
Commit 3bf8aaa

fix XSS bypass caused by a prototype pollution issue (only honour own `allowedTags`/`allowedKeys` options).
1 parent fe0ebce commit 3bf8aaa


3 files changed

+41
-3
lines changed


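--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -21,6 +21,7 @@
 "prettier/prettier": ["error"],
 "quotes": "off",
 "strict": "off",
-"prefer-arrow-callback":"off"
+"prefer-arrow-callback":"off",
+"operator-linebreak": "off"
 }
 }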

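--- a/lib/sanitize.js
+++ b/lib/sanitize.js
@@ -4,12 +4,19 @@ const sanitizeHtml = require("sanitize-html");
 
 const initializeOptions = (options) => {
 const sanitizerOptions = {};
-if (Array.isArray(options.allowedTags) && options.allowedTags.length > 0) {
+if (
+Object.hasOwn(options, "allowedTags") &&
+Array.isArray(options.allowedTags) &&
+options.allowedTags.length > 0
+) {
 sanitizerOptions.allowedTags = options.allowedTags;
 }
 return {
 allowedKeys:
-(Array.isArray(options.allowedKeys) && options.allowedKeys) || [],
+(Object.hasOwn(options, "allowedKeys") &&
+Array.isArray(options.allowedKeys) &&
+options.allowedKeys) ||
+[],
 sanitizerOptions,
 };
 };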

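--- a/test/test.js
+++ b/test/test.js
@@ -1222,4 +1222,34 @@ describe("Express xss Sanitize", function () {
 });
 });
 });
+
+describe("Sanitize data with custom options as function", function () {
+describe("Sanitize simple object", function () {
+it("should sanitize dirty body.", function (done) {
+expect(sanitize({
+a: "<script>Test</script>",
+b: '<p onclick="return;">Test</p>',
+c: '<img src="/"/>',
+}, { allowedKeys: ["c"] })).to.eql({
+a: "",
+b: "<p>Test</p>",
+c: '<img src="/"/>',
+});
+done();
+});
+});
+
+describe("XSS bypass by using prototype pollution issue", function () {
+it("should sanitize dirty data after prototype pollution.", function (done) {
+// eslint-disable-next-line no-extend-native
+Object.prototype.allowedTags = ['script'];
+expect(sanitize({
+a: "<script>Test</script>",
+}, {})).to.eql({
+a: "",
+});
+done();
+});
+});
+});
 });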
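Review bot: The new test at line 1245 assigns `Object.prototype.allowedTags = ['script']` and never removes it, so the pollution persists for every test that runs after it in the same mocha process (and for any other spec file loaded alongside), which can mask or cause unrelated failures and makes the suite order-dependent. Wrap the assertion in `try { … } finally { delete Object.prototype.allowedTags; }`, or add an `afterEach` hook inside this `describe` that deletes the property. The fix also guards `allowedKeys`, but only `allowedTags` pollution is exercised here; a sibling case setting `Object.prototype.allowedKeys = ["a"]` and asserting that `a` is still reduced to `""` would cover the second branch. The outer `describe("Express xss Sanitize", …)` block begins before this hunk.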
