From 3e17c34fde5b382c8b91f95672d368a56e8e52f8 Mon Sep 17 00:00:00 2001
From: Dan MacTough <danmactough@gmail.com>
Date: Mon, 16 Sep 2013 22:43:06 -0400
Subject: [PATCH] Change stripUnsafeTags to repeatedly strip up to [max] number
 of times to try to catch maliciously nested tags.

---
 resanitize.js | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/resanitize.js b/resanitize.js
index 7ae70e8..ce7ebeb 100644
--- a/resanitize.js
+++ b/resanitize.js
@@ -182,19 +182,30 @@ function stripUnsafeAttrs (str) {
 module.exports.stripUnsafeAttrs = stripUnsafeAttrs;
 
 function stripUnsafeTags (str) {
-  return str.replace(/<form[^>]*?>[\s\S]*?<\/form>/gi, '')
-            .replace(/<input[^>]*?>[\s\S]*?<\/input>/gi, '')
-            .replace(/<\/?(?:form|input|font|blink)[^>]*?>/gi, '')
-            // These are XSS/security risks
-            .replace(/<script[^>]*?>[\s\S]*?<\/script>/gi, '')
-            .replace(/<style[^>]*?>[\s\S]*?<\/style>/gi, '') // shouldn't work anyway...
-            .replace(/<comment[^>]*?>[\s\S]*?<\/comment>/gi, '')
-            .replace(/<plaintext[^>]*?>[\s\S]*?<\/plaintext>/gi, '')
-            .replace(/<xmp[^>]*?>[\s\S]*?<\/xmp>/gi, '')
-            .replace(/<\/?(?:link|listing|meta|body|frame|frameset)[^>]*?>/gi, '')
-            // Delete iframes, except those inserted by Google in lieu of video embeds
-            .replace(/<iframe(?![^>]*?src=("|')\S+?reader.googleusercontent.com\/reader\/embediframe.+?\1)[^>]*?>[\s\S]*?<\/iframe>/gi, '')
-            ;
+  var el = /<(?:form|input|font|blink|script|style|comment|plaintext|xmp|link|listing|meta|body|frame|frameset)\b/;
+  var ct = 0, max = 10;
+
+  // We'll repeatedly try to strip any maliciously nested elements up to [max] times
+  while (el.test(str) && ct++ < max) {
+    str = str.replace(/<form[^>]*?>[\s\S]*?<\/form>/gi, '')
+             .replace(/<input[^>]*?>[\s\S]*?<\/input>/gi, '')
+             .replace(/<\/?(?:form|input|font|blink)[^>]*?>/gi, '')
+             // These are XSS/security risks
+             .replace(/<script[^>]*?>[\s\S]*?<\/script>/gi, '')
+             .replace(/<style[^>]*?>[\s\S]*?<\/style>/gi, '') // shouldn't work anyway...
+             .replace(/<comment[^>]*?>[\s\S]*?<\/comment>/gi, '')
+             .replace(/<plaintext[^>]*?>[\s\S]*?<\/plaintext>/gi, '')
+             .replace(/<xmp[^>]*?>[\s\S]*?<\/xmp>/gi, '')
+             .replace(/<\/?(?:link|listing|meta|body|frame|frameset)[^>]*?>/gi, '')
+             // Delete iframes, except those inserted by Google in lieu of video embeds
+             .replace(/<iframe(?![^>]*?src=("|')\S+?reader.googleusercontent.com\/reader\/embediframe.+?\1)[^>]*?>[\s\S]*?<\/iframe>/gi, '')
+             ;
+  }
+  if (el.test(str)) {
+    // We couldn't safely strip the HTML, so we return an empty string
+    return '';
+  }
+  return str;
 }
 module.exports.stripUnsafeTags = stripUnsafeTags;