagName, attrs) {
'use strict';
tagName = tagName.toLowerCase();
var me = this;
var whites = this.whiteList[tagName];
var lastPos = 0;
var tagStart = false;
var quoteStart = false;
var currentPos = 0;
var _attrs = '';
var tmpName = false;
var hasSprit = false;
/**
* 过滤不合法的属性
*/
var filterAttributes = function (tagName, attrs) {
tagName = tagName.toLowerCase();
var whites = whiteList[tagName];
var lastPos = 0;
var _attrs = [];
var tmpName = false;
var hasSprit = false;
var addAttr = function (name, value) {
name = name.trim();
if (!hasSprit && name === '/') {
hasSprit = true;
return;
};
name = name.replace(/[^a-zA-Z0-9_:\.\-]/img, '').toLowerCase();
if (name.length < 1) return;
if (whites.indexOf(name) !== -1) {
if (value) {
value = value.trim().replace(/"/g, '&quote;');
// 转换unicode字符 及过滤不可见字符
value = value.replace(/&#([a-zA-Z0-9]*);?/img, function (str, code) {
code = parseInt(code);
return String.fromCharCode(code);
});
var _value = '';
for (var i = 0, len = value.length; i < len; i++) {
_value += value.charCodeAt(i) < 32 ? ' ' : value[i];
}
value = _value.trim();
var newValue = onTagAttr(tagName, name, value);
if (typeof(newValue) !== 'undefined') {
value = newValue;
}
}
_attrs.push(name + (value ? '="' + value + '"' : ''));
}
var addAttr = function (name, value) {
name = name.trim();
if (!hasSprit && name === '/') {
hasSprit = true;
return;
};
for (var i = 0, len = attrs.length; i < len; i++) {
var c = attrs[i];
if (tmpName === false && c === '=') {
tmpName = attrs.slice(lastPos, i);
lastPos = i + 1;
continue;
}
if (tmpName !== false) {
if (i === lastPos && (c === '"' || c === "'")) {
var j = attrs.indexOf(c, i + 1);
if (j === -1) {
break;
} else {
var v = attrs.slice(lastPos + 1, j).trim();
addAttr(tmpName, v);
tmpName = false;
i = j;
lastPos = i + 1;
continue;
}
name = name.replace(REGEXP_ATTR_NAME, '').toLowerCase();
if (name.length < 1) return;
if (whites.indexOf(name) !== -1) {
if (value) {
value = value.trim().replace(REGEXP_QUOTE, '&quote;');
// 转换unicode字符 及过滤不可见字符
value = value.replace(REGEXP_ATTR_VALUE, replaceUnicode);
var _value = '';
for (var i = 0, len = value.length; i < len; i++) {
_value += value.charCodeAt(i) < 32 ? ' ' : value[i];
}
value = _value.trim();
var newValue = me.onTagAttr(tagName, name, value);
if (typeof newValue !== 'undefined') {
value = newValue;
}
}
if (c === ' ') {
var v = attrs.slice(lastPos, i).trim();
if (tmpName === false) {
addAttr(v);
_attrs += name + (value ? '="' + value + '"' : '') + ' ';
}
};
for (var i = 0, len = attrs.length; i < len; i++) {
var c = attrs[i];
if (tmpName === false && c === '=') {
tmpName = attrs.slice(lastPos, i);
lastPos = i + 1;
continue;
}
if (tmpName !== false) {
if (i === lastPos && (c === '"' || c === "'")) {
var j = attrs.indexOf(c, i + 1);
if (j === -1) {
break;
} else {
var v = attrs.slice(lastPos + 1, j).trim();
