
Remove the XSS filter.

The xss() function was originally a port of the XSS filter from
CodeIgniter. I added it to the library because there wasn't an
alternative at the time. Unfortunately I don't have the time or
expertise to maintain the XSS filter or keep merging upstream
changes.

If you need one for your app, I suggest looking at the Caja HTML sanitisation
engine maintained by Google
(https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js).

Closes #123, #138, #181, #206, #210, #221, #223, #226, #227, #231, #232
chriso committed Oct 31, 2013
1 parent afd1a45 commit 2d5d6999541add350fb396ef02dc42ca3215049e
Showing with 3 additions and 482 deletions.
  1. +0 −5 README.md
  2. +0 −6 lib/filter.js
  3. +0 −228 lib/xss.js
  4. +1 −1 package.json
  5. +0 −33 test/filter.test.js
  6. +1 −1 validator-min.js
  7. +1 −208 validator.js
@@ -34,7 +34,6 @@ var int = sanitize('0123').toInt(); //123
var bool = sanitize('true').toBoolean(); //true
var str = sanitize(' \t\r hello \n').trim(); //'hello'
var str = sanitize('aaaaaaaaab').ltrim('a'); //'b'
var str = sanitize(large_input_str).xss();
var str = sanitize('&lt;a&gt;').entityDecode(); //'<a>'
```
@@ -58,7 +57,6 @@ get('/', function (req, res) {
req.checkHeader('referer').contains('localhost');
//Sanitize user input
req.sanitize('textarea').xss();
req.sanitize('foo').toBoolean();
//etc.
@@ -130,8 +128,6 @@ toBooleanStrict() //False unless str = '1' or 'true'
entityDecode() //Decode HTML entities
entityEncode()
escape() //Escape &, <, >, and "
xss() //Remove common XSS attack vectors from user-supplied HTML
xss(true) //Remove common XSS attack vectors from images
```
## Extending the library
@@ -221,7 +217,6 @@ var errors = validator.getErrors(); // ['Invalid email', 'String is too small']
- [oris](https://github.com/orls) - Added in()
- [mren](https://github.com/mren) - Decoupled rules
- [Thorsten Basse](https://github.com/tbasse) - Cleanup and refinement of existing validators
- [Neal Poole](https://github.com/nealpoole) - Port the latest xss() updates from CodeIgniter
## LICENSE
@@ -1,5 +1,4 @@
var entities = require('./entities');
var xss = require('./xss');
var Filter = exports.Filter = function() {}
@@ -28,11 +27,6 @@ Filter.prototype.convert = Filter.prototype.sanitize = function(str) {
return this;
}
Filter.prototype.xss = function(is_image) {
this.modify(xss.clean(this.str, is_image));
return this.wrap(this.str);
}
Filter.prototype.entityDecode = function() {
this.modify(entities.decode(this.str));
return this.wrap(this.str);

This file was deleted.

@@ -2,7 +2,7 @@
"description" : "Data validation, filtering and sanitization for node.js",
"version" : "1.5.1",
"homepage" : "http://github.com/chriso/node-validator",
"keywords" : ["validator", "validation", "assert", "params", "sanitization", "xss", "entities", "sanitize", "sanitisation", "input"],
"keywords" : ["validator", "validation", "assert", "params", "sanitization", "entities", "sanitize", "sanitisation", "input"],
"author" : "Chris O'Hara <cohara87@gmail.com>",
"main" : "./lib",
"directories" : { "lib" : "./lib" },
@@ -132,39 +132,6 @@ module.exports = {
assert.equal('&frac12;', Filter.sanitize('½').entityEncode());
},
'test #xss()': function () {
//Need more tests!
assert.equal('[removed] foobar', Filter.sanitize('javascript : foobar').xss());
assert.equal('[removed] foobar', Filter.sanitize('j a vasc ri pt: foobar').xss());
assert.equal('<a >some text</a>', Filter.sanitize('<a href="javascript:alert(\'xss\')">some text</a>').xss());
assert.equal('<s <> <s >This is a test</s>', Filter.sanitize('<s <onmouseover="alert(1)"> <s onmouseover="alert(1)">This is a test</s>').xss());
assert.equal('<a >">test</a>', Filter.sanitize('<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>').xss());
assert.equal('<div ><h1>You have won</h1>Please click the link and enter your login details: <a href="http://example.com/">http://good.com</a></div>', Filter.sanitize('<div style="z-index: 9999999; background-color: green; width: 100%; height: 100%"><h1>You have won</h1>Please click the link and enter your login details: <a href="http://example.com/">http://good.com</a></div>').xss());
assert.equal('<scrRedirec[removed]t 302ipt type="text/javascript">prompt(1);</scrRedirec[removed]t 302ipt>', Filter.sanitize('<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>').xss());
assert.equal('<img src="a" ', Filter.sanitize('<img src="a" onerror=\'eval(atob("cHJvbXB0KDEpOw=="))\'').xss());
// Source: http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html
assert.equal('<img src=">" >', Filter.sanitize('<img/src=">" onerror=alert(1)>').xss());
assert.equal('<button a=">" autofocus ></button>', Filter.sanitize('<button/a=">" autofocus onfocus=alert&#40;1&#40;></button>').xss());
assert.equal('<button a=">" autofocus >', Filter.sanitize('<button a=">" autofocus onfocus=alert&#40;1&#40;>').xss());
assert.equal('<a target="_blank">clickme in firefox</a>', Filter.sanitize('<a target="_blank" href="data:text/html;BASE64youdummy,PHNjcmlwdD5hbGVydCh3aW5kb3cub3BlbmVyLmRvY3VtZW50LmRvY3VtZW50RWxlbWVudC5pbm5lckhUTUwpPC9zY3JpcHQ+">clickme in firefox</a>').xss());
assert.equal('<a/\'\'\' target="_blank" href=[removed]PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+>firefox11</a>', Filter.sanitize('<a/\'\'\' target="_blank" href=data:text/html;;base64,PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+>firefox11</a>').xss());
var url = 'http://www.example.com/test.php?a=b&b=c&c=d';
assert.equal(url, Filter.sanitize(url).xss());
},
'test chaining': function () {
assert.equal('&amp;amp;amp;', Filter.sanitize('&').chain().entityEncode().entityEncode().entityEncode().value());
//Return the default behaviour
Filter.wrap = function (str) {
return str;
}
},
'test #escape': function () {
assert.equal('&amp;&lt;&quot;&gt;', Filter.sanitize('&<">').escape());
}

3 comments on commit 2d5d699

@wshaver


wshaver replied Nov 1, 2013

Wow, talk about a breaking change!

@freewil


freewil replied Nov 13, 2013

If you need this xss filter then you are doing it wrong. Good grief, glad this was removed.

@wshaver


wshaver replied Nov 20, 2013
