diff options
| author | Anton Luka Šijanec <sijanecantonluka@gmail.com> | 2020-02-09 00:38:26 +0100 |
|---|---|---|
| committer | Anton Luka Šijanec <sijanecantonluka@gmail.com> | 2020-02-09 00:38:26 +0100 |
| commit | 70aa7a5cb9de83c0966985618d6e6d4d4400dd0d (patch) | |
| tree | 034c862909cbd070e03612395b9a6d85a1c2c9eb /node_modules/xss | |
| parent | added http://beziapp/?m=Name Surname to redirect to the messaging page with prefilled recipient (diff) | |
| download | beziapp-70aa7a5cb9de83c0966985618d6e6d4d4400dd0d.tar beziapp-70aa7a5cb9de83c0966985618d6e6d4d4400dd0d.tar.gz beziapp-70aa7a5cb9de83c0966985618d6e6d4d4400dd0d.tar.bz2 beziapp-70aa7a5cb9de83c0966985618d6e6d4d4400dd0d.tar.lz beziapp-70aa7a5cb9de83c0966985618d6e6d4d4400dd0d.tar.xz beziapp-70aa7a5cb9de83c0966985618d6e6d4d4400dd0d.tar.zst beziapp-70aa7a5cb9de83c0966985618d6e6d4d4400dd0d.zip | |
Diffstat (limited to '')
| -rw-r--r-- | js/lib/xss.js (renamed from node_modules/xss/dist/xss.js) | 11 | ||||
| -rw-r--r-- | node_modules/xss/LICENSE | 23 | ||||
| -rw-r--r-- | node_modules/xss/README.md | 499 | ||||
| -rw-r--r-- | node_modules/xss/README.zh.md | 485 | ||||
| -rwxr-xr-x | node_modules/xss/bin/xss | 67 | ||||
| -rw-r--r-- | node_modules/xss/dist/test.html | 15 | ||||
| -rw-r--r-- | node_modules/xss/dist/xss.min.js | 1 | ||||
| -rw-r--r-- | node_modules/xss/lib/cli.js | 45 | ||||
| -rw-r--r-- | node_modules/xss/lib/default.js | 415 | ||||
| -rw-r--r-- | node_modules/xss/lib/index.js | 40 | ||||
| -rw-r--r-- | node_modules/xss/lib/parser.js | 239 | ||||
| -rw-r--r-- | node_modules/xss/lib/util.js | 34 | ||||
| -rw-r--r-- | node_modules/xss/lib/xss.js | 211 | ||||
| -rw-r--r-- | node_modules/xss/package.json | 92 | ||||
| -rw-r--r-- | node_modules/xss/typings/xss.d.ts | 189 |
15 files changed, 8 insertions, 2358 deletions
diff --git a/node_modules/xss/dist/xss.js b/js/lib/xss.js index 9583a6b..bddbdd8 100644 --- a/node_modules/xss/dist/xss.js +++ b/js/lib/xss.js @@ -151,15 +151,19 @@ function safeAttrValue(tag, name, value, cssFilter) { if (name === "href" || name === "src") { // filter `href` and `src` attribute - // only allow the value that starts with `http://` | `https://` | `mailto:` | `/` | `#` + // only allow the value that starts with `http://` | `https://` | `mailto:` | `/` | `#` | and others value = _.trim(value); if (value === "#") return "#"; if ( !( value.substr(0, 7) === "http://" || value.substr(0, 8) === "https://" || + value.substr(0, 6) === "ftp://" || value.substr(0, 7) === "mailto:" || value.substr(0, 4) === "tel:" || + value.substr(0, 11) === "data:image/" || + value.substr(0, 2) === "./" || + value.substr(0, 3) === "../" || value[0] === "#" || value[0] === "/" ) @@ -504,7 +508,7 @@ function isClosing(html) { * @return {String} */ function parseTag(html, onTag, escapeHtml) { - "user strict"; + "use strict"; var rethtml = ""; var lastPos = 0; @@ -574,7 +578,7 @@ var REGEXP_ILLEGAL_ATTR_NAME = /[^a-zA-Z0-9_:\.\-]/gim; * @return {String} */ function parseAttr(html, onAttr) { - "user strict"; + "use strict"; var lastPos = 0; var retAttrs = []; @@ -1607,3 +1611,4 @@ module.exports = { }; },{}]},{},[2]); + diff --git a/node_modules/xss/LICENSE b/node_modules/xss/LICENSE deleted file mode 100644 index f840eb4..0000000 --- a/node_modules/xss/LICENSE +++ /dev/null @@ -1,23 +0,0 @@ -Copyright (c) 2012-2018 Zongmin Lei(雷宗民) <leizongmin@gmail.com> -http://ucdok.com - -The MIT License - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file diff --git a/node_modules/xss/README.md b/node_modules/xss/README.md deleted file mode 100644 index 4f202f1..0000000 --- a/node_modules/xss/README.md +++ /dev/null @@ -1,499 +0,0 @@ -[![NPM