'href' tag is getting blanked on parse if there's no protocol #118

Closed
Nfinished opened this issue Nov 16, 2017 · 4 comments


When href is whitelisted for anchor tags, I see the following behavior.

<a href="https://www.google.com">google</a>
resolves to
<a href="https://www.google.com">google</a>

but

<a href="www.google.com">google</a>
resolves to
<a href>google</a>

Is this a bug or a feature? My config options are below.

{
  whiteList: {
    a: ['href', 'target'],
    span: ['class']
  }
}

deyhle commented Dec 14, 2017

Also, relative href targets starting with ./ seem to be filtered out. Is this really necessary and how can it be configured?


Nfinished commented Dec 19, 2017

Hey @deyhle, it looks like the functionality for custom attribute filters is actually there, it's just not documented well. The relevant docs can be found here: https://github.com/Nfinished/js-xss#customize-the-handler-function-for-attributes-not-in-the-whitelist

Note that you'll need to make sure the attribute you're filtering for isn't in the whitelist, or your custom function won't fire. I've included my config with custom href filtering below for reference.

const xss = require('xss');

function sanitize(text) {
  return xss(text, {
    whiteList: {
      a: ['target'],      // 'href' deliberately left out so onIgnoreTagAttr fires for it
      span: ['class']
    },
    onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
      if (tag == 'a') {
        if (name == 'href') {
          // Because href is not whitelisted, default.safeAttrValue is not applied:
          // the value is emitted as-is, without scheme checks or quote escaping.
          if (value.substr(0, 3) == 'www') return `${name}="http://${value}"`
          else return `${name}="${value}"`
        }
      }
    }
  })
}

Let me know if you have any questions!


deyhle commented Dec 20, 2017

Thank you! It clearly can be fixed with a custom filter function.
However, I still wonder if it is really necessary to disallow relative href targets in the first place. I tried to find out how/why it is done in the code, but that's really difficult because all the comments are not in English. It would be great if the person who decided to filter href targets (probably @leizongmin) could elaborate on this decision.

leizongmin (Owner) commented

@deyhle the href attribute is filtered by the default.safeAttrValue function, see here: https://github.com/leizongmin/js-xss/blob/master/lib/default.js#L153

I will translate all the comments to English soon. Thank you for your support.
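As an added example (not code from js-xss or from anyone in this thread), here is a custom href policy for the onIgnoreTagAttr hook that keeps the relative and scheme-less links discussed above while still refusing script-bearing and unknown schemes, which is what the default safeAttrValue exists to block. It assumes 'href' is left out of the a-tag whitelist so the hook fires, and that a bare host should get an https scheme.

```javascript
// Added example; not code from js-xss or from the thread's authors.
// Keeps same-origin relative links and scheme-less hosts, drops everything
// whose scheme is not explicitly allowed, and escapes the emitted value.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Returns the href value to emit, or null when the attribute must be dropped.
function safeHref(raw) {
  const trimmed = String(raw).trim();
  // Browsers ignore ASCII control characters inside a scheme ("java\tscript:"),
  // so strip them before deciding what the scheme is.
  const probe = trimmed.replace(/[\x00-\x20\x7f]/g, '');
  if (probe === '') return null;
  // "#frag", "/path" (but not "//host"), "./rel", "../rel": same-origin targets.
  if (/^(#|\/(?!\/)|\.{1,2}\/)/.test(probe)) return trimmed;
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (scheme) return ALLOWED_SCHEMES.has(scheme[1].toLowerCase()) ? trimmed : null;
  if (probe.startsWith('//')) return null; // protocol-relative: treat as unknown
  // Bare host such as "www.google.com": assumption here is to prefix https.
  return 'https://' + trimmed;
}

// Attribute-value escaping for the name="value" string that js-xss splices
// into its output verbatim.
function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// onIgnoreTagAttr hook: returning undefined tells js-xss to drop the attribute.
function hrefHandler(tag, name, value /*, isWhiteAttr */) {
  if (tag !== 'a' || name !== 'href') return undefined;
  const safe = safeHref(value);
  return safe === null ? undefined : `href="${escapeAttr(safe)}"`;
}

// Drop-in options object: xss(html, xssOptions)
const xssOptions = {
  whiteList: { a: ['target'], span: ['class'] }, // no 'href' here on purpose
  onIgnoreTagAttr: hrefHandler,
};
```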


3 participants