addAttr(tmpName, v);
tmpName = false;
i = j;
lastPos = i + 1;
continue;
}
tmpName = false;
lastPos = i + 1;
continue;
}
}
if (lastPos < attrs.length) {
if (c === ' ') {
var v = attrs.slice(lastPos, i).trim();
if (tmpName === false) {
addAttr(attrs.slice(lastPos));
addAttr(v);
} else {
addAttr(tmpName, attrs.slice(lastPos));
addAttr(tmpName, v);
}
tmpName = false;
lastPos = i + 1;
continue;
}
if (hasSprit) _attrs.push('/');
return _attrs.join(' ');
};
}
/**
* 检查标签是否合法
*/
var addNewTag = function (tag, end) {
rethtml += noTag(html.slice(lastPos, tagStart));
lastPos = end + 1;
var spos = tag.slice(0, 2) === '</' ? 2 : 1;
if (lastPos < attrs.length) {
if (tmpName === false) {
addAttr(attrs.slice(lastPos));
} else {
addAttr(tmpName, attrs.slice(lastPos));
}
}
if (hasSprit) _attrs += '/';
return _attrs.trim();
};
/**
* 检查标签是否合法
*
* @param {String} tag 标签文本,如“<a”
* @param {Number} currentPos 原HTML的当前位置
* @param {Number} targetPos 生成的HTML的当前位置
*/
FilterXSS.prototype.addNewTag = function (tag, currentPos, targetPos) {
'use strict';
var rethtml = '';
var spos = tag.slice(0, 2) === '</' ? 2 : 1;
var i = tag.indexOf(' ');
var i = tag.indexOf(' ');
if (i === -1) {
var tagName = tag.slice(spos, tag.length - 1).trim();
} else {
var tagName = tag.slice(spos, i + 1).trim();
}
tagName = tagName.toLowerCase();
if (tagName in this.whiteList) {
// 过滤不合法的属性
if (i === -1) {
var tagName = tag.slice(spos, tag.length - 1).trim();
rethtml += tag.slice(0, spos) + tagName + '>';
} else {
var tagName = tag.slice(spos, i + 1).trim();
var attrs = this.filterAttributes(tagName, tag.slice(i + 1, tag.length - 1).trim());
rethtml += tag.slice(0, spos) + tagName + (attrs.length > 0 ? ' ' + attrs : '') + '>';
}
tagName = tagName.toLowerCase();
if (tagName in whiteList) {
// 过滤不合法的属性
if (i === -1) {
rethtml += tag.slice(0, spos) + tagName + '>';
} else {
var attrs = filterAttributes(tagName, tag.slice(i + 1, tag.length - 1).trim());
rethtml += tag.slice(0, spos) + tagName + (attrs.length > 0 ? ' ' + attrs : '') + '>';
}
} else {
// 过滤不合法的标签
var options = {
isClosing: (spos === 2),
position: rethtml.length,
originalPosition: currentPos - tag.length + 1
};
var tagHtml = onIgnoreTag(tagName, tag, options);
if (typeof(tagHtml) === 'undefined') {
tagHtml = noTag(tag);
}
rethtml += tagHtml;
} else {
// 过滤不合法的标签
var options = {
isClosing: (spos === 2),
position: targetPos,
originalPosition: currentPos - tag.length + 1
};
var tagHtml = this.onIgnoreTag(tagName, tag, options);
if (typeof tagHtml === 'undefined') {
tagHtml = noTag(tag);
}
};
rethtml += tagHtml;
}
return rethtml;
};
/**
* 开始处理
*
* @param {String} html
* @return {String}
*/
FilterXSS.prototype.process = function (html) {
'use strict';
var rethtml = '';
var lastPos = 0;
var tagStart = false;
var quoteStart = false;
var currentPos = 0;
// 逐个分析字符

