Merge pull request #315 from calzoneman/xss

Minor correction to xss.js
Calvin Montgomery 2013-12-05 19:34:01 -08:00
commit c00ce26d57
1 changed files with 7 additions and 6 deletions


@ -216,6 +216,13 @@ function sanitizeHTML(str) {
continue;
}
for (var k in t.attributes) {
// Keys should not contain non-word characters.
var k2 = k.replace(/[^\w]/g, "");
if (k2 !== k) {
t.attributes[k2] = t.attributes[k];
delete t.attributes[k];
k = k2;
}
// If it's an evil attribute, just nuke it entirely
if (k.match(badAttrs)) {
delete t.attributes[k];
@ -225,12 +232,6 @@ function sanitizeHTML(str) {
t.attributes[k] = t.attributes[k].replace(badAttrValues, "[removed]");
}
// Keys should not contain non-word characters.
var k2 = k.replace(/[^\w]/g, "");
if (k2 !== k) {
t.attributes[k2] = t.attributes[k];
delete t.attributes[k];
}
}
}
// Build the sanitized tag
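Review bot: In the added normalization block (`var k2 = k.replace(/[^\w]/g, "");`), a key made up only of non-word characters gives `k2 === ""`, so its value is re-stored under an empty attribute name, which presumably does not match `badAttrs`. Dropping such an attribute is safer: `if (k2 === "") { delete t.attributes[k]; continue; }`. A stripped key can also collide with an attribute that is already present and silently replace it. The loop also adds and deletes properties on `t.attributes` while `for...in` is enumerating it, so iterating over `Object.keys(t.attributes)` would make the visit order independent of those mutations. `sanitizeHTML` starts and ends outside the lines shown, so how the tag builder handles an empty name cannot be confirmed from here.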