version][npm-image]][npm-url] -[![build status][travis-image]][travis-url] -[![Test coverage][coveralls-image]][coveralls-url] -[![David deps][david-image]][david-url] -[![node version][node-image]][node-url] -[![npm download][download-image]][download-url] -[![npm license][license-image]][download-url] - -[npm-image]: https://img.shields.io/npm/v/xss.svg?style=flat-square -[npm-url]: https://npmjs.org/package/xss -[travis-image]: https://img.shields.io/travis/leizongmin/js-xss.svg?style=flat-square -[travis-url]: https://travis-ci.org/leizongmin/js-xss -[coveralls-image]: https://img.shields.io/coveralls/leizongmin/js-xss.svg?style=flat-square -[coveralls-url]: https://coveralls.io/r/leizongmin/js-xss?branch=master -[david-image]: https://img.shields.io/david/leizongmin/js-xss.svg?style=flat-square -[david-url]: https://david-dm.org/leizongmin/js-xss -[node-image]: https://img.shields.io/badge/node.js-%3E=_0.10-green.svg?style=flat-square -[node-url]: http://nodejs.org/download/ -[download-image]: https://img.shields.io/npm/dm/xss.svg?style=flat-square -[download-url]: https://npmjs.org/package/xss -[license-image]: https://img.shields.io/npm/l/xss.svg - -# Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist. - -[](https://greenkeeper.io/) - - - ---- - -`xss` is a module used to filter input from users to prevent XSS attacks. -([What is XSS attack?](http://en.wikipedia.org/wiki/Cross-site_scripting)) - -**Project Homepage:** http://jsxss.com - -**Try Online:** http://jsxss.com/en/try.html - -**[中文版文档](https://github.com/leizongmin/js-xss/blob/master/README.zh.md)** - ---- - -## Features - -* Specifies HTML tags and their attributes allowed with whitelist -* Handle any tags or attributes using custom function. - -## Reference - -* [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet) -* [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme) -* [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b) - -## Benchmark (for references only) - -* the xss module: 8.2 MB/s -* `xss()` function from module `validator@0.3.7`: 4.4 MB/s - -For test code please refer to `benchmark` directory. - -## They are using xss module - -* **nodeclub** - A Node.js bbs using MongoDB - https://github.com/cnodejs/nodeclub -* **cnpmjs.org** - Private npm registry and web for Enterprise - https://github.com/cnpm/cnpmjs.org - -## Install - -### NPM - -```bash -npm install xss -``` - -### Bower - -```bash -bower install xss -``` - -Or - -```bash -bower install https://github.com/leizongmin/js-xss.git -``` - -## Usages - -### On Node.js - -```javascript -var xss = require("xss"); -var html = xss('<script>alert("xss");</script>'); -console.log(html); -``` - -### On Browser - -Shim mode (reference file `test/test.html`): - -```html -<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script> -<script> -// apply function filterXSS in the same way -var html = filterXSS('<script>alert("xss");</scr' + 'ipt>'); -alert(html); -</script> -``` - -AMD mode - shim: - -```html -<script> -require.config({ - baseUrl: './', - paths: { - xss: 'https://rawgit.com/leizongmin/js-xss/master/dist/xss.js' - }, - shim: { - xss: {exports: 'filterXSS'} - } -}) -require(['xss'], function (xss) { - var html = xss('<script>alert("xss");</scr' + 'ipt>'); - alert(html); -}); -</script> -``` - -**Notes: please don't use the URL https://rawgit.com/leizongmin/js-xss/master/dist/xss.js in production environment.