leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

whiteList does nothing #247

Open chladnefazole opened 2 years ago

chladnefazole commented 2 years ago

I have this whitelist:

```js
{
    '!doctype': ['html'],
    meta: ['name', 'content', 'charset'],
    html: ['lang'],
    style: [],
    head: [],
    title: [],
    body: ['class'],
    footer: []
},
```

But style, head, body, html tags are all being escaped still. table, tr, td, tbody, p, h1, h2 tags are not escaped. Basically, the list does nothing at all.

I am using the library via a CDN and therefore I'm calling the function like so: `var cleanHtml = filterXSS(dirtyHtml, sanitizerOptions);`

leizongmin commented 2 years ago

Hi @chladnefazole, please try this example code:

```js
var dirtyHtml =
  '<!doctype html><head><meta charset="utf-8" name="xx" content="yy"><title>Test</title><style></style></head><body class="aa"><footer></footer><div></div></body>';
var sanitizerOptions = {
  whiteList: {
    "!doctype": ["html"],
    meta: ["name", "content", "charset"],
    html: ["lang"],
    style: [],
    head: [],
    title: [],
    body: ["class"],
    footer: [],
  },
};
var cleanHtml = filterXSS(dirtyHtml, sanitizerOptions);
console.log(cleanHtml);
```

We get the following result:

```html
<!doctype html><head><meta charset="utf-8" name="xx" content="yy"><title>Test</title><style></style></head><body class="aa"><footer></footer>&lt;div&gt;&lt;/div&gt;</body>
```
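To make the whitelist mechanism concrete, here is an added example that is not js-xss's own code: a deliberately small tag/attribute whitelist sanitizer that reproduces the result above for the maintainer's input. It assumes only the whitelist and input from this thread and skips most of what the real library does (comments, attribute value checks, CSS filtering, `onIgnoreTag` hooks), so use the `xss` package itself in production.

```javascript
// Added example for this issue, not js-xss's own code: a deliberately small
// whitelist sanitizer that mirrors the idea behind `whiteList` (tag name ->
// allowed attribute names; any other tag is escaped). It omits most of what
// the real library handles (comments, attribute value checks, CSS filtering,
// onIgnoreTag hooks), so use the `xss` package itself in production.

// js-xss escapes only the angle brackets of a rejected tag; do the same here.
function escapeHtml(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Keep only the attributes listed for this tag; drop everything else.
function filterAttrs(attrText, allowed) {
  const kept = [];
  const re = /([a-zA-Z0-9_:-]+)(?:\s*=\s*"([^"]*)")?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) continue;
    kept.push(m[2] === undefined ? name : `${name}="${m[2]}"`);
  }
  return kept.length ? " " + kept.join(" ") : "";
}

// Rebuild whitelisted tags with filtered attributes; escape every other tag
// so the browser renders it as literal text instead of markup.
function sanitize(html, whiteList) {
  return html.replace(/<(\/?)([!a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (tag, slash, name, rest) => {
    const key = name.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(whiteList, key)) return escapeHtml(tag);
    if (slash) return `</${key}>`;
    return `<${key}${filterAttrs(rest, whiteList[key])}>`;
  });
}

// The whitelist and input from this issue (constructed to match the thread).
const whiteList = {
  "!doctype": ["html"], meta: ["name", "content", "charset"], html: ["lang"],
  style: [], head: [], title: [], body: ["class"], footer: [],
};
const dirtyHtml =
  '<!doctype html><head><meta charset="utf-8" name="xx" content="yy"><title>Test</title><style></style></head><body class="aa"><footer></footer><div></div></body>';

function demo() {
  return sanitize(dirtyHtml, whiteList);
}
console.log(demo());
```

Note that a tag absent from the whitelist is escaped as a whole, while a whitelisted tag keeps only the attributes named in its list; that is exactly the difference the reporter saw between `table`/`p` (in the default list) and `html`/`head`/`body`/`style` (not in it).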