From 0fe551c2c6fac1277c0b9688263bd61acc52baf8 Mon Sep 17 00:00:00 2001 From: Mike Samuel Date: Fri, 11 Aug 2017 00:14:48 -0400 Subject: [PATCH] Escape text from custom transformTags functions. This makes custom tag transformations less error-prone. Prior to this patch, tag transformations which turned an attribute value into a text node could be vulnerable to code execution. The operative change prevents any Frame's innerText from specifying tag tokens. --- index.js | 2 +- test/test.js | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/index.js b/index.js index 0b62f0d..0fc30bd 100644 --- a/index.js +++ b/index.js @@ -192,7 +192,7 @@ function sanitizeHtml(html, options, _recursing) { } else { result += ">"; if (frame.innerText && !hasText && !options.textFilter) { - result += frame.innerText; + result += escapeHtml(frame.innerText); } } }, diff --git a/test/test.js b/test/test.js index f5c2853..90325d3 100644 --- a/test/test.js +++ b/test/test.js @@ -532,4 +532,28 @@ describe('sanitizeHtml', function() { 'test' ); }); + it('text from transformTags should not specify tags', function() { + var input = ''; + var want = '<script>alert(1)</script>'; + // Runs the sanitizer with a policy that turns an attribute into + // text. A policy like this might be used to turn inputs into + // inline elements that look like the original but which do not + // affect form submissions. + var got = sanitizeHtml( + input, + { + allowedTags: [ 'u' ], + allowedAttributes: { '*': ['class'] }, + transformTags: { + input: function (tagName, attribs) { + return { + tagName: 'u', + attribs: { class: 'inlined-input' }, + text: attribs.value + }; + } + } + }); + assert.equal(got, want); + }); });