Skip to content
This repository has been archived by the owner on Jul 15, 2019. It is now read-only.

Home

Jump to bottom
adon edited this page Jul 28, 2015 · 13 revisions

xss-filters API

For all the examples below, we use {{{ }}} to indicate output expression to ease illustrations

inHTMLComment(s) → {string}

Parameters:
Name Type Description
s string

An untrusted user input
Returns:

All NULL characters in s are first replaced with \uFFFD. If s contains -->, --!>, or starts with -*>, insert a space right before > to stop state breaking at <!--{{{yc s}}}. If s ends with --!, --, or -, append a space to stop collaborative state breaking at {{{yc s}}}>, {{{yc s}}}!>, {{{yc s}}}-!>, {{{yc s}}}->. If s contains ]> or ends with ], append a space after ] is verified in IE to stop IE conditional comments.

Type
string
Example
// output context to be applied by this filter.
<!-- {{{inHTMLComment html_comment}}} -->

inHTMLData(s) → {string}

This filter is to be placed in HTML Data context to encode all '<' characters into '&lt;'

Parameters:
Name Type Description
s string

An untrusted user input
Returns:

The string s with '<' encoded as '&lt;'

Type
string
Example
// output context to be applied by this filter.
<div>{{{inHTMLData htmlData}}}</div>

inDoubleQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URI/components, use the more specific uri___InDoubleQuotedAttr filter

This filter is to be placed in HTML Attribute Value (double-quoted) state to encode all single-quote characters into '&"'
Parameters:
Name Type Description
s string

An untrusted user input
Returns:

The string s with any single-quote characters encoded into '&"'.

Type
string
Example
// output context to be applied by this filter.
<input name="firstname" value="{{{inDoubleQuotedAttr firstname}}}" />

inSingleQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URI/components, use the more specific uri___InSingleQuotedAttr filter

This filter is to be placed in HTML Attribute Value (single-quoted) state to encode all single-quote characters into '&''
Parameters:
Name Type Description
s string

An untrusted user input
Returns:

The string s with any single-quote characters encoded into '&'.

Type
string
Example
// output context to be applied by this filter.
<input name='firstname' value='{{{inSingleQuotedAttr firstname}}}' />

inUnQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URI/components, use the more specific uri___InUnQuotedAttr filter

Regarding \uFFFD injection, given <input id={{{id}}} name="passwd">,
Rationale 1: When id is empty, there remains only one attribute, where id=' name="passwd"' according to the HTML 5 specification. But we believe this is not what the developers expect.
Rationale 2: In IE 6 or up, NULL chars are stripped before parsing.
Rationale 3: Given an empty or null inputs (for IE), the subsequent contexts would be altered as discussed. We thus mitigate this replacing empty and nulls with \uFFFD, so that they won't mess up later contexts.

   Reference: https://html.spec.whatwg.org/multipage/syntax.html#attribute-value-(unquoted)-state</p>
Parameters:
Name Type Description
s string

An untrusted user input
Returns:

If s contains any state breaking chars (\t, \n, \v, \f, \r, space, null, ', ", `, <, >, and =), they are escaped and encoded into their equivalent HTML entity representations. If the string is empty, inject a \uFFFD character.

Type
string
Example
// output context to be applied by this filter.
<input name="firstname" value={{{inUnQuotedAttr firstname}}} />

uriInHTMLComment(s) → {string}

This filter is to be placed in HTML Comment state for an absolute URI.

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded by window.encodeURI(), and finally inHTMLComment()

Type
string
Example
// output context to be applied by this filter.
<!-- {{{uriInHTMLComment full_uri}}} -->

uriInHTMLData(s) → {string}

This filter is to be placed in HTML Data state for an absolute URI.

Notice: The actual implementation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURI().

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded by window.encodeURI() and then inHTMLData()

Type
string
Example
// output context to be applied by this filter.
<a href="/somewhere">{{{uriInHTMLData full_uri}}}</a>

uriInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for an absolute URI.
The correct order of encoders is thus: first window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded first by window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href="{{{uriInDoubleQuotedAttr full_uri}}}">link</a>

uriInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for an absolute URI.
The correct order of encoders is thus: first window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded first by window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href='{{{uriInSingleQuotedAttr full_uri}}}'>link</a>

uriInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for an absolute URI.
The correct order of encoders is thus: first the built-in encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded first by window.encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href={{{uriInUnQuotedAttr full_uri}}}>link</a>

uriPathInHTMLComment(s) → {string}

This filter is to be placed in HTML Comment state for a URI Path/Query or relative URI.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded by window.encodeURI(), and finally inHTMLComment()

Type
string
Example
// output context to be applied by this filter.
<!-- http://example.com/{{{uriPathInHTMLComment uri_path}}} -->
<!-- http://example.com/?{{{uriQueryInHTMLComment uri_query}}} -->

uriPathInHTMLData(s) → {string}

This filter is to be placed in HTML Data state for a URI Path/Query or relative URI.

