leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Namespaced tags are escaped #199

Closed arildm closed 3 years ago

arildm commented 4 years ago

Tags like <o:p></o:p> get escaped. They should perhaps be filtered away instead?

This particular example comes from copying MS Word-generated HTML. Related: #196

leizongmin commented 4 years ago

This is because the tag o:p is not in the default whiteList. If you want to allow this tag, change the whiteList options. Ref: https://github.com/leizongmin/js-xss#whitelist

Alvis-Li commented 4 years ago

@leizongmin whiteList does not work for <!--<![endif]-->, because this code will be parsed as the tag ![endif]-- when parser.parseTag runs

arildm commented 3 years ago

My problem was that the tag was escaped instead of removed. Problem solved by adding onIgnoreTag: () => "" to the config. I should have RTFM :)
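
The behaviour discussed in this thread, as an added example that is not part of the issue or of js-xss itself: a simplified, self-contained model of a whitelist tag filter with an onIgnoreTag-style hook, showing escape-by-default versus removal of tags such as o:p. The whitelist, the sample input and the names `filterTags` and `WORD_PASTE` are constructed for illustration; the model covers only the hook's contract (return a string to replace the tag, return nothing to fall back to escaping).

```javascript
// Simplified model of a whitelist tag filter (constructed; NOT js-xss source).
const WHITELIST = new Set(["p", "b", "i", "span"]); // assumed sample whitelist

function escapeHtml(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Tag names may carry a namespace prefix, e.g. "o:p" from MS Word HTML.
const TAG_RE = /<\/?([A-Za-z][A-Za-z0-9:-]*)[^<>]*>/g;

function filterTags(html, { onIgnoreTag } = {}) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags
    const name = m[1].toLowerCase();
    const isClosing = m[0].startsWith("</");
    if (WHITELIST.has(name)) {
      // This model drops every attribute of a whitelisted tag.
      out += isClosing ? `</${name}>` : `<${name}>`;
    } else {
      // Hook contract: a returned string replaces the tag;
      // undefined means "use the default", which is to escape it.
      const replaced = onIgnoreTag
        ? onIgnoreTag(name, m[0], { isClosing })
        : undefined;
      out += replaced === undefined ? escapeHtml(m[0]) : replaced;
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(html.slice(last));
}

// Constructed sample resembling HTML pasted from MS Word.
const WORD_PASTE = "<p>Hello<o:p></o:p></p><script>alert(1)</script>";

// 1. Default: non-whitelisted tags are escaped and show up as visible text.
const escapedByDefault = filterTags(WORD_PASTE);

// 2. The fix from the thread: remove every non-whitelisted tag.
//    Only the tags go; the text inside <script> stays as inert text.
const removeAll = filterTags(WORD_PASTE, { onIgnoreTag: () => "" });

// 3. Narrower variant: remove only namespaced tags, keep escaping the rest.
const removeNamespaced = filterTags(WORD_PASTE, {
  onIgnoreTag: (tag) => (tag.includes(":") ? "" : undefined),
});

console.log({ escapedByDefault, removeAll, removeNamespaced });
```

In js-xss the body of an ignored tag can additionally be dropped with the `stripIgnoreTagBody` option, which this model does not implement.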