
Fixing slashes

eoftedal committed Nov 7, 2012
1 parent 402764d commit 55fcc6d1d57c63b35d1bb90d9fcbc83470a7cc5f
Showing with 17 additions and 5 deletions.
  1. +11 −5 lib/helmet.js
  2. +6 −0 test/escaping-test.js
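--- a/lib/helmet.js
+++ b/lib/helmet.js
@@ -12,7 +12,7 @@ var helmet = {
 for (t in tags) {
 helmet.detect(d, tags[t]);
 }
-augmented = augmented.replace(/"/g, '\\"').replace(/(\r\n|\r|\n)/g, "\\n");
+augmented = augmented.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/(\r\n|\r|\n)/g, "\\n");
 for (t in tags) {
 if (!tags[t].func) {
 tags[t].func = "unsafe";
@@ -120,10 +120,16 @@ var helmet = {
 var ix = attrValue.indexOf(tag.key);
 for (var i = 0; i < ix; i++) {
 if (attrValue[i] === "'" || attrValue[i] === '"') {
-if (attrValue[i] === inString) {
-inString = false;
-} else if(!inString) {
-inString = attrValue[i];
+var j = i - 1;
+while (j >= 0 && attrValue[j] === '\\'){
+j--;
+}
+if (((i - j)%2) === 1) {
+if (attrValue[i] === inString) {
+inString = false;
+} else if(!inString) {
+inString = attrValue[i];
+}
 }
 }
 }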
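Review bot: The parity test `if (((i - j)%2) === 1) {` in the second hunk is correct but reads as a magic expression, and a one-line comment would spare the next reader the derivation, e.g. `// j stops at the first non-backslash, so i - j - 1 backslashes precede this quote; an even count leaves it unescaped`. The backslash walk also runs while the scanner is outside a string (inString is false), so a `\` immediately before an opening quote suppresses the string start; that is probably harmless in valid script but worth stating in the comment if it is intended. Minor style: `while (...){` and `else if(!inString)` lack the spacing the surrounding lines use, and `var j` inside the loop is function-scoped rather than per-iteration. The enclosing helmet object and the function this loop belongs to start outside the hunk.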
@@ -91,6 +91,12 @@ describe("Helmet", function() {
var out = compiled.render({ "data" : "a'x" });
expect(out).toEqual("<div><script>var a = /* unsafe-location */</script></div>");
});
+ it("should refuse javascript if inside script-tag", function() {
+ var template = "<div><script>var a = '\\\''<%= data %></script></div>";
+ var compiled = helmet.compile(template);
+ var out = compiled.render({ "data" : "a'x" });
+ expect(out).toEqual("<div><script>var a = '\\\''/* unsafe-location */</script></div>");
+ });
it("should passthrough for <%- %>", function() {
