fix XSS bypass by using prototype pollution issue.
AhmedAdelFahim committed Sep 20, 2022
1 parent fe0ebce commit 3bf8aaa
Showing 3 changed files with 41 additions and 3 deletions.
3 changes: 2 additions & 1 deletion .eslintrc.json
Expand Up @@ -21,6 +21,7 @@
"prettier/prettier": ["error"],
"quotes": "off",
"strict": "off",
"prefer-arrow-callback":"off"
"prefer-arrow-callback":"off",
"operator-linebreak": "off"
}
}
11 changes: 9 additions & 2 deletions lib/sanitize.js
Expand Up @@ -4,12 +4,19 @@ const sanitizeHtml = require("sanitize-html");

const initializeOptions = (options) => {
const sanitizerOptions = {};
if (Array.isArray(options.allowedTags) && options.allowedTags.length > 0) {
if (
Object.hasOwn(options, "allowedTags") &&
Array.isArray(options.allowedTags) &&
options.allowedTags.length > 0
) {
sanitizerOptions.allowedTags = options.allowedTags;
}
return {
allowedKeys:
(Array.isArray(options.allowedKeys) && options.allowedKeys) || [],
(Object.hasOwn(options, "allowedKeys") &&
Array.isArray(options.allowedKeys) &&
options.allowedKeys) ||
[],
sanitizerOptions,
};
};
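Review bot: `Object.hasOwn`, used in both new guards of `initializeOptions`, is ES2022 and only exists on Node 16.9 and later, so on older runtimes the function now throws a TypeError on every call instead of sanitizing; if the package's `engines` field (not visible here) still admits older Node, `Object.prototype.hasOwnProperty.call(options, "allowedTags")` gives the same own-property semantics everywhere. The reason for the own-property check is not recorded in the code, and a later edit could easily "simplify" it back to a bare `Array.isArray`; a comment above the first guard such as `// own-property checks only: a polluted Object.prototype must not be able to widen allowedTags/allowedKeys` would prevent that. `sanitizerOptions` is still a plain `{}` that inherits from the same prototype, so whether the downstream sanitizer reads `allowedTags` by own property or by ordinary lookup is outside this hunk and worth confirming with the new test rather than assuming. `initializeOptions` begins and ends inside the hunk.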
30 changes: 30 additions & 0 deletions test/test.js
Expand Up @@ -1222,4 +1222,34 @@ describe("Express xss Sanitize", function () {
});
});
});

describe("Sanitize data with custom options as function", function () {
describe("Sanitize simple object", function () {
it("should sanitize dirty body.", function (done) {
expect(sanitize({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
}, { allowedKeys: ["c"] })).to.eql({
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
});
done();
});
});

describe("XSS bypass by using prototype pollution issue", function () {
it("should sanitize dirty data after prototype pollution.", function (done) {
// eslint-disable-next-line no-extend-native
Object.prototype.allowedTags = ['script'];
expect(sanitize({
a: "<script>Test</script>",
}, {})).to.eql({
a: "",
});
done();
});
});
});
});
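Review bot: The new test that sets `Object.prototype.allowedTags = ['script'];` never removes the pollution, so every test that runs after it in the same mocha process executes against a modified `Object.prototype` and can pass or fail for reasons unrelated to what it asserts. Restore it in a `finally` block or an `afterEach`: `delete Object.prototype.allowedTags;`. The describe title `Sanitize data with custom options as function` does not match its body, which passes a plain `{ allowedKeys: ["c"] }` options object rather than a function, so the title should say what the case actually checks. The enclosing `describe("Express xss Sanitize")` starts outside the hunk.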