@@ -266,3 +313,5 @@ for (var currentPos = 0, len = html.length; currentPos < len; currentPos++) {

if (c === '>') {
addNewTag(html.slice(tagStart, currentPos + 1), currentPos);
rethtml += noTag(html.slice(lastPos, tagStart));
rethtml += this.addNewTag(html.slice(tagStart, currentPos + 1), currentPos, rethtml.length);
lastPos = currentPos + 1;
tagStart = false;

@@ -286,6 +335,21 @@ continue;

}
return rethtml;
};
/**
* XSS过滤
*
* @param {String} html 要过滤的HTML代码
* @param {Object} options 选项:whiteList, onTagAttr, onIgnoreTag
* @return {String}
*/
function filterXSS (html, options) {
var xss = new FilterXSS(options);
return xss.process(html);
};
// 默认配置
exports = module.exports = filterXSS;
exports.FilterXSS = FilterXSS;
exports.whiteList = defaultWhiteList;

@@ -303,2 +367,3 @@ exports.onTagAttr = defaultOnTagAttr;

})()
},{"./utils":2}],2:[function(require,module,exports){/**

@@ -305,0 +370,0 @@ * 工具函数

66

lib/index.js

@@ -12,36 +12,36 @@ /**

var defaultWhiteList = {
h1: ['style', 'class'],
h2: ['style', 'class'],
h3: ['style', 'class'],
h4: ['style', 'class'],
h5: ['style', 'class'],
h6: ['style', 'class'],
hr: ['style', 'class'],
span: ['style', 'class'],
strong: ['style', 'class'],
b: ['style', 'class'],
i: ['style', 'class'],
h1: [],
h2: [],
h3: [],
h4: [],
h5: [],
h6: [],
hr: [],
span: [],
strong: [],
b: [],
i: [],
br: [],
p: ['style', 'class'],
pre: ['style', 'class'],
code: ['style', 'class'],
a: ['style', 'class', 'target', 'href', 'title'],
img: ['style', 'class', 'src', 'alt', 'title'],
div: ['style', 'class'],
table: ['style', 'class', 'width', 'border'],
tr: ['style', 'class'],
td: ['style', 'class', 'width', 'colspan'],
th: ['style', 'class', 'width', 'colspan'],
tbody: ['style', 'class'],
ul: ['style', 'class'],
li: ['style', 'class'],
ol: ['style', 'class'],
dl: ['style', 'class'],
dt: ['style', 'class'],
em: ['style'],
cite: ['style'],
section:['style', 'class'],
header: ['style', 'class'],
footer: ['style', 'class'],
blockquote: ['style', 'class'],
p: [],
pre: [],
code: [],
a: ['target', 'href', 'title'],
img: ['src', 'alt', 'title'],
div: [],
table: ['width', 'border'],
tr: [],
td: ['width', 'colspan'],
th: ['width', 'colspan'],
tbody: [],
ul: [],
li: [],
ol: [],
dl: [],
dt: [],
em: [],
cite: [],
section:[],
header: [],
footer: [],
blockquote: [],
audio: ['autoplay', 'controls', 'loop', 'preload', 'src'],

@@ -48,0 +48,0 @@ video: ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width'],

2

package.json
{
"name": "xss",
"main": "./lib/index.js",
"version": "0.0.4",
"version": "0.0.5",
"description": "XSS攻击代码过滤 Remove XSS attack vectors from user-supplied HTML",

@@ -6,0 +6,0 @@ "author": "leizongmin <leizongmin@gmail.com> (http://ucdok.com)",

8

README.md

@@ -106,7 +106,7 @@ [![Build Status](https://secure.travis-ci.org/leizongmin/js-xss.png?branch=master)](http://travis-ci.org/leizongmin/js-xss)

在源码目录执行命令:**npm test**
在源码目录执行命令: **npm test**
### 在线测试
在源码目录执行命令:**node lib/cli.js**,可在命令行中输入HTML代码,并看到过滤后的代码
在源码目录执行命令: **node lib/cli.js** ,可在命令行中输入HTML代码,并看到过滤后的代码

@@ -116,5 +116,5 @@

解析速度为**5.81MB/s**,而另外一个**validator**模块的xss()函数速度仅为**2.48MB/s**。
解析速度为 **5.81MB/s** ,而另外一个 **validator** 模块的xss()函数速度仅为 **2.48MB/s** 。
测试代码参考**benchmark**目录
测试代码参考 **benchmark** 目录

@@ -121,0 +121,0 @@

3

test/test_xss.js

@@ -48,3 +48,2 @@ /**

assert.equal(xss('<a href=home>'), '<a href="home">');
assert.equal(xss('<a href=home class="b">'), '<a href="home" class="b">');
assert.equal(xss('<a href=abc("d")>'), '<a href="abc(&quote;d&quote;)">');

@@ -196,3 +195,3 @@ assert.equal(xss('<a href=abc(\'d\')>'), '<a href="abc(\'d\')">');

assert.equal(xss('<a style="url(\'javascript:alert(1)\')">'), '<a style>');
assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', {whiteList: {a: ['style']}}), '<a style>');

@@ -199,0 +198,0 @@ assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src="#">');

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc