Fix a few edge cases for XSS

2013-10-31 00:48:01 -05:00 · 2013-10-31 00:48:01 -05:00 · 1c3273978b
parent 271a23cdad
commit 1c3273978b
2 changed files with 20 additions and 4 deletions
--- a/lib/xss.js
+++ b/lib/xss.js
@ -59,7 +59,7 @@ TagParser.prototype.parse = function () {

    // Attributes
    var attrs = {};
-    while (this.text[this.i] !== ">") {
+    while (this.i < this.text.length && this.text[this.i] !== ">") {
        var key = this.readLiteralOrString(/[^\s=>]/);
        this.skipWhitespace();
        if (this.text[this.i] !== "=") {
@ -77,7 +77,10 @@ TagParser.prototype.parse = function () {
        }
        this.skipWhitespace();
    }
-    this.i++;
+
+    if (this.i < this.text.length) {
+        this.i++;
+    }

    return {
        tagName: tname,
@ -153,8 +156,16 @@ function sanitizeHTML(str) {
        for (var k in t.attributes) {
            if (k.match(badAttrs)) {
                delete t.attributes[k];
-            } else if (t.attributes[k].match(badAttrValues)) {
-                t.attributes[k] = t.attributes[k].replace(badAttrValues, "");
+            } else  {
+                if (t.attributes[k].match(badAttrValues)) {
+                    t.attributes[k] = t.attributes[k].replace(badAttrValues, "");
+                }
+
+                var k2 = k.replace(/[^\w]/g, "");
+                if (k2 !== k) {
+                    t.attributes[k2] = t.attributes[k];
+                    delete t.attributes[k];
+                }
            }
        }
        var fmt = "<" + t.tagName;
--- a/tests/xss.js
+++ b/tests/xss.js
@ -10,6 +10,11 @@ function basicTest() {

    assert(sanitize("<a href='javascript:alert(document.cookie)'>") === 
                    "<a href=\":()\">");
+
+    assert(sanitize("<a ") === "<a>");
+
+    assert(sanitize("<img src=\"<a href=\"javascript:void(0)\">>") ===
+                    "<img src=\"<a href=\" javascriptvoid0=\"\">>");
 }

 basicTest();