** - -## Command Line Tool - -### Process File - -You can use the xss command line tool to process a file. Usage: - -```bash -xss -i <input_file> -o <output_file> -``` - -Example: - -```bash -xss -i origin.html -o target.html -``` - -### Active Test - -Run the following command, them you can type HTML -code in the command-line, and check the filtered output: - -```bash -xss -t -``` - -For more details, please run `$ xss -h` to see it. - -## Custom filter rules - -When using the `xss()` function, the second parameter could be used to specify -custom rules: - -```javascript -options = {}; // Custom rules -html = xss('<script>alert("xss");</script>', options); -``` - -To avoid passing `options` every time, you can also do it in a faster way by -creating a `FilterXSS` instance: - -```javascript -options = {}; // Custom rules -myxss = new xss.FilterXSS(options); -// then apply myxss.process() -html = myxss.process('<script>alert("xss");</script>'); -``` - -Details of parameters in `options` would be described below. - -### Whitelist - -By specifying a `whiteList`, e.g. `{ 'tagName': [ 'attr-1', 'attr-2' ] }`. Tags -and attributes not in the whitelist would be filter out. For example: - -```javascript -// only tag a and its attributes href, title, target are allowed -var options = { - whiteList: { - a: ["href", "title", "target"] - } -}; -// With the configuration specified above, the following HTML: -// <a href="#" onclick="hello()"><i>Hello</i></a> -// would become: -// <a href="#">Hello</a> -``` - -For the default whitelist, please refer `xss.whiteList`. - -### Customize the handler function for matched tags - -By specifying the handler function with `onTag`: - -```javascript -function onTag(tag, html, options) { - // tag is the name of current tag, e.g. 'a' for tag <a> - // html is the HTML of this tag, e.g. '<a>' for tag <a> - // options is some addition informations: - // isWhite boolean, whether the tag is in whitelist - // isClosing boolean, whether the tag is a closing tag, e.g. true for </a> - // position integer, the position of the tag in output result - // sourcePosition integer, the position of the tag in input HTML source - // If a string is returned, the current tag would be replaced with the string - // If return nothing, the default measure would be taken: - // If in whitelist: filter attributes using onTagAttr, as described below - // If not in whitelist: handle by onIgnoreTag, as described below -} -``` - -### Customize the handler function for attributes of matched tags - -By specifying the handler function with `onTagAttr`: - -```javascript -function onTagAttr(tag, name, value, isWhiteAttr) { - // tag is the name of current tag, e.g. 'a' for tag <a> - // name is the name of current attribute, e.g. 'href' for href="#" - // isWhiteAttr whether the attribute is in whitelist - // If a string is returned, the attribute would be replaced with the string - // If return nothing, the default measure would be taken: - // If in whitelist: filter the value using safeAttrValue as described below - // If not in whitelist: handle by onIgnoreTagAttr, as described below -} -``` - -### Customize the handler function for tags not in the whitelist - -By specifying the handler function with `onIgnoreTag`: - -```javascript -function onIgnoreTag(tag, html, options) { - // Parameters are the same with onTag - // If a string is returned, the tag would be replaced with the string - // If return nothing, the default measure would be taken (specifies using - // escape, as described below) -} -``` - -### Customize the handler function for attributes not in the whitelist - -By specifying the handler function with `onIgnoreTagAttr`: - -```javascript -function onIgnoreTagAttr(tag, name, value, isWhiteAttr) { - // Parameters are the same with onTagAttr - // If a string is returned, the value would be replaced with this string - // If return nothing, then keep default (remove the attribute) -} -``` - -### Customize