diff --git a/bower.json b/bower.json
index da21847..00f1ea6 100644
--- a/bower.json
+++ b/bower.json
@@ -1,6 +1,6 @@
 {
 "name": "xss-filters",
- "version": "1.1.1",
+ "version": "1.1.2",
 "homepage": "https://github.com/yahoo/xss-filters",
 "authors": [
 "Nera Liu ",
@@ -33,6 +33,9 @@
 "tests",
 "artifacts",
 "*.js",
- "jsdoc.conf.json"
+ "jsdoc.conf.json",
+ ".travis.yml",
+ ".gitignore",
+ "package.json"
 ]
 }
diff --git a/dist/xss-filters.1.1.2.min.js b/dist/xss-filters.1.1.2.min.js
new file mode 100644
index 0000000..4569da9
--- /dev/null
+++ b/dist/xss-filters.1.1.2.min.js
@@ -0,0 +1,5 @@ +/** + * xss-filters - v1.1.2 + * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. + */ +!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){var a,b="undefined",c="null",d=/])/g,i=/[&<>"'`]/g,j=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,k=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,l={javascript:1,data:1,vbscript:1,mhtml:1},m=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,n=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|Tab;|NewLine;)/g,o=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,p=String.fromCodePoint||String.fromCharCode;return a={yup:function(a){return a=a.replace(g,"").split(m,2),a.length>=2&&a[0]?a[0].replace(n,function(a,c){return typeof c===b?"":p("X"===c[0]||"x"===c[0]?"0"+c:c)}).replace(o,"").toLowerCase():null},y:function(a){return typeof a===b?b:null===a?c:a.toString().replace(i,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},yd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(d,"<")},yc:function(a){return typeof a===b?b:null===a?c:a.toString().replace(j,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(e,""")},yavs:function(a){return typeof a===b?b:null===a?c:a.toString().replace(f,"'")},yavu:function(a){return typeof a===b?b:null===a?c:a.toString().replace(h,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(b){return l[a.yup(b)]?"x-"+b:b},yufull:function(b){return a.yu(b).replace(k,function(a,b){return"//["+b+"]"})}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}()); \ No newline at end of file diff --git a/dist/xss-filters.js b/dist/xss-filters.js index ba0dd45..fd7b0b2 100644 --- a/dist/xss-filters.js +++ b/dist/xss-filters.js 
@@ -1,5 +1,5 @@ /** - * xss-filters - v1.1.1 + * xss-filters - v1.1.2 * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. */ -!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g])/g,i=/[&<>"'`]/g,j=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,k=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,l=["javascript","data","vbscript","mhtml"],m=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,n=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|Tab;|NewLine;)/g,o=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,p=String.fromCodePoint||String.fromCharCode;return a={yup:function(a){return a=a.replace(g,"").split(m,2),a.length>=2&&a[0]?a[0].replace(n,function(a,c){return typeof c===b?"":p("X"===c[0]||"x"===c[0]?"0"+c:c)}).replace(o,"").toLowerCase():null},y:function(a){return typeof a===b?b:null===a?c:a.toString().replace(i,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},yd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(d,"<")},yc:function(a){return typeof a===b?b:null===a?c:a.toString().replace(j,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(e,""")},yavs:function(a){return typeof a===b?b:null===a?c:a.toString().replace(f,"'")},yavu:function(a){return typeof 
a===b?b:null===a?c:a.toString().replace(h,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" ":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(b){return-1===l.indexOf(a.yup(b))?b:"x-"+b},yufull:function(b){return a.yu(b).replace(k,function(a,b){return"//["+b+"]"})}}};var e=c._privFilters=c._getPrivFilters();c.inHTMLData=e.yd,c.inHTMLComment=e.yc,c.inSingleQuotedAttr=e.yavs,c.inDoubleQuotedAttr=e.yavd,c.inUnQuotedAttr=e.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,e.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,e.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,e.yavu)},c.uriInHTMLData=e.yufull,c.uriInHTMLComment=function(a){return e.yc(e.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,e.yavs,e.yu)},c.uriPathInDoubleQuotedAttr=function(a){return d(a,e.yavd,e.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,e.yavu,e.yu)},c.uriPathInHTMLData=e.yu,c.uriPathInHTMLComment=function(a){return e.yc(e.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return e.yavs(e.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return e.yavd(e.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return e.yavu(e.yuc(a))},c.uriComponentInHTMLData=e.yuc,c.uriComponentInHTMLComment=function(a){return e.yc(e.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return e.yubl(e.yavs(e.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return e.yubl(e.yavd(e.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return e.yubl(e.yavu(e.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment},{}]},{},[1])(1)}); \ No newline at end of file 
+!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g])/g,i=/[&<>"'`]/g,j=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,k=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,l={javascript:1,data:1,vbscript:1,mhtml:1},m=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,n=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|Tab;|NewLine;)/g,o=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,p=String.fromCodePoint||String.fromCharCode;return a={yup:function(a){return a=a.replace(g,"").split(m,2),a.length>=2&&a[0]?a[0].replace(n,function(a,c){return typeof c===b?"":p("X"===c[0]||"x"===c[0]?"0"+c:c)}).replace(o,"").toLowerCase():null},y:function(a){return typeof a===b?b:null===a?c:a.toString().replace(i,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},yd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(d,"<")},yc:function(a){return typeof a===b?b:null===a?c:a.toString().replace(j,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(e,""")},yavs:function(a){return typeof a===b?b:null===a?c:a.toString().replace(f,"'")},yavu:function(a){return typeof a===b?b:null===a?c:a.toString().replace(h,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(b){return l[a.yup(b)]?"x-"+b:b},yufull:function(b){return a.yu(b).replace(k,function(a,b){return"//["+b+"]"})}}};var e=c._privFilters=c._getPrivFilters();c.inHTMLData=e.yd,c.inHTMLComment=e.yc,c.inSingleQuotedAttr=e.yavs,c.inDoubleQuotedAttr=e.yavd,c.inUnQuotedAttr=e.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,e.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,e.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,e.yavu)},c.uriInHTMLData=e.yufull,c.uriInHTMLComment=function(a){return e.yc(e.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,e.yavs,e.yu)},c.uriPathInDoubleQuotedAttr=function(a){return d(a,e.yavd,e.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,e.yavu,e.yu)},c.uriPathInHTMLData=e.yu,c.uriPathInHTMLComment=function(a){return e.yc(e.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return e.yavs(e.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return e.yavd(e.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return e.yavu(e.yuc(a))},c.uriComponentInHTMLData=e.yuc,c.uriComponentInHTMLComment=function(a){return e.yc(e.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return e.yubl(e.yavs(e.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return e.yubl(e.yavd(e.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return e.yubl(e.yavu(e.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment},{}]},{},[1])(1)}); \ No newline at end of file diff --git a/dist/xss-filters.min.js b/dist/xss-filters.min.js index 3fe6937..4569da9 100644 --- a/dist/xss-filters.min.js +++ b/dist/xss-filters.min.js 
@@ -1,5 +1,5 @@ /** - * xss-filters - v1.1.1 + * xss-filters - v1.1.2 * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. */ -!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){var a,b="undefined",c="null",d=/])/g,i=/[&<>"'`]/g,j=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,k=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,l=["javascript","data","vbscript","mhtml"],m=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,n=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|Tab;|NewLine;)/g,o=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,p=String.fromCodePoint||String.fromCharCode;return a={yup:function(a){return a=a.replace(g,"").split(m,2),a.length>=2&&a[0]?a[0].replace(n,function(a,c){return typeof c===b?"":p("X"===c[0]||"x"===c[0]?"0"+c:c)}).replace(o,"").toLowerCase():null},y:function(a){return typeof a===b?b:null===a?c:a.toString().replace(i,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},yd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(d,"<")},yc:function(a){return typeof a===b?b:null===a?c:a.toString().replace(j,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(e,""")},yavs:function(a){return typeof a===b?b:null===a?c:a.toString().replace(f,"'")},yavu:function(a){return typeof a===b?b:null===a?c:a.toString().replace(h,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(b){return-1===l.indexOf(a.yup(b))?b:"x-"+b},yufull:function(b){return a.yu(b).replace(k,function(a,b){return"//["+b+"]"})}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}()); \ No newline at end of file +!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){var 
a,b="undefined",c="null",d=/])/g,i=/[&<>"'`]/g,j=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,k=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,l={javascript:1,data:1,vbscript:1,mhtml:1},m=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,n=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|Tab;|NewLine;)/g,o=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,p=String.fromCodePoint||String.fromCharCode;return a={yup:function(a){return a=a.replace(g,"").split(m,2),a.length>=2&&a[0]?a[0].replace(n,function(a,c){return typeof c===b?"":p("X"===c[0]||"x"===c[0]?"0"+c:c)}).replace(o,"").toLowerCase():null},y:function(a){return typeof a===b?b:null===a?c:a.toString().replace(i,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},yd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(d,"<")},yc:function(a){return typeof a===b?b:null===a?c:a.toString().replace(j,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return typeof a===b?b:null===a?c:a.toString().replace(e,""")},yavs:function(a){return typeof a===b?b:null===a?c:a.toString().replace(f,"'")},yavu:function(a){return typeof a===b?b:null===a?c:a.toString().replace(h,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(b){return l[a.yup(b)]?"x-"+b:b},yufull:function(b){return a.yu(b).replace(k,function(a,b){return"//["+b+"]"})}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}()); \ No newline at end of file diff --git a/package.json b/package.json index 3e7d1d1..314311c 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@
 {
 "name": "xss-filters",
- "version": "1.1.1",
+ "version": "1.1.2",
 "licenses": [
 {
 "type": "BSD",
diff --git a/src/xss-filters.js b/src/xss-filters.js
index 51af0b2..0d1ee4a 100644
--- a/src/xss-filters.js
+++ b/src/xss-filters.js
@@ -32,7 +32,7 @@ exports._getPrivFilters = function () {
 // Reference: http://shazzer.co.uk/database/All/Characters-after-javascript-uri
 // Reference: https://html.spec.whatwg.org/multipage/syntax.html#consume-a-character-reference
 // Reference for named characters: https://html.spec.whatwg.org/multipage/entities.json
- var URI_BLACKLIST_PROTOCOLS = ['javascript', 'data', 'vbscript', 'mhtml'],
+ var URI_BLACKLIST_PROTOCOLS = {'javascript':1, 'data':1, 'vbscript':1, 'mhtml':1},
 URI_PROTOCOL_COLON = /(?::|&#[xX]0*3[aA];?|�*58;?|:)/,
 URI_PROTOCOL_HTML_ENTITIES = /&(?:#([xX][0-9A-Fa-f]+|\d+);?|Tab;|NewLine;)/g,
 URI_PROTOCOL_WHITESPACES = /(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,
@@ -187,7 +187,7 @@ exports._getPrivFilters = function () {
 // Notice that yubl MUST BE APPLIED LAST, and will not be used independently (expected output from encodeURI/encodeURIComponent and yavd/yavs/yavu)
 // This is used to disable JS execution capabilities by prefixing x- to ^javascript:, ^vbscript: or ^data: that possibly could trigger script execution in URI attribute context
 yubl: function (s) {
- return URI_BLACKLIST_PROTOCOLS.indexOf(x.yup(s)) === -1 ? s : 'x-' + s;
+ return URI_BLACKLIST_PROTOCOLS[x.yup(s)] ? 'x-' + s : s;
 },
 // This is NOT a security-critical filter.
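Review bot: The new lookup in yubl (hunk @@ -187), `URI_BLACKLIST_PROTOCOLS[x.yup(s)]`, is truthy for every key inherited from Object.prototype, so an input whose extracted scheme is e.g. `constructor`, `tostring` is not affected but `hasOwnProperty` or `valueOf` is, gets prefixed with `x-` even though it is not in the list defined in hunk @@ -32; the replaced indexOf check did not have this edge. It fails closed rather than open, so it is not a bypass, but it is a silent behavioural change worth pinning down, and the plain-object literal does not prevent it. Compare against the stored marker instead, `return URI_BLACKLIST_PROTOCOLS[x.yup(s)] === 1 ? 'x-' + s : s;`, or build the table with Object.create(null) so only the four listed schemes are ever truthy. x.yup can also return null (visible in the dist copies), which indexes the 'null' key and is falsy under both forms. The enclosing _getPrivFilters function starts and ends outside both hunks.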