diff --git a/bower.json b/bower.json
index 6b92a69..0126731 100644
--- a/bower.json
+++ b/bower.json
@@ -1,6 +1,6 @@
 {
 "name": "xss-filters",
- "version": "1.2.2",
+ "version": "1.2.3",
 "homepage": "https://github.com/yahoo/xss-filters",
 "authors": [
 "Nera Liu ",
diff --git a/dist/xss-filters.1.2.3.min.js b/dist/xss-filters.1.2.3.min.js
new file mode 100644
index 0000000..7d31f1e
--- /dev/null
+++ b/dist/xss-filters.1.2.3.min.js
@@ -0,0 +1,5 @@ +/** + * xss-filters - v1.2.3 + * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. + */ +!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){function a(a){return a=a.split(x,2),2===a.length&&a[0]?a[0]:null}function b(a,b){return"undefined"==typeof a?"undefined":null===a?"null":b.apply(a.toString(),[].splice.call(arguments,2))}function c(a,c,d,e,f){c=c||q,d=d||p;var h,i=[].splice.call(arguments,4);return b(a,function(){return h=this.replace(l,"�").replace(d,function(a,b,d,e){return b?(b=Number(b[0]<="9"?b:"0"+b),f?B(b):128===b?"€":130===b?"‚":131===b?"ƒ":132===b?"„":133===b?"…":134===b?"†":135===b?"‡":136===b?"ˆ":137===b?"‰":138===b?"Š":139===b?"‹":140===b?"Œ":142===b?"Ž":145===b?"‘":146===b?"’":147===b?"“":148===b?"”":149===b?"•":150===b?"–":151===b?"—":152===b?"˜":153===b?"™":154===b?"š":155===b?"›":156===b?"œ":158===b?"ž":159===b?"Ÿ":b>=55296&&57343>=b||13===b?"�":g.frCoPt(b)):c[d||e]||a}),e?e.apply(h,i):h})}function d(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function e(a,b){return c(a,null,null,function(){return this.replace(b,d)})}function f(b,e){return c(b,null,null,function(){var b=g.yufull(this),c=a(b);return b=c&&w[c.toLowerCase()]?"##"+b:b,e?b.replace(e,d):b})}var g,h=/])/g,n=/[&<>"'`]/g,o=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,p=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,q={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" 
",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},r=/[^%#+\-\w\.]/g,s=/[\x01-\x1F\x7F\\"]/g,t=/[\x01-\x1F\x7F\\']/g,u=/['\(\)]/g,v=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,w={javascript:1,data:1,vbscript:1,mhtml:1},x=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,y=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,z={Tab:" ",NewLine:"\n"},A=String.prototype.replace,B=String.fromCodePoint||function(a){return 0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return g={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":B(a)},d:c,yup:function(b){return b=a(b.replace(l,"")),b?c(b,z,null,function(){return this.replace(y,"").toLowerCase()},!0):null},y:function(a){return b(a,A,n,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return b(a,A,k,"&")},yd:function(a){return b(a,A,h,"<")},yc:function(a){return b(a,A,o,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return b(a,A,i,""")},yavs:function(a){return b(a,A,j,"'")},yavu:function(a){return b(a,A,m,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":"="===a?"=":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return w[g.yup(a)]?"x-"+a:a},yufull:function(a){return g.yu(a).replace(v,function(a,b){return"//["+b+"]"})},yublf:function(a){return g.yubl(g.yufull(a))},yceu:function(a){return e(a,r)},yced:function(a){return e(a,s)},yces:function(a){return e(a,t)},yceuu:function(a){return f(a,u)},yceud:function(a){return f(a)},yceus:function(a){return f(a,j)}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return 
d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}()); \ No newline at end of file diff --git a/dist/xss-filters.js b/dist/xss-filters.js index 977a8de..b726a56 100644 --- a/dist/xss-filters.js +++ b/dist/xss-filters.js 
@@ -1,5 +1,5 @@ /** - * xss-filters - v1.2.2 + * xss-filters - v1.2.3 * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. */ -!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g=55296&&57343>=b||13===b?"�":g.frCoPt(b)):c[d||e]||a}),e?e.apply(f,h):f})}function d(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function e(a,b){return c(a,null,null,function(){return this.replace(b,d)})}function f(b,e){return c(b,null,null,function(){var b=g.yufull(this),c=a(b);return b=c&&w[c.toLowerCase()]?"##"+b:b,e?b.replace(e,d):b})}var g,h=/])/g,n=/[&<>"'`]/g,o=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,p=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,q={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" ",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},r=/[^%#+\-\w\.]/g,s=/[\x01-\x1F\x7F\\"]/g,t=/[\x01-\x1F\x7F\\']/g,u=/['\(\)]/g,v=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,w={javascript:1,data:1,vbscript:1,mhtml:1},x=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,y=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,z={Tab:" ",NewLine:"\n"},A=String.prototype.replace,B=String.fromCodePoint||function(a){return 
0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return g={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":B(a)},d:c,yup:function(b){return b=a(b.replace(l,"")),b?c(b,z,null,function(){return this.replace(y,"").toLowerCase()}):null},y:function(a){return b(a,A,n,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return b(a,A,k,"&")},yd:function(a){return b(a,A,h,"<")},yc:function(a){return b(a,A,o,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return b(a,A,i,""")},yavs:function(a){return b(a,A,j,"'")},yavu:function(a){return b(a,A,m,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" ":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return w[g.yup(a)]?"x-"+a:a},yufull:function(a){return g.yu(a).replace(v,function(a,b){return"//["+b+"]"})},yublf:function(a){return g.yubl(g.yufull(a))},yceu:function(a){return e(a,r)},yced:function(a){return e(a,s)},yces:function(a){return e(a,t)},yceuu:function(a){return f(a,u)},yceud:function(a){return f(a)},yceus:function(a){return f(a,j)}}};var e=c._privFilters=c._getPrivFilters();c.inHTMLData=e.yd,c.inHTMLComment=e.yc,c.inSingleQuotedAttr=e.yavs,c.inDoubleQuotedAttr=e.yavd,c.inUnQuotedAttr=e.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,e.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,e.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,e.yavu)},c.uriInHTMLData=e.yufull,c.uriInHTMLComment=function(a){return e.yc(e.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,e.yavs,e.yu)},c.uriPathInDoubleQuotedAttr=function(a){return 
d(a,e.yavd,e.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,e.yavu,e.yu)},c.uriPathInHTMLData=e.yu,c.uriPathInHTMLComment=function(a){return e.yc(e.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return e.yavs(e.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return e.yavd(e.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return e.yavu(e.yuc(a))},c.uriComponentInHTMLData=e.yuc,c.uriComponentInHTMLComment=function(a){return e.yc(e.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return e.yubl(e.yavs(e.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return e.yubl(e.yavd(e.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return e.yubl(e.yavu(e.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment},{}]},{},[1])(1)}); \ No newline at end of file +!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g=55296&&57343>=b||13===b?"�":g.frCoPt(b)):c[d||e]||a}),e?e.apply(h,i):h})}function d(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function e(a,b){return c(a,null,null,function(){return 
this.replace(b,d)})}function f(b,e){return c(b,null,null,function(){var b=g.yufull(this),c=a(b);return b=c&&w[c.toLowerCase()]?"##"+b:b,e?b.replace(e,d):b})}var g,h=/])/g,n=/[&<>"'`]/g,o=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,p=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,q={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" ",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},r=/[^%#+\-\w\.]/g,s=/[\x01-\x1F\x7F\\"]/g,t=/[\x01-\x1F\x7F\\']/g,u=/['\(\)]/g,v=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,w={javascript:1,data:1,vbscript:1,mhtml:1},x=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,y=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,z={Tab:" ",NewLine:"\n"},A=String.prototype.replace,B=String.fromCodePoint||function(a){return 0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return g={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":B(a)},d:c,yup:function(b){return b=a(b.replace(l,"")),b?c(b,z,null,function(){return this.replace(y,"").toLowerCase()},!0):null},y:function(a){return b(a,A,n,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return b(a,A,k,"&")},yd:function(a){return b(a,A,h,"<")},yc:function(a){return b(a,A,o,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return b(a,A,i,""")},yavs:function(a){return b(a,A,j,"'")},yavu:function(a){return b(a,A,m,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":"="===a?"=":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return w[g.yup(a)]?"x-"+a:a},yufull:function(a){return g.yu(a).replace(v,function(a,b){return"//["+b+"]"})},yublf:function(a){return g.yubl(g.yufull(a))},yceu:function(a){return e(a,r)},yced:function(a){return e(a,s)},yces:function(a){return e(a,t)},yceuu:function(a){return f(a,u)},yceud:function(a){return f(a)},yceus:function(a){return f(a,j)}}};var e=c._privFilters=c._getPrivFilters();c.inHTMLData=e.yd,c.inHTMLComment=e.yc,c.inSingleQuotedAttr=e.yavs,c.inDoubleQuotedAttr=e.yavd,c.inUnQuotedAttr=e.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,e.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,e.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,e.yavu)},c.uriInHTMLData=e.yufull,c.uriInHTMLComment=function(a){return e.yc(e.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,e.yavs,e.yu)},c.uriPathInDoubleQuotedAttr=function(a){return d(a,e.yavd,e.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,e.yavu,e.yu)},c.uriPathInHTMLData=e.yu,c.uriPathInHTMLComment=function(a){return e.yc(e.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return e.yavs(e.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return e.yavd(e.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return e.yavu(e.yuc(a))},c.uriComponentInHTMLData=e.yuc,c.uriComponentInHTMLComment=function(a){return e.yc(e.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return e.yubl(e.yavs(e.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return e.yubl(e.yavd(e.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return 
e.yubl(e.yavu(e.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment},{}]},{},[1])(1)}); \ No newline at end of file diff --git a/dist/xss-filters.min.js b/dist/xss-filters.min.js index 32ff030..7d31f1e 100644 --- a/dist/xss-filters.min.js +++ b/dist/xss-filters.min.js 
@@ -1,5 +1,5 @@ /** - * xss-filters - v1.2.2 + * xss-filters - v1.2.3 * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. */ -!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){function a(a){return a=a.split(x,2),2===a.length&&a[0]?a[0]:null}function b(a,b){return"undefined"==typeof a?"undefined":null===a?"null":b.apply(a.toString(),[].splice.call(arguments,2))}function c(a,c,d,e){c=c||q,d=d||p;var f,h=[].splice.call(arguments,4);return b(a,function(){return f=this.replace(l,"�").replace(d,function(a,b,d,e){return b?(b=Number(b[0]<="9"?b:"0"+b),128===b?"€":130===b?"‚":131===b?"ƒ":132===b?"„":133===b?"…":134===b?"†":135===b?"‡":136===b?"ˆ":137===b?"‰":138===b?"Š":139===b?"‹":140===b?"Œ":142===b?"Ž":145===b?"‘":146===b?"’":147===b?"“":148===b?"”":149===b?"•":150===b?"–":151===b?"—":152===b?"˜":153===b?"™":154===b?"š":155===b?"›":156===b?"œ":158===b?"ž":159===b?"Ÿ":b>=55296&&57343>=b||13===b?"�":g.frCoPt(b)):c[d||e]||a}),e?e.apply(f,h):f})}function d(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function e(a,b){return c(a,null,null,function(){return this.replace(b,d)})}function f(b,e){return c(b,null,null,function(){var b=g.yufull(this),c=a(b);return b=c&&w[c.toLowerCase()]?"##"+b:b,e?b.replace(e,d):b})}var g,h=/])/g,n=/[&<>"'`]/g,o=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,p=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,q={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" 
",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},r=/[^%#+\-\w\.]/g,s=/[\x01-\x1F\x7F\\"]/g,t=/[\x01-\x1F\x7F\\']/g,u=/['\(\)]/g,v=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,w={javascript:1,data:1,vbscript:1,mhtml:1},x=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,y=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,z={Tab:" ",NewLine:"\n"},A=String.prototype.replace,B=String.fromCodePoint||function(a){return 0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return g={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":B(a)},d:c,yup:function(b){return b=a(b.replace(l,"")),b?c(b,z,null,function(){return this.replace(y,"").toLowerCase()}):null},y:function(a){return b(a,A,n,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return b(a,A,k,"&")},yd:function(a){return b(a,A,h,"<")},yc:function(a){return b(a,A,o,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return b(a,A,i,""")},yavs:function(a){return b(a,A,j,"'")},yavu:function(a){return b(a,A,m,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return w[g.yup(a)]?"x-"+a:a},yufull:function(a){return g.yu(a).replace(v,function(a,b){return"//["+b+"]"})},yublf:function(a){return g.yubl(g.yufull(a))},yceu:function(a){return e(a,r)},yced:function(a){return e(a,s)},yces:function(a){return e(a,t)},yceuu:function(a){return f(a,u)},yceud:function(a){return f(a)},yceus:function(a){return f(a,j)}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return 
d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}()); \ No newline at end of file +!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){function a(a){return a=a.split(x,2),2===a.length&&a[0]?a[0]:null}function b(a,b){return"undefined"==typeof a?"undefined":null===a?"null":b.apply(a.toString(),[].splice.call(arguments,2))}function c(a,c,d,e,f){c=c||q,d=d||p;var h,i=[].splice.call(arguments,4);return b(a,function(){return h=this.replace(l,"�").replace(d,function(a,b,d,e){return b?(b=Number(b[0]<="9"?b:"0"+b),f?B(b):128===b?"€":130===b?"‚":131===b?"ƒ":132===b?"„":133===b?"…":134===b?"†":135===b?"‡":136===b?"ˆ":137===b?"‰":138===b?"Š":139===b?"‹":140===b?"Œ":142===b?"Ž":145===b?"‘":146===b?"’":147===b?"“":148===b?"”":149===b?"•":150===b?"–":151===b?"—":152===b?"˜":153===b?"™":154===b?"š":155===b?"›":156===b?"œ":158===b?"ž":159===b?"Ÿ":b>=55296&&57343>=b||13===b?"�":g.frCoPt(b)):c[d||e]||a}),e?e.apply(h,i):h})}function d(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function e(a,b){return c(a,null,null,function(){return this.replace(b,d)})}function f(b,e){return c(b,null,null,function(){var b=g.yufull(this),c=a(b);return b=c&&w[c.toLowerCase()]?"##"+b:b,e?b.replace(e,d):b})}var g,h=/])/g,n=/[&<>"'`]/g,o=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,p=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,q={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" 
",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},r=/[^%#+\-\w\.]/g,s=/[\x01-\x1F\x7F\\"]/g,t=/[\x01-\x1F\x7F\\']/g,u=/['\(\)]/g,v=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,w={javascript:1,data:1,vbscript:1,mhtml:1},x=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,y=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,z={Tab:" ",NewLine:"\n"},A=String.prototype.replace,B=String.fromCodePoint||function(a){return 0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return g={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":B(a)},d:c,yup:function(b){return b=a(b.replace(l,"")),b?c(b,z,null,function(){return this.replace(y,"").toLowerCase()},!0):null},y:function(a){return b(a,A,n,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return b(a,A,k,"&")},yd:function(a){return b(a,A,h,"<")},yc:function(a){return b(a,A,o,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return b(a,A,i,""")},yavs:function(a){return b(a,A,j,"'")},yavu:function(a){return b(a,A,m,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":"="===a?"=":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return w[g.yup(a)]?"x-"+a:a},yufull:function(a){return g.yu(a).replace(v,function(a,b){return"//["+b+"]"})},yublf:function(a){return g.yubl(g.yufull(a))},yceu:function(a){return e(a,r)},yced:function(a){return e(a,s)},yces:function(a){return e(a,t)},yceuu:function(a){return f(a,u)},yceud:function(a){return f(a)},yceus:function(a){return f(a,j)}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return 
d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}()); \ No newline at end of file diff --git a/package.json b/package.json index 718570c..949758d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "xss-filters", - "version": "1.2.2", + "version": "1.2.3", "licenses": [ { "type": "BSD", diff --git a/src/xss-filters.js b/src/xss-filters.js index 4c9a34f..57c7992 100644 --- a/src/xss-filters.js +++ b/src/xss-filters.js @@ -16,7 +16,7 @@ exports._getPrivFilters = function () { SQUOT = /'/g, AMP = /&/g, NULL = /\x00/g, - SPECIAL_ATTR_VALUE_UNQUOTED_CHARS = /(?:^(?:["'`]|\x00+$|$)|[\x09-\x0D >])/g, + SPECIAL_ATTR_VALUE_UNQUOTED_CHARS = /(?:^$|[\x00\x09-\x0D "'`=<>])/g, SPECIAL_HTML_CHARS = /[&<>"'`]/g, SPECIAL_COMMENT_CHARS = /(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g; @@ -79,7 +79,7 @@ exports._getPrivFilters = function () { } - function htmlDecode(s, namedRefMap, reNamedRef, callback) { + function htmlDecode(s, namedRefMap, reNamedRef, callback, skipReplacement) { namedRefMap = namedRefMap || SENSITIVE_NAMED_REF_MAP; reNamedRef = reNamedRef || SENSITIVE_HTML_ENTITIES; @@ -121,7 +121,8 @@ exports._getPrivFilters = function () { // // num >= 0xD800 && num <= 0xDFFF, and 0x0D is separately handled, as it doesn't fall into the range of x.pec() // return (num >= 0xD800 && num <= 0xDFFF) || num === 0x0D ? '\uFFFD' : x.frCoPt(num); - return num === 0x80 ? '\u20AC' // EURO SIGN (€) + return skipReplacement ? fromCodePoint(num) + : num === 0x80 ? '\u20AC' // EURO SIGN (€) : num === 0x82 ? '\u201A' // SINGLE LOW-9 QUOTATION MARK (‚) : num === 0x83 ? '\u0192' // LATIN SMALL LETTER F WITH HOOK (ƒ) : num === 0x84 ? '\u201E' // DOUBLE LOW-9 QUOTATION MARK („) 
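Review bot: The new `skipReplacement` branch in htmlDecode (hunk at line 121) hands `num` straight to `fromCodePoint`, bypassing the range validation that the normal path gets through `x.frCoPt`; the numeric-reference pattern accepts any run of digits, so a reference above U+10FFFF (constructed sample: `&#1114112;`, i.e. 0x110000) reaches native `String.fromCodePoint`, which throws RangeError rather than returning a string. Since `yup` now passes `true` for this flag, every public filter that routes through `yubl` would presumably surface that exception on such input instead of a sanitized value; the dist bundle's polyfill fallback (`String.fromCodePoint||function(a){...}`) does not throw, so the failure is engine-dependent. Bound the value before the call, e.g. `return skipReplacement ? (num > 0x10FFFF ? '\uFFFD' : fromCodePoint(num))`, keeping the rest of the ternary chain unchanged. The parameter is also undocumented in the signature hunk at line 79; a comment such as `// skipReplacement: yield the raw code point of a numeric reference (no Windows-1252 remap, no U+FFFD substitution)` would record the contract. htmlDecode starts and ends outside the hunk.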
@@ -205,7 +206,7 @@ exports._getPrivFilters = function () { // URI_PROTOCOL_WHITESPACES is required for left trim and remove interim whitespaces return s ? htmlDecode(s, URI_PROTOCOL_NAMED_REF_MAP, null, function() { return this.replace(URI_PROTOCOL_WHITESPACES, '').toLowerCase(); - }): null; + }, true): null; }, /* @@ -309,11 +310,13 @@ exports._getPrivFilters = function () { : m === '\f' ? ' ' // in hex: 0C : m === '\r' ? ' ' // in hex: 0D : m === ' ' ? ' ' // in hex: 20 + : m === '=' ? '=' // in hex: 3D + : m === '<' ? '<' : m === '>' ? '>' : m === '"' ? '"' : m === "'" ? ''' : m === '`' ? '`' - : /*empty or all null*/ '\uFFFD'; + : /*empty or null*/ '\uFFFD'; }); }, @@ -511,7 +514,7 @@ exports.inDoubleQuotedAttr = privFilters.yavd; * @function module:xss-filters#inUnQuotedAttr * * @param {string} s - An untrusted user input -* @returns {string} If s contains any state breaking chars (\t, \n, \v, \f, \r, space, and >), they are escaped and encoded into their equivalent HTML entity representations. If s starts with ', " or `, they are escaped to enforce the attr value (unquoted) state. If the whole string is empty or all null, inject a \uFFFD character. +* @returns {string} If s contains any state breaking chars (\t, \n, \v, \f, \r, space, null, ', ", `, <, >, and =), they are escaped and encoded into their equivalent HTML entity representations. If the string is empty, inject a \uFFFD character. * * @description *
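Review bot: The rewritten `@returns` text in the inUnQuotedAttr hunk (line 511) states that a null character is "escaped and encoded into [its] equivalent HTML entity representation", but the mapping in the yavu hunk at line 309 has no case for `\x00`, so it falls through to the `/*empty or null*/ '\uFFFD'` default — and the new unit test in tests/unit/private-xss-filters.js expects exactly that substitution. Suggest: `@returns {string} If s contains any state breaking chars (\t, \n, \v, \f, \r, space, ', ", \`, <, >, and =), they are escaped and encoded into their equivalent HTML entity representations; a null character is replaced by \uFFFD, and an empty string yields a single \uFFFD.` The function this documents (privFilters.yavu, exported as inUnQuotedAttr) lies outside the hunk.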

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

diff --git a/tests/unit/private-xss-filters.js b/tests/unit/private-xss-filters.js index 7967e91..a140800 100644 --- a/tests/unit/private-xss-filters.js +++ b/tests/unit/private-xss-filters.js @@ -248,10 +248,14 @@ Authors: Nera Liu it('filter yav-unquoted state transition test', function() { testutils.test_yav(filter.yavu, [ - 'foo&<>\'"` ', ' ', '\uFFFD', - "''", " ''", " ''", " ''", " ''", - '""', ' ""', ' ""', ' ""', ' ""', - '``', ' ``', ' ``', ' ``', ' ``']); + 'foo&<>'"` ', ' ', '\uFFFD', + "''", " ''", " ''", " ''", " ''", + '""', ' ""', ' ""', ' ""', ' ""', + '``', ' ``', ' ``', ' ``', ' ``']); + + var s = "\x00=<>''onerror=alert(1)"; + var o = filter.yavu(s); + expect(o).to.eql("\uFFFD=<>''onerror=alert(1)"); }); it('filter yu state transition test', function() { @@ -274,11 +278,29 @@ Authors: Nera Liu }); it('filter yufull state transition test', function() { - testutils.test_yufull(filter.yufull, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]']); + testutils.test_yufull(filter.yufull, [ + null, // default + null, // default + null, // default + null, // default + null, // default + 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]', + null, // default + null // default + ]); }); it('filter yublf state transition test', function() { - testutils.test_yufull(filter.yublf, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]']); + testutils.test_yufull(filter.yublf, [ + null, // default + null, // default + null, // default + null, // default + null, // default + 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]', + null, // default + null // default + ]); testutils.test_yubl(filter.yublf, [ '%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13%14%15%16%17%18%19%1A%1B%1C%1D%1E%1F%20j%0Aava%0Dscript%09&col%00on;' ]); diff --git a/tests/unit/xss-filters.js b/tests/unit/xss-filters.js index 62bca23..2957f7b 100644 --- a/tests/unit/xss-filters.js +++ b/tests/unit/xss-filters.js 
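Review bot: The expected-value arrays passed to `testutils.test_yufull` in the yufull and yublf tests are purely positional — seven `null, // default` slots around one IPv6 literal at index 5 — so a reader cannot tell which input that override answers without opening testutils, and the same shape recurs in the tests/unit/xss-filters.js hunks on the following lines. Replacing the bare comment on the overridden slot with one naming the input, e.g. `'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]', // expected for the bracketed IPv6 input`, would make the intent visible at the call site. `test_yufull`'s input list is not in this diff, so I am inferring that null means "use the utility's default expectation".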
@@ -214,10 +214,10 @@ Authors: Nera Liu */ it('filter inUnQuotedAttr state transition test', function() { testutils.test_yav(filter.inUnQuotedAttr, [ - 'foo&<>\'"` ', ' ', '\uFFFD', - "''", " ''", " ''", " ''", " ''", - '""', ' ""', ' ""', ' ""', ' ""', - '``', ' ``', ' ``', ' ``', ' ``']); + 'foo&<>'"` ', ' ', '\uFFFD', + "''", " ''", " ''", " ''", " ''", + '""', ' ""', ' ""', ' ""', ' ""', + '``', ' ``', ' ``', ' ``', ' ``']); }); @@ -230,7 +230,16 @@ Authors: Nera Liu '''', '%20''', '%09''', '%0A''', '%0C''', '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22', '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']); - testutils.test_yufull(filter.uriInSingleQuotedAttr, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]']); + testutils.test_yufull(filter.uriInSingleQuotedAttr, [ + null, // default + null, // default + null, // default + null, // default + null, // default + 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]', + null, // default + null // default + ]); testutils.test_yubl(filter.uriInSingleQuotedAttr); }); it('filter uriInDoubleQuotedAttr state transition test', function() { 
@@ -240,22 +249,49 @@ Authors: Nera Liu '\'\'', '%20\'\'', '%09\'\'', '%0A\'\'', '%0C\'\'', '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22', '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']); - testutils.test_yufull(filter.uriInDoubleQuotedAttr, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]']); + testutils.test_yufull(filter.uriInDoubleQuotedAttr, [ + null, // default + null, // default + null, // default + null, // default + null, // default + 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]', + null, // default + null // default + ]); testutils.test_yubl(filter.uriInDoubleQuotedAttr); }); it('filter uriInUnQuotedAttr state transition test', function() { // encodeURI('foo&<>\'"` \t\n\v\f\r') = foo&%3C%3E'%22%60%20%09%0A%0B%0C%0D testutils.test_yav(filter.uriInUnQuotedAttr, [ - 'foo&%3C%3E\'%22%60%20%09%0A%0B%0C%0D', '%0C', '\uFFFD', - ''\'', '%20\'\'', '%09\'\'', '%0A\'\'', '%0C\'\'', + 'foo&%3C%3E'%22%60%20%09%0A%0B%0C%0D', '%0C', '\uFFFD', + '''', '%20''', '%09''', '%0A''', '%0C''', '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22', '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']); - testutils.test_yufull(filter.uriInUnQuotedAttr, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]']); + testutils.test_yufull(filter.uriInUnQuotedAttr, [ + 'http://6.6.6.6/?q=%5Bsomewhere%5D', + null, // default + null, // default + null, // default + null, // default + 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]', + null, // default + '%5B%5D?&=#/:;' + ]); testutils.test_yubl(filter.uriInUnQuotedAttr); }); it('filter uriInHTMLData state transition test', function() { testutils.test_yd(filter.uriInHTMLData, ['foo&%3C%3E\'%22']); - testutils.test_yufull(filter.uriInHTMLData, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]']); + testutils.test_yufull(filter.uriInHTMLData, [ + null, // default + null, // default + null, // default + null, // default + null, // default + 
'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]', + null, // default + null // default + ]); }); it('filter uriInHTMLComment state transition test', function() { testutils.test_yc(filter.uriInHTMLComment, [ @@ -268,7 +304,16 @@ Authors: Nera Liu '%3E%3Cscript%3Ealert(1)%3C/script%3E', '----------%3E%3Cscript%3Ealert(1)%3C/script%3E', '--%00%3E']); - testutils.test_yufull(filter.uriInHTMLComment, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334] ']); + testutils.test_yufull(filter.uriInHTMLComment, [ + null, // default + null, // default + null, // default + null, // default + null, // default + 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334] ', + null, // default + null // default + ]); }); @@ -296,11 +341,20 @@ Authors: Nera Liu it('filter uriPathInUnQuotedAttr state transition test', function() { // encodeURI('foo&<>\'"` \t\n\v\f\r') = foo&%3C%3E'%22%60%20%09%0A%0B%0C%0D testutils.test_yav(filter.uriPathInUnQuotedAttr, [ - 'foo&%3C%3E\'%22%60%20%09%0A%0B%0C%0D', '%0C', '\uFFFD', - ''\'', '%20\'\'', '%09\'\'', '%0A\'\'', '%0C\'\'', + 'foo&%3C%3E'%22%60%20%09%0A%0B%0C%0D', '%0C', '\uFFFD', + '''', '%20''', '%09''', '%0A''', '%0C''', '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22', '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']); - testutils.test_yu(filter.uriPathInUnQuotedAttr); + testutils.test_yu(filter.uriPathInUnQuotedAttr, [ + 'http://6.6.6.6/?q=%5Bsomewhere%5D', + null, // default + null, // default + null, // default + null, // default + null, // default + null, // default + '%5B%5D?&=#/:;' + ]); testutils.test_yubl(filter.uriPathInUnQuotedAttr); }); it('filter uriPathInHTMLData state transition test', function() { 
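Review bot: In the uriInUnQuotedAttr case the explicit entries at slot 0 (`'http://6.6.6.6/?q=%5Bsomewhere%5D'`) and slot 7 (`'%5B%5D?&=#/:;'`) are the same values the harness substitutes when the slot is null — the literal default at index 0 and `encodeURI('[]?&=#/:;')` at index 7, as far as the tests/utils.js hunks on this page show — so they do not pin anything the defaults would not already check. If the intent is to document that this filter percent-encodes `[` and `]` outside an IPv6 host literal, a short comment saying so would make that visible, e.g. `// brackets outside an IPv6 host are percent-encoded (matches the harness default)`. The uriPathInUnQuotedAttr hunk that passes the same two values to `testutils.test_yu` has the same redundancy. This hunk opens inside the uriInDoubleQuotedAttr callback, whose start lies outside it.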
@@ -344,8 +398,8 @@ Authors: Nera Liu it('filter uriComponentInUnQuotedAttr state transition test', function() { // encodeURIComponent('foo&<>\'"` \t\n\v\f\r') = foo%26%3C%3E'%22%60%20%09%0A%0B%0C%0D testutils.test_yav(filter.uriComponentInUnQuotedAttr, [ - 'foo%26%3C%3E\'%22%60%20%09%0A%0B%0C%0D', '%0C', '\uFFFD', - ''\'', '%20\'\'', '%09\'\'', '%0A\'\'', '%0C\'\'', + 'foo%26%3C%3E'%22%60%20%09%0A%0B%0C%0D', '%0C', '\uFFFD', + '''', '%20''', '%09''', '%0A''', '%0C''', '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22', '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']); testutils.test_yuc(filter.uriComponentInUnQuotedAttr); @@ -391,8 +445,8 @@ Authors: Nera Liu it('filter uriFragmentInUnQuotedAttr state transition test', function() { // encodeuriFragment('foo&<>\'"` \t\n\v\f\r') = foo%26%3C%3E'%22%60%20%09%0A%0B%0C%0D testutils.test_yav(filter.uriFragmentInUnQuotedAttr, [ - 'foo%26%3C%3E\'%22%60%20%09%0A%0B%0C%0D', '%0C', '\uFFFD', - ''\'', '%20\'\'', '%09\'\'', '%0A\'\'', '%0C\'\'', + 'foo%26%3C%3E'%22%60%20%09%0A%0B%0C%0D', '%0C', '\uFFFD', + '''', '%20''', '%09''', '%0A''', '%0C''', '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22', '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']); testutils.test_yuc(filter.uriFragmentInUnQuotedAttr); diff --git a/tests/utils.js b/tests/utils.js index 916af68..f5fe298 100644 --- a/tests/utils.js +++ b/tests/utils.js @@ -139,6 +139,7 @@ exports.test_yubl = function (filter, expectedResults) { 'JavascripT:alert(0)', 'javascript:alert(0)', 'javascript:javascript:alert(0)', + ' javascript:alert(1)', 'vbscript:', ' vbscripT�:', @@ -166,9 +167,10 @@ exports.test_yubl = function (filter, expectedResults) { 'x-JavascripT:alert(0)', 'x-javascript:alert(0)', 'x-javascript:javascript:alert(0)', + 'x- javascript:alert(1)', 'x-vbscript:', - ' vbscripT�:', + 'x- vbscripT�:', 'https://www.yahoo.com', 'http://www.yahoo.com', 
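Review bot: The new test_yubl vector `' javascript:alert(1)'` depends on a leading character that cannot be told apart from a plain space in the rendered diff; if it is a non-ASCII whitespace or control code point, writing it as a `\uXXXX` escape with a comment stating which character it is and what the filter is expected to do with it would make the case reviewable and keep it from being "fixed" by an editor that normalizes whitespace. The same applies to `'x- javascript:alert(1)'` and the corrected `'x- vbscripT�:'` in the second utils.js hunk, where the `�` may itself be a mis-rendered code point rather than a literal U+FFFD in the source. The enclosing test_yubl function starts and ends outside both hunks.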
@@ -192,39 +194,41 @@ exports.test_yubl = function (filter, expectedResults) { }); }; -exports.test_yu = function (filter) { +exports.test_yu = function (filter, expectedResults) { + expectedResults = expectedResults || []; + var str, o; str = 'http://6.6.6.6/?q=[somewhere]'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[0] || encodeURI(str)); str = 'http://6.6.6.6/somewhere'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[1] || encodeURI(str)); str = '//6.6.6.6/somewhere'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[2] || encodeURI(str)); str = 'http://[6.6.6.6]/somewhere'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[3] || encodeURI(str)); str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[4] || encodeURI(str)); str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[5] || encodeURI(str)); str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[6] || encodeURI(str)); str = '[]?&=#/:;'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[7] || encodeURI(str)); // an feature indicator of which encodeURI()/encodeURIComponent() is used str = 'foo\uD800'; 
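Review bot: `expect(o).to.eql(expectedResults[0] || encodeURI(str));` and the seven lines like it fall back to the default on any falsy override, so an expected empty string can never be asserted, and because `expectedResults` now defaults to `[]` with no size check, a caller that passes an array with a slot missing or shifted silently tests the default instead of failing. Prefer an explicit null test per slot, `expect(o).to.eql(expectedResults[0] != null ? expectedResults[0] : encodeURI(str));`, and reject mis-sized arrays up front with `if (expectedResults.length !== 0 && expectedResults.length !== 8) throw new Error('expectedResults must have 8 entries');`. The test_yufull hunk below replaced its former length check with the same `||` pattern and should get the same treatment. test_yu continues past the end of the hunk.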
@@ -236,41 +240,40 @@ exports.test_yu = function (filter) { }; exports.test_yufull = function (filter, expectedResults) { - if (!expectedResults || expectedResults.length !== 1) - throw new Error('must take 1 expected results'); + expectedResults = expectedResults || []; var str, o; str = 'http://6.6.6.6/?q=[somewhere]'; o = filter(str); - expect(o).to.eql('http://6.6.6.6/?q=%5Bsomewhere%5D'); + expect(o).to.eql(expectedResults[0] || 'http://6.6.6.6/?q=%5Bsomewhere%5D'); str = 'http://6.6.6.6/somewhere'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[1] || encodeURI(str)); str = '//6.6.6.6/somewhere'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[2] || encodeURI(str)); str = 'http://[6.6.6.6]/somewhere'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[3] || encodeURI(str)); str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere'; o = filter(str); - expect(o).to.eql(str); + expect(o).to.eql(expectedResults[4] || str); str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]'; o = filter(str); - expect(o).to.eql(expectedResults[0]); + expect(o).to.eql(expectedResults[5] || str); str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80'; o = filter(str); - expect(o).to.eql(str); + expect(o).to.eql(expectedResults[6] || str); str = '[]?&=#/:;'; o = filter(str); - expect(o).to.eql(encodeURI(str)); + expect(o).to.eql(expectedResults[7] || encodeURI(str)); // an feature indicator of which encodeURI()/encodeURIComponent() is used str = 'foo\uD800';