fix for #86 #89


@chesles

No description provided.

@chriso
Owner

Thanks

@chriso chriso merged commit 62809e6 into chriso:master
Commits on Jun 18, 2012
  1. @chesles

    Fix for #86, URL mangling

    chesles authored
Showing with 11 additions and 3 deletions.
  1. +8 −3 lib/xss.js
  2. +3 −0  test/filter.test.js
11 lib/xss.js
@@ -50,13 +50,18 @@ exports.clean = function(str, is_image) {
str = remove_invisible_characters(str);
//Protect query string variables in URLs => 901119URL5918AMP18930PROTECT8198
- str = str.replace(/\&([a-z\_0-9]+)\=([a-z\_0-9]+)/i, xss_hash() + '$1=$2');
+ var hash;
+ do {
+ // ensure str does not contain hash before inserting it
+ hash = xss_hash();
+ } while(str.indexOf(hash) >= 0)
+ str = str.replace(/\&([a-z\_0-9]+)\=([a-z\_0-9]+)/ig, hash + '$1=$2');
//Validate UTF16 two byte encoding (x00) - just as above, adds a semicolon if missing.
- str = str.replace(/(&\#x?)([0-9A-F]+);?/i, '$1$2;');
+ str = str.replace(/(&\#x?)([0-9A-F]+);?/ig, '$1$2;');
//Un-protect query string variables
- str = str.replace(xss_hash(), '&');
+ str = str.replace(new RegExp(hash, 'g'), '&');
//Decode just in case stuff like this is submitted:
//<a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
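Review bot: The do/while added at the top of the hunk has no upper bound, so if xss_hash() can return the same value on consecutive calls (its body is not shown here; if it is a fixed sentinel rather than a fresh random string) then any input that already contains that sentinel makes clean() spin forever, which is a denial-of-service vector in the one routine meant to receive untrusted input. The un-protect step also changed meaning: `str.replace(hash, '&')` matched the sentinel literally, but `new RegExp(hash, 'g')` compiles it as a pattern, so any regex metacharacter in the sentinel (`*`, `$`, `^`, `(`) would throw or match the wrong text; a literal global replace such as `str = str.split(hash).join('&');` keeps the fix without that risk. A bounded retry that fails loudly preserves the intent of the loop without the hang; whether to throw or fall back to escaping the whole string depends on how callers treat errors from clean(). exports.clean continues outside the hunk, and the hunk header counts 13/18 lines while fewer are shown, so some context is missing from this view.
```javascript
var hash, attempts = 0;
do {
  // ensure str does not contain hash before inserting it; give up rather than loop forever
  if (++attempts > 10) {
    throw new Error('xss.clean: could not find a placeholder absent from the input');
  }
  hash = xss_hash();
} while (str.indexOf(hash) >= 0);
str = str.replace(/\&([a-z\_0-9]+)\=([a-z\_0-9]+)/ig, hash + '$1=$2');
// … unchanged: UTF16 entity semicolon fix …
// literal replace: hash may contain regex metacharacters, so do not build a RegExp from it
str = str.split(hash).join('&');
```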
3  test/filter.test.js
@@ -132,6 +132,9 @@ module.exports = {
//Need more tests!
assert.equal('[removed] foobar', Filter.sanitize('javascript : foobar').xss());
assert.equal('[removed] foobar', Filter.sanitize('j a vasc ri pt: foobar').xss());
+
+ var url = 'http://www.example.com/test.php?a=b&b=c&c=d';
+ assert.equal(url, Filter.sanitize(url).xss());
},
'test chaining': function () {