Some more fixes

commit b6ad038e9e2c71610a5f03dcc496a457890c232e 1 parent 545bab7
@eoftedal authored
Showing with 15 additions and 3 deletions.
  1. +9 −3 lib/helmet.js
  2. +6 −0 test/escaping-test.js
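--- a/lib/helmet.js
+++ b/lib/helmet.js
@@ -18,7 +18,7 @@ var helmet = {
 for (t in tags) {
 if (!tags[t].func) {
 tags[t].func = "unsafe";
-console.log("Unsafe location: " + tags[t].group);
+console.log("Unsafe location: " + tags[t].content);
 }
 augmented = augmented.replace(new RegExp(tags[t].key, "g"), '" + helmet.' + tags[t].func + '(' + tags[t].content + ') + "' );
 }
@@ -43,7 +43,7 @@ var helmet = {
 if (node.nodeValue.indexOf(tag.key) > -1) {
 if (helmet.isScriptTag(node.nodeName) || helmet.isScriptTag(node.parentNode.nodeName)) {
 tag.func = helmet.checkJS(node.nodeValue, tag);
-} else if (helmet.isStyle(node.nodeName) || helmet.isStyle(node.parentNode.nodeName)) {
+} else if (helmet.isUnsafeTagContent(node.nodeName) || helmet.isUnsafeTagContent(node.parentNode.nodeName)) {
 tag.func = null; //unsafe
 } else {
 tag.func = "escapeHtml";
@@ -57,7 +57,7 @@ var helmet = {
 if (attr.nodeValue.indexOf(tag.key) > -1) {
 if (helmet.isUri(attr.nodeName)) {
 tag.func = "escapeUri";
-} else if (helmet.isStyle(attr.nodeName)) {
+} else if (helmet.isUnsafeAttribute(attr.nodeName)) {
 tag.func = null; //unsafe
 } else if (helmet.isEventHandler(attr.nodeName)) {
 tag.func = helmet.checkJS(attr.nodeValue, tag);
@@ -128,6 +128,12 @@ var helmet = {
 "isUri": function(name) {
 return (/(href|src|formaction|action)/i).test(name);
 },
+"isUnsafeTagContent": function(name) {
+return helmet.isStyle(name) || (/iframe/i).test(name);
+},
+"isUnsafeAttribute": function(name) {
+return helmet.isStyle(name) || (/srcdoc/i).test(name);
+},
 "isStyle": function(name) {
 return (/style/i).test(name);
 },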
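Review bot: The new `srcdoc` branch in the third hunk is unreachable, because `isUri` is consulted first and its regex `/(href|src|formaction|action)/i` is unanchored, so the attribute name `srcdoc` matches `src`, is classified as a URI and is passed through `escapeUri` rather than being rejected as unsafe. Either test the unsafe attribute before the URI check, `if (helmet.isUnsafeAttribute(attr.nodeName)) { tag.func = null; //unsafe } else if (helmet.isUri(attr.nodeName)) { tag.func = "escapeUri"; }`, or anchor the URI regex so only whole attribute names match (anchoring may change which other attributes are treated as URIs, so the reorder is the smaller change). The added test only covers the `<iframe>` content case; a `srcdoc` attribute case in test/escaping-test.js would have exposed this. The substring matches in `isUnsafeTagContent` (`/iframe/i`) and `isUnsafeAttribute` (`/srcdoc/i`) follow the file's existing style and look acceptable for DOM node names, but a short comment such as `// substring match on nodeName, consistent with isStyle/isUri` would make the intent explicit. The enclosing `helmet` object literal starts and ends outside these hunks.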
6 test/escaping-test.js
@@ -128,6 +128,12 @@ describe("Helmet", function() {
var out = compiled.render({ "data" : "a" });
expect(out).toEqual("<unsafe-location>");
});
+ it("should refuse escaped output in iframe", function() {
+ var template = "<iframe><<%= data %>>";
+ var compiled = helmet.compile(template);
+ var out = compiled.render({ "data" : "a" });
+ expect(out).toEqual("<iframe><unsafe-location>");
+ });
it("should passthrough for <%- %>", function() {