Skip to content

Commit

Permalink
# Added experimetal support for secure jQuery $() usage
Browse files Browse the repository at this point in the history
# Changed the demo accordingly
  • Loading branch information
mario committed Feb 19, 2014
1 parent 8646569 commit 9bbd560
Show file tree
Hide file tree
Showing 2 changed files with 51 additions and 48 deletions.
4 changes: 2 additions & 2 deletions demo/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,11 @@
<html>
<head>
<meta charset="UTF-8">
<title>DOMPurify 0.0.7.3 "Doing the Math"</title>
<title>DOMPurify 0.0.7.4 "The Little Drummer Boy"</title>
<script src="https://rawgithub.com/cure53/DOMPurify/master/purify.js"></script>
</head>
<body>
<h4>DOMPurify 0.0.7.3 "Doing the Math" (alpha)</h4>
<h4>DOMPurify 0.0.7.4 "The Little Drummer Boy" (alpha)</h4>
<p>
This is the demo for <a href="https://github.com/cure53/DOMPurify">DOMPurify</a>, a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, SVG and MathML.
The textarea below contains sample-payload - you can also add your own. Watch it sanitize on the console or in the Iframe below.
Expand Down
95 changes: 49 additions & 46 deletions purify.js
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
/* BOF */
;
DOMPurify = {};
DOMPurify.sanitize = function(a){
/******* /***************************************************************
Expand All @@ -10,68 +11,63 @@ DOMPurify.sanitize = function(a){
* /
/* allowed element names */
var ALLOWED_TAGS = [

// HTML
'a','abbr','acronym','address','area','article',
'aside','audio','b','bdi','bdo','big','blink',
'blockquote','body','br','button','canvas','caption',
'center','cite','code','col','colgroup','content','data',
'datalist','dd','decorator','del','details','dfn','dir',
'div','dl','dt','element','em','fieldset',
'figcaption','figure','font','footer','form','h1','h2','h3',
'h4','h5','h6','header','hgroup','hr','html','i',
'img','input','ins','kbd','label','legend','li','main','map',
'mark','marquee','menu','menuitem','meter','nav',
'nobr','ol','optgroup','option','output','p','pre',
'progress','q','rp','rt','ruby','s','samp','section','select',
'shadow','small','source','spacer','span','strike','strong','style',
'sub','summary','sup','table','tbody','td','template','textarea',
'tfoot','th','thead','time','tr','track','tt','u',
'ul','var','video','wbr',
'a','abbr','acronym','address','area','article','aside','audio','b',
'bdi','bdo','big','blink','blockquote','body','br','button','canvas',
'caption','center','cite','code','col','colgroup','content','data',
'datalist','dd','decorator','del','details','dfn','dir','div','dl','dt',
'element','em','fieldset','figcaption','figure','font','footer','form',
'h1','h2','h3','h4','h5','h6','header','hgroup','hr','html','i','img',
'input','ins','kbd','label','legend','li','main','map','mark','marquee',
'menu','menuitem','meter','nav','nobr','ol','optgroup','option','output'
,'p','pre','progress','q','rp','rt','ruby','s','samp','section',
'select','shadow','small','source','spacer','span','strike','strong',
'style','sub','summary','sup','table','tbody','td','template',
'textarea','tfoot','th','thead','time','tr','track','tt','u','ul','var',
'video','wbr',

// SVG
'svg','altglyph','altglyphdef','altglyphitem','animatecolor',
'animatemotion','animatetransform','circle','clippath','defs',
'desc','ellipse','font','g','glyph','glyphref','hkern','image',
'line','lineargradient','marker','mask','metadata',
'mpath','path','pattern','polygon','polyline','radialgradient',
'rect','stop','switch','symbol','text','textpath','title',
'tref','tspan','view','vkern',
'animatemotion','animatetransform','circle','clippath','defs','desc',
'ellipse','font','g','glyph','glyphref','hkern','image','line',
'lineargradient','marker','mask','metadata','mpath','path','pattern',
'polygon','polyline','radialgradient','rect','stop','switch','symbol',
'text','textpath','title','tref','tspan','view','vkern',

