Open MickL opened 2 months ago
Hey Buddy,
Thanks for reporting this issue. The XSS validator uses the xss js package so it could be the upstream issue. As you suggest, I think there is also an issue in the documentation that should be fixed.
Can you reproduce? Maybe it is an upstream issue, it doesn't work like this: whiteList: { strong, a: ['href', 'target', 'rel'] }
-> Usage of <strong> is ok, <a href="#">abc</a> not.
Maybe because the JSON arrives like this? <a href=\"#\">abc</a>
Also these xss validation things are very very hard to debug because there is no console log output why a request has been blocked.
Yes, I can reproduce and I think it is related with https://github.com/Baroshem/nuxt-security/issues/206
When I passed this string with your whitelist xss validation configuration I got:
{ text: '<a href="' }
I think the issue is not related to whitelisting not working but rather to the fact that the underlying package escapes the > character, which results in an error for you.
Would you be interested in contributing to the project with a PoC of something that could fix this problem? :)
Unfortunately I don't have the time and probably also the insights :(
Ok, I will take a look at it in the upcoming days to see if I can fix it somehow
How can I whitelist tag attributes in the xss validator? The docs say:
But this would be invalid TypeScript. I guess you meant to use an array?
If yes then it doesn't work for me: whiteList: { a: ['href', 'target', 'rel'] }
I can whitelist tags like strong but I can't whitelist a tag with attributes. Maybe it is a bug also.