xss - npm Package Compare versions

Comparing version 0.0.7 to 0.0.8

build/xss.js

@@ -28,9 +28,10 @@ ;(function(e,t,n,r){function i(r){if(!n[r]){if(!t[r]){if(e)return e(r);throw new Error("Cannot find module '"+r+"'")}var s=n[r]={exports:{}};t[r][0](function(e){var n=t[r][1][e];return i(n?n:e)},s,s.exports)}return n[r].exports}for(var s=0;s<r.length;s++)i(r[s]);return i})(typeof require!=="undefined"&&require,{1:[function(require,module,exports){(function(){/**
   a:      ['target', 'href', 'title'],
-  img:    ['src', 'alt', 'title'],
+  img:    ['src', 'alt', 'title', 'width', 'height'],
   div:    [],
   table:  ['width', 'border'],
-  tr:     [],
+  tr:     ['rowspan'],
   td:     ['width', 'colspan'],
   th:     ['width', 'colspan'],
   tbody:  [],
+  thead:  [],
   ul:     [],
@@ -48,3 +49,3 @@ li:     [],
   audio:  ['autoplay', 'controls', 'loop', 'preload', 'src'],
-  video:  ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width'],
+  video:  ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width']
 };
@@ -125,3 +126,3 @@
 function replaceUnicode (str, code) {
-  return String.fromCharCode(parseInt(code));
+  return String.fromCharCode(parseInt(code,10));
 }
@@ -166,3 +167,3 @@
       return;
-    };
+    }
     name = name.replace(REGEXP_ATTR_NAME, '').toLowerCase();
@@ -177,3 +178,3 @@ if (name.length < 1) return;
         for (var i = 0, len = value.length; i < len; i++) {
-          _value += value.charCodeAt(i) < 32 ? ' ' : value[i];
+          _value += value.charCodeAt(i) < 32 ? ' ' : value.charAt(i);
         }
@@ -191,3 +192,3 @@ value = _value.trim();
   for (var i = 0, len = attrs.length; i < len; i++) {
-    var c = attrs[i];
+    var c = attrs.charAt(i),v;
     if (tmpName === false && c === '=') {
@@ -204,3 +205,3 @@ tmpName = attrs.slice(lastPos, i);
         } else {
-          var v = attrs.slice(lastPos + 1, j).trim();
+          v = attrs.slice(lastPos + 1, j).trim();
           addAttr(tmpName, v);
@@ -215,3 +216,3 @@ tmpName = false;
     if (c === ' ') {
-      var v = attrs.slice(lastPos, i).trim();
+      v = attrs.slice(lastPos, i).trim();
       if (tmpName === false) {
@@ -236,3 +237,3 @@ addAttr(v);
   if (hasSprit) _attrs += '/';
-  
+
   return _attrs.trim();
@@ -252,15 +253,26 @@ };
   var rethtml = '';
+  var tagName;
+  var hasSprit;
   var spos = tag.slice(0, 2) === '</' ? 2 : 1;
-    
+
   var i = tag.indexOf(' ');
   if (i === -1) {
-    var tagName = tag.slice(spos, tag.length - 1).trim();
+    tagName = tag.slice(spos, tag.length - 1).trim();
   } else {
-    var tagName = tag.slice(spos, i + 1).trim();
+    tagName = tag.slice(spos, i + 1).trim();
   }
   tagName = tagName.toLowerCase();
+
+  // 检查标签是否以“/”结尾
+  if (tagName.slice(-1) === '/') {
+    tagName = tagName.slice(0, -1);
+    hasSprit = true;
+  } else {
+    hasSprit = false;
+  }
+
   if (tagName in this.whiteList) {
     // 过滤不合法的属性
     if (i === -1) {
-      rethtml += tag.slice(0, spos) + tagName + '>';
+      rethtml += tag.slice(0, spos) + tagName + (hasSprit ? ' />' : '>');
     } else {
@@ -301,6 +313,7 @@ var attrs = this.filterAttributes(tagName, tag.slice(i + 1, tag.length - 1).trim());
   var currentPos = 0;
+  var len = 0;
 
   // 逐个分析字符
-  for (var currentPos = 0, len = html.length; currentPos < len; currentPos++) {
-    var c = html[currentPos];
+  for (currentPos = 0, len = html.length; currentPos < len; currentPos++) {
+    var c = html.charAt(currentPos);
     if (tagStart === false) {
@@ -355,3 +368,3 @@ if (c === '<') {
   return xss.process(html);
-};
+}
 
