Fix a few edge cases for XSS

This commit is contained in:
calzoneman 2013-10-31 00:48:01 -05:00
parent 271a23cdad
commit 1c3273978b
2 changed files with 20 additions and 4 deletions

View File

@ -59,7 +59,7 @@ TagParser.prototype.parse = function () {
// Attributes
var attrs = {};
while (this.text[this.i] !== ">") {
while (this.i < this.text.length && this.text[this.i] !== ">") {
var key = this.readLiteralOrString(/[^\s=>]/);
this.skipWhitespace();
if (this.text[this.i] !== "=") {
@ -77,7 +77,10 @@ TagParser.prototype.parse = function () {
}
this.skipWhitespace();
}
if (this.i < this.text.length) {
this.i++;
}
return {
tagName: tname,
@ -153,9 +156,17 @@ function sanitizeHTML(str) {
for (var k in t.attributes) {
if (k.match(badAttrs)) {
delete t.attributes[k];
} else if (t.attributes[k].match(badAttrValues)) {
} else {
if (t.attributes[k].match(badAttrValues)) {
t.attributes[k] = t.attributes[k].replace(badAttrValues, "");
}
var k2 = k.replace(/[^\w]/g, "");
if (k2 !== k) {
t.attributes[k2] = t.attributes[k];
delete t.attributes[k];
}
}
}
var fmt = "<" + t.tagName;
for (var k in t.attributes) {

View File

@ -10,6 +10,11 @@ function basicTest() {
assert(sanitize("<a href='javascript:alert(document.cookie)'>") ===
"<a href=\":()\">");
assert(sanitize("<a ") === "<a>");
assert(sanitize("<img src=\"<a href=\"javascript:void(0)\">>") ===
"<img src=\"<a href=\" javascriptvoid0=\"\">>");
}
basicTest();