lines changed Original file line number Diff line number Diff line change 2121 "prettier/prettier" : [" error" ],
2222 "quotes" : " off" ,
2323 "strict" : " off" ,
24- "prefer-arrow-callback" :" off"
24+ "prefer-arrow-callback" :" off" ,
25+ "operator-linebreak" : " off"
2526 }
2627}
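--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -4,12 +4,19 @@ const sanitizeHtml = require("sanitize-html");
 
 const initializeOptions = (options) => {
   const sanitizerOptions = {};
-  if (Array.isArray(options.allowedTags) && options.allowedTags.length > 0) {
+  if (
+    Object.hasOwn(options, "allowedTags") &&
+    Array.isArray(options.allowedTags) &&
+    options.allowedTags.length > 0
+  ) {
     sanitizerOptions.allowedTags = options.allowedTags;
   }
   return {
     allowedKeys:
-      (Array.isArray(options.allowedKeys) && options.allowedKeys) || [],
+      (Object.hasOwn(options, "allowedKeys") &&
+        Array.isArray(options.allowedKeys) &&
+        options.allowedKeys) ||
+      [],
     sanitizerOptions,
   };
 };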
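Review bot: The new `Object.hasOwn(options, "allowedTags")` and `Object.hasOwn(options, "allowedKeys")` calls are ES2022 and only exist on Node 16.9 and later, so on any older runtime the package's `engines` field may still admit, `initializeOptions` now throws a TypeError instead of sanitizing; if older Node must stay supported, the equivalent guard is `Object.prototype.hasOwnProperty.call(options, "allowedTags")` (and likewise for `allowedKeys`). The reason for the guard is not visible in the code itself, so a one-line comment above the `if` would help the next maintainer keep it: `// own-property checks: ignore allowedTags/allowedKeys inherited through a polluted Object.prototype`. Note also that `Object.hasOwn` throws when `options` is `null`/`undefined`, which matches the pre-existing behaviour of `options.allowedTags` rather than being a regression, but the caller's responsibility to pass an object is worth stating in that comment.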
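--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1222,4 +1222,34 @@ describe("Express xss Sanitize", function () {
       });
     });
   });
+
+  describe("Sanitize data with custom options as function", function () {
+    describe("Sanitize simple object", function () {
+      it("should sanitize dirty body.", function (done) {
+        expect(sanitize({
+          a: "<script>Test</script>",
+          b: '<p onclick="return;">Test</p>',
+          c: '<img src="/"/>',
+        }, { allowedKeys: ["c"] })).to.eql({
+          a: "",
+          b: "<p>Test</p>",
+          c: '<img src="/"/>',
+        });
+        done();
+      });
+    });
+
+    describe("XSS bypass by using prototype pollution issue", function () {
+      it("should sanitize dirty data after prototype pollution.", function (done) {
+        // eslint-disable-next-line no-extend-native
+        Object.prototype.allowedTags = ['script'];
+        expect(sanitize({
+          a: "<script>Test</script>",
+        }, {})).to.eql({
+          a: "",
+        });
+        done();
+      });
+    });
+  });
 });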
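Review bot: The prototype-pollution test assigns `Object.prototype.allowedTags = ['script']` and never removes it, so every test that runs afterwards in this process (and any earlier one under a different ordering) executes against a polluted global prototype, which can mask or cause unrelated failures. Remove the property once the assertion has run, e.g. wrap the `expect(...)` in `try { ... } finally { delete Object.prototype.allowedTags; }` or register an `afterEach` in the enclosing `describe` that does the same, so the regression test stays hermetic. The outer `describe` title says "custom options as function", but both new cases pass a plain object literal as the options argument; renaming it to something like "Sanitize data with custom options object" would describe what is actually exercised.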