leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

How can I remove [removed] text from stripIgnoreTagBody: ['script'] option? #244

Open amjadaliup opened 2 years ago

amjadaliup commented 2 years ago

I gave the stripIgnoreTagBody option as ['script'], and the given input is like:

  some text..
  <script>alert(1);

And got output as:

  some text..
  [removed]alert(1);

I only need output like:

  some text..
  alert(1);

How can I remove the [removed] text from the output? Note: if I give [removed] in the input, that will be in the output.

Thanks in advance

lumburr commented 2 years ago

@amjadaliup I think what you need to use is the stripIgnoreTag attribute, which you can set like this:

  const { filterXSS } = require("xss"); // Node.js; the browser build exposes filterXSS as a global
  const source = `some text..<script>alert(1);`;
  const html = filterXSS(source, {
    whiteList: {}, // just make sure that the whiteList does not contain script
    stripIgnoreTag: true, // filter out all HTML not in the whitelist
  });

Or a more violent way:

  const html = filterXSS(source, {
    onTag: function onTag(tag, html, options) {
      if (tag === 'script') {
        return '';
      }
    },
  });

amjadaliup commented 2 years ago

@lumburr Thank you for your answer. But I need to remove body content of the script tag also. That is not possible with these 2 ways. I'm using stripIgnoreTagBody: ['script'] for that.
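
An added example, not part of the thread or of the js-xss project: a custom `onIgnoreTag` handler that drops `script` tags, cuts the body only when a closing tag is actually seen, and never writes a marker into the output, so an unclosed `<script>` leaves its body behind as plain text. The names `makeBodyStripper` and `sanitizeWithoutMarker` are hypothetical; the code assumes the `onIgnoreTag(tag, html, options)` callback with `options.isClosing` and `options.position` (offset in the output), and that `script` is not in the whitelist.

```javascript
// Added example (hypothetical helper names, not js-xss code).
// Builds an onIgnoreTag handler plus a post-pass that removes the body of
// the listed tags without emitting any "[removed]" placeholder.
function makeBodyStripper(tags) {
  const ranges = []; // [start, end) spans of the filtered output to cut
  let openAt = null; // output offset of the first unmatched opening tag

  return {
    // Assumed callback contract: options.position is the current length of
    // the output, options.isClosing is true for </tag>.
    onIgnoreTag(tag, html, options) {
      if (!tags.includes(tag.toLowerCase())) return undefined; // default handling
      if (options.isClosing) {
        if (openAt !== null) {
          ranges.push([openAt, options.position]);
          openAt = null;
        }
      } else if (openAt === null) {
        openAt = options.position; // explicit null check: offset 0 is valid
      }
      return ""; // the tag itself contributes nothing to the output
    },

    // Run over the string returned by filterXSS to cut the recorded bodies.
    remove(filtered) {
      let out = "";
      let last = 0;
      for (const [start, end] of ranges) {
        out += filtered.slice(last, start);
        last = end;
      }
      return out + filtered.slice(last);
    },
  };
}

// filterXSS is passed in so the helper has no hard dependency; with the
// package installed: const { filterXSS } = require("xss");
function sanitizeWithoutMarker(source, filterXSS, tags = ["script"]) {
  const stripper = makeBodyStripper(tags); // fresh state for every call
  const filtered = filterXSS(source, { onIgnoreTag: stripper.onIgnoreTag });
  return stripper.remove(filtered);
}
```

Because the cut happens on the already filtered string, the text on either side of a removed body has been escaped before the two pieces are joined.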