Closed andrey-skl closed 2 years ago
I have this issue too.
expected output: <!--[some comment]-->
Actual output: <!--[some comment]-->
Have tried adding this setting:
allowCommentTag:true
But that does not solve the issue because the results don't match the documentation:
xss('<!--[some comment]-->', { allowCommentTag:true })
Documentation expected output: <!--[some comment]-->
Actual output: <!--[some comment]-->
Setting allow comment tags to false should remove comment tags:
xss('<!--[some comment]-->', { allowCommentTag:false })
Documentation expected output: ``
Actual output:
@leizongmin Hello!
I can see that the fix is actually reverted here https://github.com/leizongmin/js-xss/commit/352ae5331f2057a8e7dd198be703b3375ec98206
Can you please let us know why it is not possible to fix?
Thanks!
Hi @andrey-skl
This is because the RegExp /(?<!--)>/g
will cause SyntaxError: Invalid regular expression: invalid group specifier name
on Safari.
Here is the related issue: https://github.com/leizongmin/js-xss/issues/259
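Added example (not js-xss code, and not posted by anyone in this thread): the lookbehind /(?<!--)>/g in the reverted fix escapes a stray > while leaving the comment terminator --> alone, but throws a SyntaxError on engines without lookbehind support. The same decision can be made without lookbehind by matching --> as an alternative before > and choosing in the replace callback; a runtime feature check shows how to pick the lookbehind only where it compiles. The stripComments helper covers the allowCommentTag:false behaviour described in the first comment. Function names and the sample inputs are this example's own assumptions.

```javascript
// Added example, not part of js-xss. Escaping a lone ">" in text while keeping
// the HTML comment terminator "-->" intact, without a lookbehind assertion.

// Lookbehind-free variant. At every position the alternation tries "-->"
// before ">", so a ">" that closes a comment is consumed as part of "-->" and
// returned unchanged; any other ">" becomes "&gt;". This needs only regex
// features every JavaScript engine supports.
function escapeLoneGt(text) {
  return text.replace(/-->|>/g, function (m) {
    return m === '-->' ? m : '&gt;';
  });
}

// Feature detection: compile the lookbehind pattern at runtime so the
// SyntaxError (as reported for Safari in this thread) surfaces here instead of
// at module load time. Returns true when the engine accepts the assertion.
function supportsLookbehind() {
  try {
    new RegExp('(?<!--)>');
    return true;
  } catch (e) {
    return false;
  }
}

// Use the lookbehind where it compiles, otherwise the alternation fallback.
// Both produce identical output, so callers never see a difference.
function escapeLoneGtAuto(text) {
  if (supportsLookbehind()) {
    return text.replace(new RegExp('(?<!--)>', 'g'), '&gt;');
  }
  return escapeLoneGt(text);
}

// Removing comment tags entirely (the allowCommentTag:false expectation).
// Non-greedy match so two comments on one line are stripped separately
// rather than everything between the first "<!--" and the last "-->".
function stripComments(text) {
  return text.replace(/<!--[\s\S]*?-->/g, '');
}

// Constructed sample inputs (assumed, not from the issue): a comment that must
// survive, a stray ">" that must be escaped, and both in one string.
var samples = [
  '<!-- foo -->',
  'a > b',
  '<!--[some comment]--> 1 > 0',
  '--> trailing'
];

samples.forEach(function (s) {
  console.log(JSON.stringify(s), '=>', JSON.stringify(escapeLoneGt(s)));
});
console.log('lookbehind supported:', supportsLookbehind());
console.log(JSON.stringify(stripComments('a<!--x-->b<!--y-->c')));
```

The alternation form behaves the same as the lookbehind on the edge cases that matter here: "--->" keeps its ">" in both (it is preceded by "--"), and "->" is escaped in both (only one dash precedes it).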
filterXSS('<!-- foo -->', {allowCommentTag: true})
Expected output:
<!-- foo -->
Actual output: <!-- foo -->
Version:
xss@1.0.8