It's not a very serious vulnerability, but there's a short list of elements that are whitelisted because they're in Object.prototype:
filterXSS('<constructor>test</constructor>', {whiteList: {}})
// '<constructor>test</constructor>'
filterXSS('<constructor foo>test</constructor>', {whiteList: {}})
// Uncaught TypeError: arr.indexOf is not a function
If, for some very stupid reason, someone set Object.prototype.script to something, this would become a more serious vulnerability.
It's not a very serious vulnerability, but there's a short list of elements that are whitelisted because they're in
Object.prototype
:If, for some very stupid reason, someone set
Object.prototype.script
to something, this would become a more serious vulnerability.https://github.com/leizongmin/js-xss/blob/4761419c4150c2629f3d9ceffbd62e5e0c79d32f/dist/xss.js#L875
tag in whiteList
should be replaced withwhiteList.hasOwnProperty(tag)
.