diff --git a/lib/xss.js b/lib/xss.js
index a31e0bed..56398934 100644
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -262,4 +262,20 @@ function sanitizeText(str) {
return str;
}
+function decodeText(str) {
+ str = str.replace(/([0-9]{2,4});?/g, function (m, p1) {
+ return String.fromCharCode(parseInt(p1));
+ });
+ str = str.replace(/([0-9a-f]{2,4});?/ig, function (m, p1) {
+ return String.fromCharCode(parseInt(p1, 16));
+ });
+ str = str.replace(/</g, "<")
+ .replace(/>/g, ">")
+ .replace(/"/g, "\"")
+ .replace(/&/g, "&");
+ return str;
+}
+
module.exports.sanitizeHTML = sanitizeHTML;
+module.exports.sanitizeText = sanitizeText;
+module.exports.decodeText = decodeText;
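Review bot: `parseInt(p1)` in the decimal-entity callback passes no radix, while the hex branch two lines below passes 16 explicitly; a decimal entity with a leading zero could be read as octal on older engines, so make it `return String.fromCharCode(parseInt(p1, 10));`. The numeric decoding also runs before the named-entity replacements at the end of decodeText, so input that encodes the ampersand numerically (`&#38;lt;`) is decoded twice, to `<` instead of `&lt;`; decoding every entity form in a single pass over one combined pattern avoids that, which matters if callers rely on decodeText being a one-level inverse of sanitizeText. Both numeric regexes appear on this page without a `&#`/`&#x` entity prefix and the named replacements look like no-ops, which is presumably rendering loss rather than the committed code, so the exact patterns cannot be confirmed from this hunk. decodeText also has no doc comment; a JSDoc such as `/** Decodes numeric character references and the named entities lt, gt, quot and amp back to text; inverse of sanitizeText. */` above the function would help.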
diff --git a/tests/xss.js b/tests/xss.js
index b6088aea..8361e78e 100644
--- a/tests/xss.js
+++ b/tests/xss.js
@@ -1,21 +1,46 @@
-var sanitize = require('../lib/xss').sanitizeHTML;
+var sanitize = require('../lib/xss');
+var sanitizeHTML = sanitize.sanitizeHTML;
+var sanitizeText = sanitize.sanitizeText;
+var decodeText = sanitize.decodeText;
var assert = require('assert');
+var failed = 0;
-function basicTest() {
- assert(sanitize("< script src = bad.js>blah") ===
- "[tag removed]blah[tag removed]");
-
- assert(sanitize("< img src=asdf onerror='alert(\"xss\")'>") ===
- "");
-
- assert(sanitize("") ===
- "");
-
- assert(sanitize("");
-
- assert(sanitize(">") ===
- ">");
+function doTest(s, src, expected) {
+ try {
+ assert(s(src) === expected);
+ } catch (e) {
+ failed++;
+ console.log("Expected '" + expected + "'");
+ console.log("Got '" + s(src) + "'");
+ }
}
-basicTest();
-console.log("Tests passed.");
+function testSanitizeHTML() {
+ doTest(sanitizeHTML, "< script src = bad.js>blah", "[tag removed]blah[tag removed]");
+
+ doTest(sanitizeHTML, "< img src=asdf onerror='alert(\"xss\")'>", "");
+
+ doTest(sanitizeHTML, "", "");
+
+ doTest(sanitizeHTML, "");
+
+ doTest(sanitizeHTML, ">", ">");
+}
+
+function testSanitizeText() {
+ doTest(sanitizeText, "", "<a href="#" onerror="javascript:alert('xss')">");
+ doTest(sanitizeText, "<>&"ç ", "<>&"ç	");
+}
+
+function testDecode() {
+ doTest(decodeText, "<a href="#" onerror="javascript:alert('xss')">", "");
+ doTest(decodeText, "<>&"ç	", "<>&"ç ");
+}
+
+testSanitizeHTML();
+testSanitizeText();
+testDecode();
+if (!failed)
+ console.log("Tests passed.");
+else
+ console.log(""+failed, "tests failed");
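Review bot: The `catch` branch of doTest only counts and logs a failure, and the final `else` branch prints the count but leaves the exit status at 0, so a failing run still looks green to npm or CI, whereas the removed basicTest threw and therefore exited non-zero. Add `process.exitCode = 1;` after the `console.log(""+failed, "tests failed");` line. Inside doTest, `assert.strictEqual(s(src), expected)` would report the expected and actual values itself and remove the second `s(src)` call in the catch block that re-runs the function under test. The `doTest(sanitizeHTML, "");` call passes no `expected` argument and so compares against undefined; this is likely rendering loss on this page, since the removed assertion at the same spot looks truncated the same way, but it is worth confirming in the actual file.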