leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Elements in Object.prototype are whitelisted #120

Closed twiss closed 6 years ago

twiss commented 6 years ago

It's not a very serious vulnerability, but there's a short list of elements that are whitelisted because they're in Object.prototype:

var filterXSS = require('xss'); // Node; in the browser filterXSS is a global

// Empty whitelist, yet the tag survives: "constructor" is found via Object.prototype
filterXSS('<constructor>test</constructor>', {whiteList: {}})
// '<constructor>test</constructor>'

// With an attribute present the lookup returns the Object function, not an array
filterXSS('<constructor foo>test</constructor>', {whiteList: {}})
// Uncaught TypeError: arr.indexOf is not a function

If, for some very stupid reason, someone set Object.prototype.script to something, this would become a more serious vulnerability.

https://github.com/leizongmin/js-xss/blob/4761419c4150c2629f3d9ceffbd62e5e0c79d32f/dist/xss.js#L875

`tag in whiteList` should be replaced with `whiteList.hasOwnProperty(tag)`.
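The prototype-chain lookup described above, reproduced in a small standalone tag filter (an added example, not js-xss code): the `in` check accepts any tag name that exists on Object.prototype, and the own-property check is the fix. The whitelist, the `filterTags` helper and its regex are constructed for this illustration.

```javascript
// Added example, not js-xss code: why `tag in whiteList` is wrong and how
// an own-property check fixes it. The whitelist below is constructed.
const hasOwn = Object.prototype.hasOwnProperty;
const whiteList = { a: ["href"], b: [] }; // only <a href> and <b> allowed

// Vulnerable check: `in` walks the prototype chain, so "constructor",
// "toString", "hasOwnProperty" ... all appear to be whitelisted.
function isAllowedTagVulnerable(list, tag) {
  return tag in list;
}

// Fixed check: consult only the whitelist's own keys. Calling
// Object.prototype.hasOwnProperty directly also works when the whitelist
// is Object.create(null) or contains a key literally named "hasOwnProperty".
function isAllowedTagFixed(list, tag) {
  return hasOwn.call(list, tag);
}

// Attribute check as in the issue's stack trace: with the `in` check,
// list["constructor"] is the Object function, which has no indexOf,
// hence "arr.indexOf is not a function".
function isAllowedAttrVulnerable(list, tag, attr) {
  return list[tag].indexOf(attr) !== -1;
}
function isAllowedAttrFixed(list, tag, attr) {
  const arr = hasOwn.call(list, tag) ? list[tag] : [];
  return arr.indexOf(attr) !== -1;
}

// Minimal tag filter (constructed, far simpler than js-xss's parser):
// allowed tags pass through verbatim, every other tag is HTML-escaped.
function filterTags(html, list, isAllowed) {
  return html.replace(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g, (m, tag) =>
    isAllowed(list, tag.toLowerCase())
      ? m
      : m.replace(/</g, "&lt;").replace(/>/g, "&gt;")
  );
}

const probe = "<constructor>test</constructor><b>ok</b>";
```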

leizongmin commented 6 years ago

fixed this issue in xss@0.3.6, thanks.