
fix cssFilter, allow pass css=false to disable cssFilter

1 parent ebd1259 commit 857fa9de67b1fbb04051e88f8a3f16f6162d9a12 @leizongmin committed Nov 6, 2016
Showing with 42 additions and 6 deletions.
  1. +8 −0 README.md
  2. +8 −0 README.zh.md
  3. +6 −3 lib/default.js
  4. +7 −3 lib/xss.js
  5. +13 −0 test/test_custom_method.js
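--- a/README.md
+++ b/README.md
@@ -301,6 +301,14 @@ myxss = new xss.FilterXSS({
 html = myxss.process('<script>alert("xss");</script>');
 ```
+If you don't want to filter out the `style` content, just specify `false` to the `css` option:
+
+```javascript
+myxss = new xss.FilterXSS({
+ css: false,
+});
+```
+
 For more help, please see https://github.com/leizongmin/js-css-filter
 ### Quick Start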
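--- a/README.zh.md
+++ b/README.zh.md
@@ -296,6 +296,14 @@ myxss = new xss.FilterXSS({
 html = myxss.process('<script>alert("xss");</script>');
 ```
+如果不想使用 CSS 过滤器来处理 `style` 属性的内容,可指定 `css` 选项的值为 `false`
+
+```javascript
+myxss = new xss.FilterXSS({
+ css: false,
+});
+```
+
 要获取更多的帮助信息可看这里:https://github.com/leizongmin/js-css-filter
 ### 快捷配置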
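--- a/lib/default.js
+++ b/lib/default.js
@@ -5,6 +5,7 @@
 */
 var FilterCSS = require('cssfilter').FilterCSS;
+var getDefaultCSSWhiteList = require('cssfilter').getDefaultWhiteList;
 var _ = require('./util');
 // 默认白名单
@@ -146,7 +147,6 @@ function escapeHtml (html) {
 * @return {String}
 */
 function safeAttrValue (tag, name, value, cssFilter) {
- cssFilter = cssFilter || defaultCSSFilter;
 // 转换为友好的属性值,再做判断
 value = friendlyAttrValue(value);
@@ -188,7 +188,10 @@ function safeAttrValue (tag, name, value, cssFilter) {
 return '';
 }
 }
- value = cssFilter.process(value);
+ if (cssFilter !== false) {
+ cssFilter = cssFilter || defaultCSSFilter;
+ value = cssFilter.process(value);
+ }
 }
 // 输出时需要转义<>"
@@ -407,4 +410,4 @@ exports.StripTagBody = StripTagBody;
 exports.stripCommentTag = stripCommentTag;
 exports.stripBlankChar = stripBlankChar;
 exports.cssFilter = defaultCSSFilter;
-
+exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;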
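Review bot: In the `@@ -188,7 +188,10 @@` hunk the `style` value now bypasses `cssFilter.process` entirely when `cssFilter === false`, so the only processing left before output is the `<>"` escaping named by the comment on the following line; every property or value the CSS filter would otherwise have rejected is emitted verbatim, and that consequence is not stated anywhere in the code. The JSDoc for `safeAttrValue` sits above the `@@ -146,7 +147,6 @@` hunk (only `@return {String}` is visible), so its `cssFilter` parameter entry should be updated to `@param {Object|Boolean} cssFilter - CSS filter instance; false skips CSS filtering and the style value is only HTML-escaped`. A one-line why-comment on the new `if`, such as `// css=false: caller opted out of CSS filtering, value is escaped only`, would make the intent clear to the next reader. The body of `safeAttrValue` starts and ends outside the hunks, so I cannot see whether earlier checks in the `style` branch still apply when the filter is disabled.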
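--- a/lib/xss.js
+++ b/lib/xss.js
@@ -54,7 +54,7 @@ function getAttrs (html) {
 * 选项:whiteList, onTag, onTagAttr, onIgnoreTag,
 * onIgnoreTagAttr, safeAttrValue, escapeHtml
 * stripIgnoreTagBody, allowCommentTag, stripBlankChar
- * css{whiteList, onAttr, onIgnoreAttr}
+ * css{whiteList, onAttr, onIgnoreAttr} css=false表示禁用cssfilter
 */
 function FilterXSS (options) {
 options = options || {};
@@ -73,10 +73,14 @@ function FilterXSS (options) {
 options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
 options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
 options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
- options.css = options.css || {};
 this.options = options;
- this.cssFilter = new FilterCSS(options.css);
+ if (options.css === false) {
+ this.cssFilter = false;
+ } else {
+ options.css = options.css || {};
+ this.cssFilter = new FilterCSS(options.css);
+ }
 }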
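Review bot: The option list in the constructor JSDoc (`@@ -54,7 +54,7 @@`) now describes the new `css=false` mode only in Chinese, appended to an otherwise symbolic English-style line; suggest `* css{whiteList, onAttr, onIgnoreAttr}; css=false disables the CSS filter (style values are then only HTML-escaped)` so readers of either README find the same contract in the code. In the second hunk `this.cssFilter = false` is presumably what later gets forwarded as the fourth argument of `options.safeAttrValue`, so a user-supplied `safeAttrValue` must now cope with receiving `false` there — that is a contract change for the `safeAttrValue` option and belongs in the same doc comment. The `FilterXSS` constructor is split across the two hunks, with the lines between them outside my view.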
/**
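--- a/test/test_custom_method.js
+++ b/test/test_custom_method.js
@@ -323,4 +323,17 @@ describe('test custom XSS method', function () {
 assert.equal(html, 'ooxx');
 });
+ it('cssFilter', function () {
+ var whiteList = xss.getDefaultWhiteList();
+ whiteList.div.push('style');
+ assert.equal(xss('<div style="width: 50%; vertical-align: top;">hello</div>', { whiteList: whiteList }),
+ '<div style="width:50%;">hello</div>');
+ assert.equal(xss('<div style="width: 50%; vertical-align: top;">hello</div>', { whiteList: whiteList, css: false }),
+ '<div style="width: 50%; vertical-align: top;">hello</div>');
+ var css = { whiteList: xss.getDefaultCSSWhiteList() };
+ css.whiteList['vertical-align'] = true;
+ assert.equal(xss('<div style="width: 50%; vertical-align: top;">hello</div>', { whiteList: whiteList, css: css }),
+ '<div style="width:50%; vertical-align:top;">hello</div>');
+ });
+
 });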
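Review bot: The new test only checks that `css: false` leaves a benign style value untouched; it does not assert the one protection that remains in that mode, namely that a style value containing `<`, `>` or `"` is still HTML-escaped on output, so a regression there would go unnoticed. Worth adding a third `assert.equal` with such a value and `css: false`, alongside the existing two. The test also mutates the objects returned by `xss.getDefaultWhiteList()` and `xss.getDefaultCSSWhiteList()` (`whiteList.div.push('style')`, `css.whiteList['vertical-align'] = true`); this is only safe if both helpers return a fresh copy each call, which I cannot confirm from the hunk — if either returns a shared object the mutation leaks into later tests. The enclosing `describe` block starts outside the hunk.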

