Looks like there are three problems:
Global leak with out; should be var out = '';
Regexp replace uses $out instead of out.
Regexp is not valid, back references can't be used in character classes.
Perhaps it's intended to be /\s*[a-z\-]+\s*=\s*(\042|\047)(?:(?!\1).*?)\1/gi.
However, that results in the following behavior:
> var s = require('./lib');
'<a \'xss\')">some text</a>'
Oh, I can totally submit a patch if I just get pointed in the right direction in terms of what filter_attributes() was meant to do.
It's a port of CodeIgniter's xss_clean() helper. My preg to RegExp skills weren't great when I ported it ;)
Fix obvious bugs in xss, re #74
Get rid of unnecessary back references and octals, re #74
Thanks for the quick response! It still doesn't look quite right to me: the use of comments seems to have been left over from a previous commit?
Fix filter_attributes again, re #74
Yeah, rushed it a bit. I also split out the first regexp into one for each quote so that the lazy .*? doesn't choke on something like href="alert('foo');". I'll write test cases when I get some time.
Looks like this issue is back again, identical to when I reported it. Should I open a new issue or can we reopen this?
Modify the behaviour of filter_attributes, re #74
Ok so I've changed the semantics a bit: if an offending attribute is found the whole thing is removed rather than just the evil pattern that was matched.
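The following is an added example illustrating the points made in this thread; it is not the xss module's code nor the final patch. It matches attribute values with a negated character class per quote style (the two per-quote regexps from the earlier comment combined into one alternation, so no back reference and no octal escapes for the quotes), and contrasts the two semantics discussed last: stripping only the matched fragment, which leaves debris like the `'xss')"` seen in the first report, versus dropping the whole offending attribute. The OFFENDING pattern is a placeholder assumption for the example, not the project's real list.

```javascript
// Added example, not the xss module's own code.
// Attribute matcher: name="value" or name='value'. Each branch uses a negated
// class for its own quote, so a value may contain the other quote character,
// e.g. href="alert('foo');", and no back reference is needed. The leading \s*
// is part of the match so that removing an attribute also removes the space
// before it.
const ATTR = /\s*[a-z-]+\s*=\s*(?:"[^"]*"|'[^']*')/gi;

// Assumed placeholder for "offending" attribute content. The real project has
// its own patterns; these are just enough for the demonstration.
const OFFENDING = /javascript\s*:|vbscript\s*:|expression\s*\(|on[a-z]+\s*=/i;

// Return every quoted attribute found in `str`, in document order.
function findAttributes(str) {
  return str.match(ATTR) || [];
}

// Weak semantics: delete only the fragment that matched OFFENDING, leaving the
// rest of the attribute behind as stray text inside the tag.
function stripFragmentOnly(str) {
  return str.replace(ATTR, attr => attr.replace(OFFENDING, ''));
}

// Stronger semantics (the change described in the last comment): if an
// attribute is offending, remove the whole attribute, not just the evil part.
function filterAttributes(str) {
  return str.replace(ATTR, attr => (OFFENDING.test(attr) ? '' : attr));
}

// Constructed sample inputs for a quick stand-alone run.
const samples = [
  '<a href="javascript:alert(1)" title="xss">some text</a>',
  "<a onclick=\"alert('xss')\">some text</a>",
];
for (const s of samples) {
  console.log('attributes  :', findAttributes(s));
  console.log('fragment    :', stripFragmentOnly(s));
  console.log('whole attr  :', filterAttributes(s));
}
```

On the second sample the fragment-only version yields `<a "alert('xss')">some text</a>`, the same kind of leftover the original report shows, while whole-attribute removal yields `<a>some text</a>`.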