leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Sanitize img / src does not work #163

Closed jochenonline closed 5 years ago

jochenonline commented 5 years ago

I am doing this:

var xss = require("xss");
var options = {
  // allow only <img> tags, and only their src attribute
  whiteList: {
    img: ["src"]
  }
};
// the src value is a base64 data: URI
console.log(xss('<img src="data:image/gif;base64,R0lGODdhEAAQAMwAAP">', options));

=> "<img src>"

How can I get the string after src?

leizongmin commented 5 years ago

It does not allow the value to start with data: in the src attribute by default. See this issue: https://github.com/leizongmin/js-xss/issues/118

You may specify a custom onIgnoreTagAttr function to allow a data:* src.
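One way to let inline images through without opening the door to arbitrary data: URIs, as an added example that is not part of this thread or of js-xss itself. It builds a strict allow-list for img src values and wires it into the safeAttrValue option described in the js-xss README; the names safeImgDataSrc, makeOptions and MAX_DATA_URI_LENGTH are this example's own, and the wiring to the real package at the bottom is an assumption that is not exercised here so the block runs without the module.

```javascript
// Added example (not js-xss code): a strict allow-list for data: image
// sources, intended for the safeAttrValue hook of xss(html, options).

// Only raster image types, base64 encoded. SVG is deliberately excluded:
// a data:image/svg+xml document can carry <script> and event handlers.
// The character class also keeps quotes and angle brackets out of the value.
const DATA_IMG_RE =
  /^data:image\/(png|gif|jpeg|webp);base64,([A-Za-z0-9+/]+={0,2})$/;
const MAX_DATA_URI_LENGTH = 256 * 1024; // cap inline images at 256 KiB

// Returns the value to emit for an img src, or "" to drop the value
// (js-xss prints a bare attribute name when the hook returns "").
function safeImgDataSrc(value) {
  const v = String(value).trim();
  if (v.length > MAX_DATA_URI_LENGTH) return "";
  if (!DATA_IMG_RE.test(v)) return "";
  return v; // charset already restricted by the regex, nothing to escape
}

// Build an options object for xss(html, options). defaultSafeAttrValue is
// the library's own value filter (assumed to be xss.safeAttrValue), passed
// in so this block does not require the package; every value that is not
// an img data: src goes through it unchanged. Tag and attribute names are
// assumed to arrive lower-cased, as js-xss normalises them.
function makeOptions(defaultSafeAttrValue) {
  return {
    whiteList: { img: ["src", "alt"] },
    safeAttrValue(tag, name, value, cssFilter) {
      if (tag === "img" && name === "src" && /^\s*data:/i.test(value)) {
        return safeImgDataSrc(value);
      }
      return defaultSafeAttrValue(tag, name, value, cssFilter);
    },
  };
}

// Usage with the real library (assumption, not run here):
//   const xss = require("xss");
//   xss('<img src="data:image/gif;base64,R0lGODdhEAAQAMwAAP">',
//       makeOptions(xss.safeAttrValue));
```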