Update XSS filter

This commit is contained in:
Calvin Montgomery 2014-06-25 20:22:54 -07:00
parent 9ce02c8e6b
commit 3661ab1fd9
1 changed files with 2 additions and 16 deletions

View File

@ -205,19 +205,6 @@ const badAttrs = new RegExp([
"\\baction"
].join("|"), "i");
/* These are things commonly used in the values of HTML attributes of
XSS injections. Go ahead and strip them, they don't have any other
use besides javascript
*/
const badAttrValues = new RegExp([
"alert",
"document.cookie",
"expression",
"javascript",
"location",
"window"
].join("|"), "ig");
function sanitizeHTML(str) {
var i = str.indexOf("<");
if (i === -1) {
@ -248,9 +235,8 @@ function sanitizeHTML(str) {
if (k.match(badAttrs)) {
delete t.attributes[k];
} else {
if (t.attributes[k].match(badAttrValues)) {
// As above, replacing with a nonempty string is important.
t.attributes[k] = t.attributes[k].replace(badAttrValues, "[removed]");
if (t.attributes[k].replace(/\s/g, "").indexOf("javascript:") !== -1) {
t.attributes[k] = "[removed]";
}
}