leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

HTML comment tags are encoded #230

Closed andrey-skl closed 2 years ago

andrey-skl commented 3 years ago
  1. Run XSS via the following params: `filterXSS('<!-- foo -->', {allowCommentTag: true})`

Expected output: `<!-- foo -->`

Actual output: `&lt;!-- foo --&gt;`

Version: xss@1.0.8

ittybittykitty commented 2 years ago

I have this issue too.

Expected output: `<!--[some comment]-->`

Actual output: `&lt;!--[some comment]--&gt;`

Have tried adding this setting: `allowCommentTag:true`

But that does not solve the issue because the results don't match documentation: `xss('<!--[some comment]-->', { allowCommentTag:true })`

Documentation expected output: `<!--[some comment]-->`

Actual output: `&lt;!--[some comment]--&gt;`

Setting allow comments tags to false should remove comment tags: `xss('<!--[some comment]-->', { allowCommentTag:false })`

Documentation expected output: ` Actual output:`

andrey-skl commented 1 year ago

@leizongmin Hello!

I can see that the fix is actually reverted here https://github.com/leizongmin/js-xss/commit/352ae5331f2057a8e7dd198be703b3375ec98206

Can you please let us know why it is not possible to fix?

Thanks!

leizongmin commented 1 year ago

Hi @andrey-skl, this is because the RegExp `/(?<!--)>/g` will cause `SyntaxError: Invalid regular expression: invalid group specifier name` on Safari. Here is the related issue: https://github.com/leizongmin/js-xss/issues/259
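
The following is an added example, not part of the thread and not js-xss code: it shows a lookbehind-free way to get the same matching behaviour as `/(?<!--)>/g`, plus run-time feature detection so that an engine without lookbehind support does not fail at parse time. The function names are hypothetical, replacing the match with `&gt;` is an assumption about how the pattern was used, and only `>` is handled here.

```javascript
// Added example; function names are hypothetical, not js-xss APIs.

// Build the pattern at run time: a lookbehind *literal* is a parse-time
// SyntaxError on engines without support, which stops the whole script.
function supportsLookbehind() {
  try {
    new RegExp("(?<!--)>");
    return true;
  } catch (e) {
    return false;
  }
}

// Lookbehind form: encode every ">" that is not preceded by "--".
function encodeGtLookbehind(html) {
  return html.replace(new RegExp("(?<!--)>", "g"), "&gt;");
}

// Portable form: match every ">" and inspect the two preceding characters
// in the replacer callback, which needs no lookbehind support.
function encodeGtPortable(html) {
  return html.replace(/>/g, function (match, offset, whole) {
    var closesComment = offset >= 2 && whole.slice(offset - 2, offset) === "--";
    return closesComment ? match : "&gt;";
  });
}

// Pick the implementation the current engine can run.
function encodeGt(html) {
  return supportsLookbehind() ? encodeGtLookbehind(html) : encodeGtPortable(html);
}

// Constructed sample inputs, including edge cases at the start of the string.
var SAMPLES = ["<!-- foo -->", "<b>x</b>", "-->>", "->", ">", "a --> b > c"];

// True when both forms agree on every sample (or lookbehind is unavailable).
function portableMatchesLookbehind() {
  if (!supportsLookbehind()) return true; // nothing to compare against
  return SAMPLES.every(function (s) {
    return encodeGtPortable(s) === encodeGtLookbehind(s);
  });
}
```
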