leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Is it possible to preserve case on attributes when filtering XSS? #286

Open ok-martin opened 4 months ago

ok-martin commented 4 months ago

Is there a way to preserve the case of whitelisted attributes when using filterXSS?

Given this code:

const { filterXSS } = require("xss"); // js-xss

const svgText = '<svg id="Art" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 209.621 248.055"></svg>';

const WHITELIST = {
    svg: ['id', 'xmlns', 'viewBox', 'preserveAspectRatio'],
};

const cleanText = filterXSS(svgText, { whiteList: WHITELIST });

cleanText comes back as <svg viewbox="0 0 209.621 248.055"> instead of <svg viewBox="0 0 209.621 248.055">

I cannot run a specific query that will convert viewbox back to viewBox because it is not the only instance that I need. I have more whitelisted fields and mapping all of them is not feasible.
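As an added example (not code from js-xss and not from the issue's author), one way around maintaining a separate case map: keep a single whitelist written in canonical case, derive from it the lowercased list that a sanitizer comparing lowercased names needs, and rename attributes in the sanitizer's output back to canonical case using that same whitelist. The helper names, the regexes and the sample markup below are my own; the sample is constructed to look like the output reported above (attribute names lowercased, everything else intact), and the assumption that the sanitizer lowercases attribute names before matching is taken from that reported output, not from the library's documentation.

```javascript
// Added example (not js-xss code): keep one canonical-case whitelist, hand the
// sanitizer a lowercased copy, and restore canonical attribute-name case on
// the sanitizer's output. Names, helpers and the sample output are assumptions.

// Canonical-case whitelist in the tag -> [attribute...] shape filterXSS takes.
// Tag keys are already lowercase; attribute names carry their SVG spelling.
const SVG_WHITELIST = {
  svg: ["id", "xmlns", "viewBox", "preserveAspectRatio"],
  path: ["d", "pathLength"],
};

// Lowercased copy for a sanitizer that compares lowercased attribute names
// against its list (assumed from the reported `viewbox` output).
function lowercaseWhiteList(whiteList) {
  const out = {};
  for (const [tag, attrs] of Object.entries(whiteList)) {
    out[tag.toLowerCase()] = attrs.map((a) => a.toLowerCase());
  }
  return out;
}

// lowercased tag -> (lowercased attr -> canonical attr)
function buildCaseMap(whiteList) {
  const map = new Map();
  for (const [tag, attrs] of Object.entries(whiteList)) {
    map.set(tag.toLowerCase(), new Map(attrs.map((a) => [a.toLowerCase(), a])));
  }
  return map;
}

// Start tag: tag name, attribute text (quoted values may contain '>'), self-close slash.
const START_TAG =
  /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>=`]+))?)*)\s*(\/?)>/g;
// One attribute inside that text: a name followed by an optional =value part.
const ATTR = /([^\s"'<>\/=]+)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>=`]+))?/g;

// Rename attributes in already-sanitized markup to their canonical spelling.
// This only renames: a name absent from the whitelist is left exactly as it
// was, so the step never widens what the sanitizer allowed through.
function restoreAttrCase(sanitizedHtml, whiteList) {
  const caseMap = buildCaseMap(whiteList);
  return sanitizedHtml.replace(START_TAG, (whole, tag, attrText, selfClose) => {
    const attrMap = caseMap.get(tag.toLowerCase());
    if (!attrMap || !attrText) return whole;
    const fixed = attrText.replace(ATTR, (match, name, valuePart) => {
      const canonical = attrMap.get(name.toLowerCase());
      return (canonical || name) + (valuePart || "");
    });
    return `<${tag}${fixed}${selfClose}>`;
  });
}

// Constructed sample: what a sanitizer that lowercases attribute names would
// return for the SVG in the issue, with one extra attribute and a child added.
const CONSTRUCTED_SANITIZED =
  '<svg id="Art" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 209.621 248.055" ' +
  'preserveaspectratio="xMidYMid meet"><path d="M0 0h1" pathlength="10"/></svg>';

function restoreSample() {
  return restoreAttrCase(CONSTRUCTED_SANITIZED, SVG_WHITELIST);
}

console.log(restoreSample());
```

Run `restoreAttrCase` only on the sanitizer's output, never on the untrusted input: it neither adds nor removes attributes, so it cannot re-admit anything the sanitizer dropped, but it also has no sanitizing power of its own. If the sanitizer lowercases tag names as well (`lineargradient` for `linearGradient`), those need the same treatment on tag names, which this block deliberately leaves alone since the whitelist keys it consumes are already lowercase.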