Notice: The actual implementation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURI().

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded by window.encodeURI() and then inHTMLData()

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/">http://example.com/{{{uriPathInHTMLData uri_path}}}</a>
<a href="http://example.com/">http://example.com/?{{{uriQueryInHTMLData uri_query}}}</a>

uriPathInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded first by window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/{{{uriPathInDoubleQuotedAttr uri_path}}}">link</a>
<a href="http://example.com/?{{{uriQueryInDoubleQuotedAttr uri_query}}}">link</a>

uriPathInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded first by window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href='http://example.com/{{{uriPathInSingleQuotedAttr uri_path}}}'>link</a>
<a href='http://example.com/?{{{uriQueryInSingleQuotedAttr uri_query}}}'>link</a>

uriPathInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first the built-in encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded first by window.encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href=http://example.com/{{{uriPathInUnQuotedAttr uri_path}}}>link</a>
<a href=http://example.com/?{{{uriQueryInUnQuotedAttr uri_query}}}>link</a>

uriQueryInHTMLComment(s) → {string}

This is an alias of uriPathInHTMLComment

uriQueryInHTMLData(s) → {string}

This is an alias of uriPathInHTMLData

uriQueryInDoubleQuotedAttr(s) → {string}

This is an alias of uriPathInDoubleQuotedAttr

uriQueryInSingleQuotedAttr(s) → {string}

This is an alias of uriPathInSingleQuotedAttr

uriQueryInUnQuotedAttr(s) → {string}

This is an alias of uriPathInUnQuotedAttr

uriComponentInHTMLComment(s) → {string}

This filter is to be placed in HTML Comment state for a URI Component.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded by window.encodeURIComponent(), and finally inHTMLComment()

Type
string
Example
// output context to be applied by this filter.
<!-- http://example.com/?q={{{uriComponentInHTMLComment uri_component}}} -->
<!-- http://example.com/#{{{uriComponentInHTMLComment uri_fragment}}} -->

uriComponentInHTMLData(s) → {string}

This filter is to be placed in HTML Data state for a URI Component.

Notice: The actual implementation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURIComponent().

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded by window.encodeURIComponent() and then inHTMLData()

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/">http://example.com/?q={{{uriComponentInHTMLData uri_component}}}</a>
<a href="http://example.com/">http://example.com/#{{{uriComponentInHTMLData uri_fragment}}}</a>

uriComponentInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for a URI Component.
The correct order of encoders is thus: first window.encodeURIComponent(), then inDoubleQuotedAttr()

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded first by window.encodeURIComponent(), then inDoubleQuotedAttr()

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/?q={{{uriComponentInDoubleQuotedAttr uri_component}}}">link</a>

uriComponentInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for a URI Component.
The correct order of encoders is thus: first window.encodeURIComponent(), then inSingleQuotedAttr()

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded first by window.encodeURIComponent(), then inSingleQuotedAttr()

Type
string
Example
// output context to be applied by this filter.
<a href='http://example.com/?q={{{uriComponentInSingleQuotedAttr uri_component}}}'>link</a>

uriComponentInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for a URI Component.
The correct order of encoders is thus: first the built-in encodeURIComponent(), then inUnQuotedAttr()

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded first by window.encodeURIComponent(), then inUnQuotedAttr()

Type
string
Example
// output context to be applied by this filter.
<a href=http://example.com/?q={{{uriComponentInUnQuotedAttr uri_component}}}>link</a>

uriFragmentInHTMLComment(s) → {string}

This is an alias of uriComponentInHTMLComment

uriFragmentInHTMLData(s) → {string}

This is an alias of uriComponentInHTMLData

uriFragmentInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for a URI Fragment.
The correct order of encoders is thus: first window.encodeURIComponent(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Fragment
Returns:

The string s encoded first by window.encodeURIComponent(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/#{{{uriFragmentInDoubleQuotedAttr uri_fragment}}}">link</a>

uriFragmentInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for a URI Fragment.
The correct order of encoders is thus: first window.encodeURIComponent(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Fragment
Returns:

The string s encoded first by window.encodeURIComponent(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href='http://example.com/#{{{uriFragmentInSingleQuotedAttr uri_fragment}}}'>link</a>

uriFragmentInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for a URI Fragment.
The correct order of encoders is thus: first the built-in encodeURIComponent(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Fragment
Returns:

The string s encoded first by window.encodeURIComponent(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href=http://example.com/#{{{uriFragmentInUnQuotedAttr uri_fragment}}}>link</a>

API

Clone this wiki locally