moon
/
sync
mirror of https://github.com/calzoneman/sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #315 from calzoneman/xss 

Minor correction to xss.js
This commit is contained in:
Calvin Montgomery 2013-12-05 19:34:01 -08:00
parent 1a44d7ca31 9dc964bd77
commit c00ce26d57
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/xss.js
View File

@ -216,6 +216,13 @@ function sanitizeHTML(str) {
continue; continue;
} }
for (var k in t.attributes) { for (var k in t.attributes) {
// Keys should not contain non-word characters.
var k2 = k.replace(/[^\w]/g, "");
if (k2 !== k) {
t.attributes[k2] = t.attributes[k];
delete t.attributes[k];
k = k2;
}
// If it's an evil attribute, just nuke it entirely // If it's an evil attribute, just nuke it entirely
if (k.match(badAttrs)) { if (k.match(badAttrs)) {
delete t.attributes[k]; delete t.attributes[k];
@ -225,12 +232,6 @@ function sanitizeHTML(str) {
t.attributes[k] = t.attributes[k].replace(badAttrValues, "[removed]"); t.attributes[k] = t.attributes[k].replace(badAttrValues, "[removed]");
} }
// Keys should not contain non-word characters.
var k2 = k.replace(/[^\w]/g, "");
if (k2 !== k) {
t.attributes[k2] = t.attributes[k];
delete t.attributes[k];
}
} }
} }
// Build the sanitized tag // Build the sanitized tag