//MathML
'math','menclose','merror','mfenced','mfrac','mglyph','mi','mlabeledtr',
'mmuliscripts','mn','mo','mover','mpadded','mphantom','mroot','mrow',
'ms','mpspace','msqrt','mystyle','msub','msup','msubsup','mtable',
'mtd','mtext','mtr','munder','munderover'
'ms','mpspace','msqrt','mystyle','msub','msup','msubsup','mtable','mtd',
'mtext','mtr','munder','munderover'
];

/* decide if custom data attributes are okay */
/* Decide if custom data attributes are okay */
var ALLOW_DATA_ATTRIBUTES = true;

/* allowed attribute names */
/* Output should be safe for jQuery's $() factory? */
var SAFE_FOR_JQUERY = true;

/* Allowed attribute names */
var ALLOWED_ATTR = [

//HTML
'name', 'id','href','action','class','title',
'alt','src', 'type','height','width', 'method','rev','rel',
'accept','align','autocomplete','xmlns',
'bgcolor','border','checked','cite','color','cols',
'colspan','coords','datetime','default','dir',
'disabled','download','enctype','for','headers',
'hidden','high','hreflang','ismap','label','lang',
'list','loop', 'low','max','maxlength','media','min',
'multiple','novalidate','open','optimum','pattern',
'placeholder','poster','preload','pubdate','radiogroup',
'readonly','required','reversed','rows','rowspan',
'spellcheck','scope','selected','shape','size',
'span','srclang','start','step','style','summary',
'tabindex','usemap','value',
'name', 'id','href','action','class','title','alt','src', 'type',
'height','width', 'method','rev','rel','accept','align','autocomplete',
'xmlns','bgcolor','border','checked','cite','color','cols','colspan',
'coords','datetime','default','dir','disabled','download','enctype',
'for','headers','hidden','high','hreflang','ismap','label','lang',
'list','loop', 'low','max','maxlength','media','min','multiple',
'novalidate','open','optimum','pattern','placeholder','poster',
'preload','pubdate','radiogroup','readonly','required','reversed',
'rows','rowspan','spellcheck','scope','selected','shape','size','span',
'srclang','start','step','style','summary','tabindex','usemap','value',

//SVG
'wrap','clip','cx','cy',
'd','dy','dy','in','in2','k1','k2','k3','k4','mask','mode',
'opacity','order','overflow','path','points','radius',
'rx','ry','scale','stroke','stroke-width','transform',
'u1','u2','r','x','y','x1','viewbox',
'x2','y1','y2','z','fill',
'wrap','clip','cx','cy','d','dy','dy','in','in2','k1','k2','k3','k4',
'mask','mode','opacity','order','overflow','path','points','radius',
'rx','ry','scale','stroke','stroke-width','transform','u1','u2','r','x',
'y','x1','viewbox','x2','y1','y2','z','fill',

//MathML
'accent','accentunder','bevelled','close','columnsalign','columnlines',
Expand Down Expand Up @@ -109,6 +105,7 @@ DOMPurify.sanitize = function(a){
var _isClobbered = function(elm){
if((elm.children && !(elm.children instanceof HTMLCollection))
|| typeof elm.nodeName !== 'string'
|| typeof elm.textContent !== 'string'
|| typeof elm.nodeType !== 'number'
|| typeof elm.setAttribute !== 'function'
|| typeof elm.removeAttributeNode !== 'function'
Expand All @@ -124,6 +121,8 @@ DOMPurify.sanitize = function(a){
* @protect removeChild
* @protect nodeType
* @protect nodeName
* @protect children
* @protect textContent
* @protect currentNode
*
* @param node to check for permission to exist
Expand All @@ -136,6 +135,10 @@ DOMPurify.sanitize = function(a){
currentNode.parentNode.removeChild(currentNode);
return true;
}
if(SAFE_FOR_JQUERY && currentNode.children.length === 0){
currentNode.textContent
= currentNode.textContent.replace(/\/+>/g, '>');
}
return false;
}

Expand Down

0 comments on commit 9bbd560

Please sign in to comment.