增加新的选项 allowCommentTag 来设置是否允许HTML备注标签,默认false

commit a420d251f163f42f4646a52444c1fa3c420ff042 1 parent 9ce6bc5
@leizongmin authored
Showing with 22 additions and 4 deletions.
  1. +13 −1 lib/default.js
  2. +6 −1 lib/xss.js
  3. +3 −2 test/test_xss.js
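--- a/lib/default.js
+++ b/lib/default.js
@@ -338,7 +338,18 @@ function StripTagBody (tags, next) {
 return rethtml;
 }
 };
-};
+}
+
+/**
+ * 去除备注标签
+ *
+ * @param {String} html
+ * @return {String}
+ */
+function stripCommentTag (html) {
+ return html.replace(STRIP_COMMENT_TAG_REGEXP, '');
+}
+var STRIP_COMMENT_TAG_REGEXP = /<!--(.|\s)*?-->/gm;
 exports.whiteList = whiteList;
@@ -357,3 +368,4 @@ exports.friendlyAttrValue = friendlyAttrValue;
 exports.escapeAttrValue = escapeAttrValue;
 exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
 exports.StripTagBody = StripTagBody;
+exports.stripCommentTag = stripCommentTag;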
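Review bot: The `(.|\s)*?` group in `STRIP_COMMENT_TAG_REGEXP` is open to catastrophic backtracking, because `.` and `\s` both match a space, so an unterminated comment such as `'<!--' + ' '.repeat(40)` makes the engine try roughly 2^n paths before the match fails — a remote denial of service in a function whose whole purpose is to run over untrusted input. A single character class has exactly one way to consume each character and removes the blow-up: `var STRIP_COMMENT_TAG_REGEXP = /<!--[\s\S]*?-->/g;` (the `m` flag is dropped too, since the pattern has no `^`/`$` anchors for it to affect). The `var` is assigned after `stripCommentTag` is declared, which works at module scope only because nothing calls the function before this line runs; placing the constant above the function would make that obvious, and an English header would help readers: `/** Remove HTML comments (<!-- ... -->) from html; an unterminated <!-- is left untouched. */`. The first hunk's removed `};` belongs to StripTagBody, whose body starts outside the hunk.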
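--- a/lib/xss.js
+++ b/lib/xss.js
@@ -50,7 +50,7 @@ function getAttrs (html) {
 *
 * @param {Object} options 选项:whiteList, onTag, onTagAttr, onIgnoreTag,
 * onIgnoreTagAttr, safeAttrValue, escapeHtml
- * stripIgnoreTagBody
+ * stripIgnoreTagBody, allowCommentTag
 */
 function FilterXSS (options) {
 options = options || {};
@@ -89,6 +89,11 @@ FilterXSS.prototype.process = function (html) {
 var safeAttrValue = options.safeAttrValue;
 var escapeHtml = options.escapeHtml
+ // 是否禁止备注标签
+ if (!options.allowCommentTag) {
+ html = DEFAULT.stripCommentTag(html);
+ }
+
 // 如果开启了stripIgnoreTagBody
 if (options.stripIgnoreTagBody) {
 var stripIgnoreTagBody = DEFAULT.StripTagBody(options.stripIgnoreTagBody, onIgnoreTag);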
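Review bot: The JSDoc change only appends the name `allowCommentTag` to the option list; its default and the fact that the new `if (!options.allowCommentTag)` block changes what every existing caller gets should be stated, since stripping is now on unless opted out. Removing comments before tokenising is the right order — a tag split by a comment (`<scr<!---->ipt>`) is reassembled first and then still goes through the whitelist instead of slipping past it — but only a literal `-->` terminates a comment here, so an unterminated `<!--`, or one closed with the HTML5 `--!>` form, reaches the tokeniser and is presumably escaped as unknown markup rather than dropped (the previous expectation in test_xss.js shows `&lt;!--` for exactly that path). A suggested line for the option list: ` * allowCommentTag: keep <!-- ... --> blocks (default false: they are removed before tag parsing; an unterminated comment is left for the parser to escape)`. `process` continues beyond the hunk.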
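--- a/test/test_xss.js
+++ b/test/test_xss.js
@@ -163,8 +163,9 @@ describe('test XSS', function () {
 // 这个暂时不知道怎么处理
 //assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');
-assert.equal(xss('<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]-->'),
-'&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert(\'XSS\');&lt;/SCRIPT&gt;&lt;![endif]--&gt;');
+assert.equal(xss('<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]--> END', {allowCommentTag: true}),
+'&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert(\'XSS\');&lt;/SCRIPT&gt;&lt;![endif]--&gt; END');
+assert.equal(xss('<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]--> END'), ' END');
 // HTML5新增实体编码 冒号&colon; 换行&NewLine;
 assert.equal(xss('<a href="javascript&colon;alert(/xss/)">'), '<a href>');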
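Review bot: The new assertions exercise only one well-formed, single-line comment, so the cases a sanitizer is judged on — a comment that splices a tag back together, one spanning lines, and one that never closes — are untested. Given the escaping shown in the surviving expectation, these would pin the intended behaviour: `assert.equal(xss('<scr<!---->ipt>alert(1)</script>'), '&lt;script&gt;alert(1)&lt;/script&gt;');`, `assert.equal(xss('a<!--\n<b>x</b>\n-->b'), 'ab');`, and `assert.equal(xss('a<!-- open <b>x</b>'), 'a&lt;!-- open <b>x</b>');` (the last value assumes `b` is whitelisted and a dangling `<!--` is escaped as text — confirm against the parser before committing). A regression guard against the regex hanging on `'<!--' + ' '.repeat(40)` would also be worth a dedicated test with a short timeout. The describe block starts and ends outside the hunk.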