删除全部标签时出错

LeoEatle commented 5 years ago

文档指示如果想删除所有标签，需要这么做

var source = "<strong>hello</strong><script>alert(/xss/);</script>end";
var html = xss(source, {
  whiteList: [], // 白名单为空，表示过滤所有标签
  stripIgnoreTag: true, // 过滤所有非白名单标签的HTML
  stripIgnoreTagBody: ["script"] // script标签较特殊，需要过滤标签中间的内容
});

console.log("text: %s", html);

但是这样会导致<map>标签被识别为whitelist中，因为whitelist是个数组，导致map in whitelist === true，数组具有map方法。

可以采用whiteList: {}来避免这个错误

Kolobok12309 commented 4 years ago

Now valid tag is <constructor>:)

In liveDemo exactly

LeoEatle commented 4 years ago

isWhite: whiteList.hasOwnProperty(tag)

This line shows the problem. So we can just use whiteList: {} to replace it.

Kolobok12309 commented 3 years ago

Fixed in ce8fd4244260a5f3e9dafe4e2586f206fb9bcd80

leizongmin / js-xss

删除全部标签时出错 #156