leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

How to check input string is vulnerable #215

Open sozakir opened 3 years ago

sozakir commented 3 years ago

Hi, I am using the js-xss library in my project. I want to check whether an input string is vulnerable using the js-xss library. How can we check whether a string would be vulnerable before sanitizing it?

I am checking the input and output strings: if they are equal, then the string is not vulnerable; otherwise it is vulnerable.

import xss from 'xss';

// Class name assumed; the original snippet showed only the static method.
export class InputCheck {
  public static isVulnerable(input: string): boolean {
    input = input.trim();
    const sanitizedString = xss(input, {
      stripIgnoreTag: true,
      stripIgnoreTagBody: ['script'],
      whiteList: {}
    });
    // Treats any change made by the sanitizer as a sign of vulnerable input
    return input !== sanitizedString;
  }
}

Is there any function in the library which can check whether a string is vulnerable?

Because the current function fails for this string, test < test, and returns test &lt; test, which says it is vulnerable, but it is not, I guess.

leizongmin commented 3 years ago

The main function of this module is to filter out illegal HTML code based on a whitelist. If the input contains non-whitelisted tags, it means it is vulnerable; then you can try to set up the onIgnoreTag option like this:

var xss = require('xss');

var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>';
var isVulnerable = false;
var html = xss(source, {
  // called once for every tag that is not in the whitelist
  onIgnoreTag: function (tag, html, options) {
    isVulnerable = true;
  }
});
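As an added illustration, not js-xss's own code: a standalone tag-level check (findDisallowed, WHITE_LIST and the sample inputs below are assumptions for the demo) that reports only tags and attributes outside a whitelist shaped like js-xss's, which is the kind of information the library's onIgnoreTag and onIgnoreTagAttr hooks give you, set beside the input-versus-output comparison from the question, which also fires on harmless escaping such as the "test < test" case.

```javascript
// Added example, not js-xss code: reports tags and attributes outside a
// whitelist shaped like js-xss's ({ tagName: [allowedAttrNames] }) instead
// of asking "did sanitizing change the string?", which also fires on
// harmless escaping such as "test < test" -> "test &lt; test".
const TAG_RE = /<\/?([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

// Constructed whitelist for the demo (assumption, not js-xss's default).
const WHITE_LIST = { a: ['href', 'title'], b: [] };

// Returns one finding per disallowed tag or attribute; an empty array means
// nothing outside the whitelist was seen. A bare "<" that does not start a
// tag name is plain text and is never reported.
function findDisallowed(html, whiteList) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(whiteList, tag)) {
      findings.push({ kind: 'tag', tag, html: m[0] });
      continue;
    }
    for (const a of m[2].matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      if (!whiteList[tag].includes(attr)) {
        findings.push({ kind: 'attr', tag, attr, html: m[0] });
      }
    }
  }
  return findings;
}

function isVulnerable(html, whiteList) {
  return findDisallowed(html, whiteList).length > 0;
}

// The check from the question, reduced to its essence: escaping alone
// changes the string, so "test < test" is reported although no tag exists.
function changedByEscaping(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;') !== s;
}

// Constructed sample inputs.
const SAMPLES = [
  'test < test',
  '<b>bold</b>',
  '<a href="/x" onclick="alert(1)">link</a>',
  '<script>alert(1)</script>',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'changed by escaping:', changedByEscaping(s),
    'disallowed:', findDisallowed(s, WHITE_LIST).map((f) => f.kind + ':' + (f.attr || f.tag)));
}
```

Because a closing tag is matched too, a non-whitelisted element such as script yields two findings (open and close); the report carries the matched HTML so the offending fragment can be logged.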