Style attribute on anchor tag throws an exception instead of error #36
Comments
Steps to reproduce:

```js
var xss = require('xss')
var html = "<a href='https://foo.bar/' style='color: #0095dd; text-decoration: none;'>Whatever text</a>"
var options = {
  whiteList: {
    a: ['href', 'style']
  },
  onTagAttr: function (tag, name, value, isWhiteAttr) {
    // safeAttrValue is called here without a cssFilter argument, which is what throws
    if (isWhiteAttr && xss.safeAttrValue(tag, name, value) === '') {
      console.log('INVALID VALUE FOR ATTRIBUTE <%s %s="%s">', tag, name, value)
      return ''
    }
  }
}
var myxss = new xss.FilterXSS(options)
console.log(myxss.process(html))
```

Output:

Looks like the error is coming from /lib/default.js:183.
Potential workaround is to explicitly specify a cssFilter: `xss.safeAttrValue(tag, name, value, myxss.cssFilter)`

Semi-related, we can do CSS attribute filtering by passing a `css` whitelist:

```js
var xss = require('xss')
var options = {
  whiteList: {
    a: ['href', 'style']
  },
  onTagAttr: function (tag, name, value, isWhiteAttr) {
    // myxss is only dereferenced at process() time, after it has been assigned below
    var attrValue = xss.safeAttrValue(tag, name, value, myxss.cssFilter)
    // check the filtered value, not the raw one: an empty result means nothing safe was left
    if (isWhiteAttr && attrValue === '') {
      console.log('INVALID VALUE FOR ATTRIBUTE <%s %s="%s">', tag, name, value)
      return ''
    }
  },
  css: {
    whiteList: {
      'color': true,
      'text-decoration': true
    }
  }
}
var myxss = new xss.FilterXSS(options)
```

This module is awesome!
So I think the fix for this is to check if

```js
var FilterCSS = require('cssfilter').FilterCSS;
...
function safeAttrValue (tag, name, value, cssFilter) {
  // fall back to a default filter when the caller did not pass one
  cssFilter = cssFilter || new FilterCSS();
  // convert to a friendly attribute value, then check it
  value = friendlyAttrValue(value);
  ...
```

…ned then use a default cssFilter
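As an added example, not code from the xss or cssfilter packages: a stand-alone model of the workaround above and of the fix just described (safeAttrValue falling back to a default cssFilter), using a CSS whitelist of the same shape as the one in this thread. The names makeCssFilter, DEFAULT_CSS_WHITELIST and myCssFilter, and the simplified whitelist semantics, are assumptions of this model.

```javascript
// Added example, not code from the xss or cssfilter packages: a stand-alone model of
// the two points this thread turns on, namely safeAttrValue needing a cssFilter and a
// CSS whitelist deciding which style declarations survive. It mirrors the libraries'
// whitelist semantics in simplified form so it runs without either package installed.

// Build a filter that keeps only declarations whose property name is whitelisted.
function makeCssFilter(whiteList) {
  return {
    process: function (style) {
      var kept = [];
      style.split(';').forEach(function (decl) {
        var idx = decl.indexOf(':');
        if (idx === -1) return;                        // not "name: value", drop it
        var name = decl.slice(0, idx).trim().toLowerCase();
        var val = decl.slice(idx + 1).trim();
        if (name && val && whiteList[name] === true) kept.push(name + ':' + val + ';');
      });
      return kept.join(' ');
    }
  };
}

// Assumed default whitelist for the no-filter case (the real default list is larger).
var DEFAULT_CSS_WHITELIST = { 'color': true, 'font-size': true };

// Model of the fixed safeAttrValue: fall back to a default filter when none is passed,
// instead of calling .process on undefined, which is the exception reported above.
function safeAttrValue(tag, name, value, cssFilter) {
  cssFilter = cssFilter || makeCssFilter(DEFAULT_CSS_WHITELIST);
  if (name === 'style') return cssFilter.process(value);
  return value;   // other attributes pass through untouched in this model
}

// The workaround from the thread: the filter is built from the same css.whiteList option
// and passed explicitly, and the attribute is dropped when nothing safe is left.
var options = { css: { whiteList: { 'color': true, 'text-decoration': true } } };
var myCssFilter = makeCssFilter(options.css.whiteList);

function onTagAttr(tag, name, value, isWhiteAttr) {
  var attrValue = safeAttrValue(tag, name, value, myCssFilter);
  if (isWhiteAttr && attrValue === '') return '';   // '' removes the attribute
  // returning nothing hands the attribute to the default handling
}

// constructed input: two whitelisted declarations plus one (position) that is not
console.log(myCssFilter.process('color: #0095dd; text-decoration: none; position: fixed'));
```

The call at the end keeps `color` and `text-decoration` and drops `position`, while a style made only of non-whitelisted declarations makes onTagAttr return '' and so removes the attribute.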
@leizongmin Thank you so much!! That was fast!
Steps to reproduce:

and override the onTagAttr, like so:

run this over an HTML file with contents:

```html
<a href='' style='color: #0095dd; text-decoration: none;'>Whatever text</a>
```

Expected Behaviour:

Actual Behaviour:

```
Warning: Cannot call method 'process' of undefined Use --force to continue.
```
@pdehaan