Regular expressions aren’t the right way

[charmander]

A blacklist is also not the right way.

<a href="&amp;#106;avascript:&amp;#100;ocument.wr&amp;#105;te('\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x34\x32\x29\x3b\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');&amp;#100;ocument.close();">Hello</a>

[chriso]

The xss() function is a port of the same function from CodeIgniter. I ported it across because there wasn't another solution for node.js at the time. A whitelist which doesn't resort to regex would be better than the current blacklist, you're right. Pull requests that improve the filter are always welcome.

FYI your example doesn't pass through the filter

<a>alert&#40;42&#41;;[removed]');&#100;ocument.close();">Hello</a>

[charmander]

Well, I seem to be using the latest version (1.5.1), and here’s the result:

$ node
> var validator = require("./");
> var input = '<a href="&amp;#106;avascript:&amp;#100;ocument.wr&amp;#105;te(\'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3e\\x61\\x6c\\x65\\x72\\x74\\x28\\x34\\x32\\x29\\x3b\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e\');&amp;#100;ocument.close();">Hello</a>';
> var output = validator.sanitize(input).xss();
> console.log(output);
<a href="&#106;avascript:&#100;ocument.wr&#105;te('\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x34\x32\x29\x3b\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');&#100;ocument.close();">Hello</a>

If you’d like a pull request that uses an HTML parser of some sort, by the way, I would be very happy to do that. Thanks.

[chriso]

Ah, you're right. I wasn't escaping the backslashes inside the write().

I'd gladly accept a PR. The library is due for a major (api-breaking) update and cleanup soon so maybe it's best to wait for that.

[funseiki]

What about combining with Google's Caja sanitation engine? Here's a quick snippet comparing validator and a node port of Caja called sanitizer.

var validator = require('validator'),
    sanitizer = require('sanitizer');
var input = '<a href="&amp;#106;avascript:&amp;#100;ocument.wr&amp;#105;te(\'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3e\\x61\\x6c\\x65\\x72\\x74\\x28\\x34\\x32\\x29\\x3b\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e\');&amp;#100;ocument.close();">Hello</a>';

var outVal = validator.sanitize(input).xss();
var outSan = sanitizer.sanitize(input);

console.log("Validator Output:\n", outVal);

console.log("Sanitizer Output:\n", outSan);

Validator Output:

 <a href="&#106;avascript:&#100;ocument.wr&#105;te('\x3c\x73\x63\x72\x69\x70\x74
\x3e\x61\x6c\x65\x72\x74\x28\x34\x32\x29\x3b\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e
');&#100;ocument.close();">Hello</a>

Sanitizer Output:

 <a>Hello</a>

[charmander]

Just tell people to use that instead; separate is better.

[chriso]

Looks like Caja is written in Java

[chriso]

The node port comes with the following warning

It’s use this at your own risk really - Caja HTML Sanitizer was written by people far cleverer than me. I have just repackaged it to solve a problem I had (sanitization on a Node server). It seems to work, and it passes all its tests in re-packaged form - however I don’t fully understand its internals so cannot guarantee its security.

I'll probably just remove xss() in the next version.

[funseiki]

Here's an SO post regarding (somewhat) its efficacy. There's a javascript port (Google written by the looks of it) that the post links to. It's apparently white-list based and configurable. I've just been using it out-of-the-box.