From 51de741f7b76011d73a9d36874d6e5cfd3334773 Mon Sep 17 00:00:00 2001
From: Tom Anthony
Date: Mon, 25 Jan 2021 21:17:00 +0100
Subject: [PATCH] Update handling of quoteStart to prevent sanitization bypass using non-space whitespace.
---
 lib/parser.js | 2 +-
 test/test_custom_method.js | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/lib/parser.js b/lib/parser.js
index 787c304a..82c6a294 100644
--- a/lib/parser.js
+++ b/lib/parser.js
@@ -89,7 +89,7 @@ function parseTag(html, onTag, escapeHtml) {
 var i = 1;
 var ic = html.charAt(currentPos - i);
- while ((ic === " ") || (ic === "=")) {
+ while ((ic.trim() === "") || (ic === "=")) {
 if (ic === "=") {
 quoteStart = c;
 continue chariterator;
diff --git a/test/test_custom_method.js b/test/test_custom_method.js
index d92cfeab..56cc492e 100644
--- a/test/test_custom_method.js
+++ b/test/test_custom_method.js
@@ -360,7 +360,7 @@ describe("test custom XSS method", function() {
 );
 });
 
- it("#onTag - sanitize html parameter", function() {
+ it("#onTag - sanitize html parameter space", function() {
 var source = '">';
 var i = 0;
 var html = xss(source, {
@@ -374,4 +374,19 @@ describe("test custom XSS method", function() {
 debug(html);
 assert.equal(html, '<script>alert(2)</script>">');
 });
+
+ it("#onTag - sanitize html parameter tab", function() {
+ var source = '">';
+ var i = 0;
+ var html = xss(source, {
+ onTag: function(_, E, S) {
+ if (S.isWhite && "a" === _) {
+ if (S.isClosing) return "";
+ return "".concat(E, '');
+ }
+ }
+ });
+ debug(html);
+ assert.equal(html, '<script>alert(2)</script>">');
+ });
 });
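Review bot: `ic.trim() === ""` is also true when `ic` is the empty string, which `charAt` returns for an out-of-range index, so the walk-back in the new `while` condition keeps going where `ic === " "` used to stop; whether that can matter depends on the loop step after `continue chariterator;`, which lies outside the hunk, and on a `<` always sitting between index 0 and the quote. A guard such as `while (ic !== "" && (ic.trim() === "" || ic === "="))` makes termination independent of that assumption at no cost. The changed line would also benefit from a comment naming why `trim()` replaced the space compare, e.g. `// skip any whitespace a browser tolerates around "=", not only U+0020, so a quote preceded by e.g. a tab still sets quoteStart`. parseTag's body starts and ends outside the hunk.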
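Review bot: The new `it("#onTag - sanitize html parameter tab", …)` case exercises a single separator, while `trim()` in lib/parser.js also treats LF, CR, FF, VT and NBSP as whitespace; as rendered here the tab and space `source` strings read identically, so the markup that distinguishes them appears to have been lost in extraction. Iterating one `it` over an array of separators such as `["\t", "\n", "\r", "\f"]` and building `source` from each would pin the full set the fix is meant to cover rather than one instance. The enclosing `describe` starts outside the hunk.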