leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Self closing tag is replaced with string '[removed]' #105

Closed alexandre-roitman closed 7 years ago

alexandre-roitman commented 7 years ago

When calling XSS on a self closing tag (ex: meta tag)

var result = xss('', { stripIgnoreTagBody: true });

result will be '[removed]'

Can this issue be handled?

alexandre-roitman commented 7 years ago

@leizongmin can you assist?

leizongmin commented 7 years ago

You can specify a custom onIgnoreTag method to do such things. Refer to https://github.com/leizongmin/js-xss/blob/master/lib/default.js#L315 and https://github.com/leizongmin/js-xss/blob/master/lib/xss.js#L136
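One way to write such a handler, as an added example that is not code from this thread or from js-xss: it mirrors the `[removed]` / `[/removed]` marker approach but drops HTML void elements such as `meta` outright, since they never get a closing tag. `makeVoidAwareStripper` is a hypothetical helper, and the usage in the final comment assumes js-xss reports `options.position` as an offset into the string it returns.

```javascript
// Added example, not js-xss code. HTML void elements never have a closing
// tag, so a strip-body handler must not wait for one.
const VOID_TAGS = new Set(["area", "base", "br", "col", "embed", "hr", "img",
  "input", "link", "meta", "source", "track", "wbr"]);

// Hypothetical helper: returns an onIgnoreTag callback plus a remove() pass.
// It is stateful, so create a fresh one for every string that is sanitized.
function makeVoidAwareStripper() {
  const ranges = [];  // [start, end) spans of the output to delete
  let start = null;   // output offset of the first still-open ignored tag

  return {
    // js-xss calls onIgnoreTag(tag, html, options) for non-whitelisted tags;
    // options.isClosing marks a closing tag, options.position is the offset
    // in the output where the returned replacement will be written.
    onIgnoreTag(tag, html, options) {
      if (VOID_TAGS.has(tag.toLowerCase())) return ""; // drop, leave no marker
      if (options.isClosing) {
        const marker = "[/removed]";
        ranges.push([start !== null ? start : options.position,
          options.position + marker.length]);
        start = null;
        return marker;
      }
      if (start === null) start = options.position;
      return "[removed]";
    },

    // Cut every recorded span: both markers and the body between them.
    remove(output) {
      let result = "";
      let last = 0;
      for (const [from, to] of ranges) {
        result += output.slice(last, from);
        last = to;
      }
      return result + output.slice(last);
    },
  };
}

// Usage (assumes the `xss` package is installed and imported as `xss`):
//   const s = makeVoidAwareStripper();
//   const clean = s.remove(xss(untrusted, { onIgnoreTag: s.onIgnoreTag }));
```

Returning an empty string for a void tag discards the tag rather than echoing it, so nothing unescaped reaches the output.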