@@ -370,2 +383,20 @@ // 默认配置
 if (typeof window !== 'undefined') {
+  if(!Array.indexOf){
+    Array.prototype.indexOf = function(item){
+        for(var i=0;i<this.length;i++){
+            if(this[i] == item) return i;
+        }
+        return -1;
+    };
+  }
+  if(!Array.forEach){
+    Array.prototype.forEach = function(fn){
+       for(var i=0;i<this.length;i++) fn(this[i],i,this);
+    };
+  }
+  if(!String.trim){
+    String.prototype.trim = function(){
+        return this.replace(/(^\s*)|(\s*$)/g,"");
+    };
+  }
   window.filterXSS = module.exports;
@@ -372,0 +403,0 @@ }

lib/index.js

@@ -48,3 +48,3 @@ /**
   audio:  ['autoplay', 'controls', 'loop', 'preload', 'src'],
-  video:  ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width'],
+  video:  ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width']
 };
@@ -125,3 +125,3 @@
 function replaceUnicode (str, code) {
-  return String.fromCharCode(parseInt(code));
+  return String.fromCharCode(parseInt(code,10));
 }
@@ -166,3 +166,3 @@
       return;
-    };
+    }
     name = name.replace(REGEXP_ATTR_NAME, '').toLowerCase();
@@ -177,3 +177,3 @@ if (name.length < 1) return;
         for (var i = 0, len = value.length; i < len; i++) {
-          _value += value.charCodeAt(i) < 32 ? ' ' : value[i];
+          _value += value.charCodeAt(i) < 32 ? ' ' : value.charAt(i);
         }
@@ -191,3 +191,3 @@ value = _value.trim();
   for (var i = 0, len = attrs.length; i < len; i++) {
-    var c = attrs[i];
+    var c = attrs.charAt(i),v;
     if (tmpName === false && c === '=') {
@@ -204,3 +204,3 @@ tmpName = attrs.slice(lastPos, i);
         } else {
-          var v = attrs.slice(lastPos + 1, j).trim();
+          v = attrs.slice(lastPos + 1, j).trim();
           addAttr(tmpName, v);
@@ -215,3 +215,3 @@ tmpName = false;
     if (c === ' ') {
-      var v = attrs.slice(lastPos, i).trim();
+      v = attrs.slice(lastPos, i).trim();
       if (tmpName === false) {
@@ -251,2 +251,4 @@ addAttr(v);
   var rethtml = '';
+  var tagName;
+  var hasSprit;
   var spos = tag.slice(0, 2) === '</' ? 2 : 1;
@@ -256,5 +258,5 @@
   if (i === -1) {
-    var tagName = tag.slice(spos, tag.length - 1).trim();
+    tagName = tag.slice(spos, tag.length - 1).trim();
   } else {
-    var tagName = tag.slice(spos, i + 1).trim();
+    tagName = tag.slice(spos, i + 1).trim();
   }
@@ -266,5 +268,5 @@ tagName = tagName.toLowerCase();
     tagName = tagName.slice(0, -1);
-    var hasSprit = true;
+    hasSprit = true;
   } else {
-    var hasSprit = false;
+    hasSprit = false;
   }
@@ -311,6 +313,7 @@
   var currentPos = 0;
+  var len = 0;
 
   // 逐个分析字符
-  for (var currentPos = 0, len = html.length; currentPos < len; currentPos++) {
-    var c = html[currentPos];
+  for (currentPos = 0, len = html.length; currentPos < len; currentPos++) {
+    var c = html.charAt(currentPos);
     if (tagStart === false) {
@@ -365,3 +368,3 @@ if (c === '<') {
   return xss.process(html);
-};
+}
 
@@ -380,3 +383,21 @@ // 默认配置
 if (typeof window !== 'undefined') {
+  if(!Array.indexOf){
+    Array.prototype.indexOf = function(item){
+        for(var i=0;i<this.length;i++){
+            if(this[i] == item) return i;
+        }
+        return -1;
+    };
+  }
+  if(!Array.forEach){
+    Array.prototype.forEach = function(fn){
+       for(var i=0;i<this.length;i++) fn(this[i],i,this);
+    };
+  }
+  if(!String.trim){
+    String.prototype.trim = function(){
+        return this.replace(/(^\s*)|(\s*$)/g,"");
+    };
+  }
   window.filterXSS = module.exports;
 }

package.json

 {
   "name":           "xss",
   "main":           "./lib/index.js",
-  "version":        "0.0.7",
+  "version":        "0.0.8",
   "description":    "XSS攻击代码过滤 Remove XSS attack vectors from user-supplied HTML",
@@ -6,0 +6,0 @@ "author":         "leizongmin <leizongmin@gmail.com> (http://ucdok.com)",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

149305

increased by0.82%

Lines of code

1049

increased by5.01%

No dependency changes