leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Extra "[removed]" appearing in the output #142

Open steph643 opened 6 years ago

steph643 commented 6 years ago

Consider the following code:

const Xss = require('xss')
console.log(
   Xss('<meta content="text/html"><style>h1 { color:red; }</style>', {
      whiteList: { style: [] },
      stripIgnoreTagBody: true
   })
)

I believe it should output this:

<style>h1 { color:red; }</style>

But instead it displays this:

[removed]<style>h1 { color:red; }</style>

joshgo commented 4 years ago

I'm having this same issue, but actually this is what I see on my end:

  1. Option 1, no options are passed to the filter
  2. Option 2, pass stripIgnoreTagBody: ['script']
  3. Option 3, in addition to option 2, also define an onTag() to clear the string

Here is the onTag definition:

function onTag(tag) {
  if (tag === 'script') {
    return "";
  }
  return undefined;
}

Here are the results (table columns: case, original data, option 1 output, option 2 output, option 3 output):

1 \<script\>alert(1)\<script\&gt alert(1)