escaping function for HTML - -By specifying the handler function with `escapeHtml`. Following is the default -function **(Modification is not recommended)**: - -```javascript -function escapeHtml(html) { - return html.replace(/</g, "<").replace(/>/g, ">"); -} -``` - -### Customize escaping function for value of attributes - -By specifying the handler function with `safeAttrValue`: - -```javascript -function safeAttrValue(tag, name, value) { - // Parameters are the same with onTagAttr (without options) - // Return the value as a string -} -``` - -### Customize CSS filter - -If you allow the attribute `style`, the value will be processed by [cssfilter](https://github.com/leizongmin/js-css-filter) module. The cssfilter module includes a default css whitelist. You can specify the options for cssfilter module like this: - -```javascript -myxss = new xss.FilterXSS({ - css: { - whiteList: { - position: /^fixed|relative$/, - top: true, - left: true - } - } -}); -html = myxss.process('<script>alert("xss");</script>'); -``` - -If you don't want to filter out the `style` content, just specify `false` to the `css` option: - -```javascript -myxss = new xss.FilterXSS({ - css: false -}); -``` - -For more help, please see https://github.com/leizongmin/js-css-filter - -### Quick Start - -#### Filter out tags not in the whitelist - -By using `stripIgnoreTag` parameter: - -* `true` filter out tags not in the whitelist -* `false`: by default: escape the tag using configured `escape` function - -Example: - -If `stripIgnoreTag = true` is set, the following code: - -```html -code:<script>alert(/xss/);</script> -``` - -would output filtered: - -```html -code:alert(/xss/); -``` - -#### Filter out tags and tag bodies not in the whitelist - -By using `stripIgnoreTagBody` parameter: - -* `false|null|undefined` by default: do nothing -* `'*'|true`: filter out all tags not in the whitelist -* `['tag1', 'tag2']`: filter out only specified tags not in the whitelist - -Example: - -If `stripIgnoreTagBody = ['script']` is set, the following code: - -```html -code:<script>alert(/xss/);</script> -``` - -would output filtered: - -```html -code: -``` - -#### Filter out HTML comments - -By using `allowCommentTag` parameter: - -* `true`: do nothing -* `false` by default: filter out HTML comments - -Example: - -If `allowCommentTag = false` is set, the following code: - -```html -code:<!-- something --> END -``` - -would output filtered: - -```html -code: END -``` - -## Examples - -### Allow attributes of whitelist tags start with `data-` - -```javascript -var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>'; -var html = xss(source, { - onIgnoreTagAttr: function(tag, name, value, isWhiteAttr) { - if (name.substr(0, 5) === "data-") { - // escape its value using built-in escapeAttrValue function - return name + '="' + xss.escapeAttrValue(value) + '"'; - } - } -}); - -console.log("%s\nconvert to:\n%s", source, html); -``` - -Result: - -```html -<div a="1" b="2" data-a="3" data-b="4">hello</div> -convert to: -<div data-a="3" data-b="4">hello</div> -``` - -### Allow tags start with `x-` - -```javascript -var source = "<x><x-1>he<x-2 checked></x-2>wwww</x-1><a>"; -var html = xss(source, { - onIgnoreTag: function(tag, html, options) { - if (tag.substr(0, 2) === "x-") { - // do not filter its attributes - return html; - } - } -}); - -console.log("%s\nconvert to:\n%s", source, html); -``` - -Result: - -```html -<x><x-1>he<x-2 checked></x-2>wwww</x-1><a> -convert to: -<x><x-1>he<x-2 checked></x-2>wwww</x-1><a> -``` - -### Parse images in HTML - -```javascript -var source = - '<img src="img1">a<img src="img2">b<img src="img3">c<img src="img4">d'; -var list = []; -var html = xss(source, { - onTagAttr: function(tag, name, value, isWhiteAttr) { - if (tag === "img" && name === "src") { - // Use the built-in friendlyAttrValue function to escape attribute - // values. It supports converting entity tags such as < to printable - // characters such as < - list.push(xss.friendlyAttrValue(value)); - } - // Return nothing, means keep the default handling measure - } -}); - -console.log("image list:\n%s", list.join(", ")); -``` - -Result: - -```html -image list: -img1, img2, img3, img4 -``` - -### Filter out HTML tags (keeps only plain text) - -```javascript -var source = "<strong>hello</strong><script>alert(/xss/);</script>end"; -var html = xss(source, { - whiteList: [], // empty, means filter out all tags - stripIgnoreTag: true, // filter out all HTML not in the whilelist - stripIgnoreTagBody: ["script"] // the script tag is a special case, we need - // to filter out its content -}); - -console.log("text: %s", html); -``` - -Result: - -```html -text: helloend -``` - -## License - -```text -Copyright (c) 2012-2018 Zongmin Lei(雷宗民) <leizongmin@gmail.com> -http://ucdok.com - -The MIT License - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -``` diff --git a/node_modules/xss/README.zh.md b/node_modules/xss/README.zh.md deleted file mode 100644 index 2483d4d..0000000 --- a/node_modules/xss/README.zh.md +++ /dev/null @@ -1,485 +0,0 @@ -[![NPM version][npm-image]][npm-url] -[![build status][travis-image]][travis-url] -[![Test coverage][coveralls-image]][coveralls-url] -[![David deps][david-image]][david-url] -[![node version][node-image]][node-url] -[![npm download][download-image]][download-url] -[![npm license][license-image]][download-url] - -[npm-image]: https://img.shields.io/npm/v/xss.svg?style=flat-square -[npm-url]: https://npmjs.org/package/xss -[travis-image]: https://img.shields.io/travis/leizongmin/js-xss.svg?style=flat-square -[travis-url]: https://travis-ci.org/leizongmin/js-xss -[coveralls-image]: https://img.shields.io/coveralls/leizongmin/js-xss.svg?style=flat-square -[coveralls-url]: https://coveralls.io/r/leizongmin/js-xss?branch=master -[david-image]: https://img.shields.io/david/leizongmin/js-xss.svg?style=flat-square -[david-url]: https://david-dm.org/leizongmin/js-xss -[node-image]: https://img.shields.io/badge/node.js-%3E=_0.10-green.svg?style=flat-square -[node-url]: http://nodejs.org/download/ -[download-image]: https://img.shields.io/npm/dm/xss.svg?style=flat-square -[download-url]: https://npmjs.org/package/xss -[license-image]: https://img.shields.io/npm/l/xss.svg - -# 根据白名单过滤 HTML(防止 XSS 攻击) - - - ---- - -`xss`是一个用于对用户输入的内容进行过滤,以避免遭受 XSS 攻击的模块([什么是 XSS 攻击?](http://baike.baidu.com/view/2161269.htm))。主要用于论坛、博客、网上商店等等一些可允许用户录入页面排版、格式控制相关的 HTML 的场景,`xss`模块通过白名单来控制允许的标签及相关的标签属性,另外还提供了一系列的接口以便用户扩展,比其他同类模块更为灵活。 - -**项目主页:** http://jsxss.com - -**在线测试:** http://jsxss.com/zh/try.html - ---- - -## 特性 - -* 白名单控制允许的 HTML 标签及各标签的属性 -* 通过自定义处理函数,可对任意标签及其属性进行处理 - -## 参考资料 - -* [XSS 与字符编码的那些事儿 ---科普文](http://drops.wooyun.org/tips/689) -* [腾讯实例教程:那些年我们一起学 XSS](http://www.wooyun.org/whitehats/%E5%BF%83%E4%BC%A4%E7%9A%84%E7%98%A6%E5%AD%90) -* [mXSS 攻击的成因及常见种类](http://drops.wooyun.org/tips/956) -* [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet) -* [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme) -* [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b) - -## 性能(仅作参考) - -* xss 模块:8.2 MB/s -* validator@0.3.7 模块的 xss()函数:4.4 MB/s - -测试代码参考 benchmark 目录 - -## 安装 - -### NPM - -```bash -npm install xss -``` - -### Bower - -```bash -bower install xss -``` - -或者 - -```bash -bower install https://github.com/leizongmin/js-xss.git -``` - -## 使用方法 - -### 在 Node.js 中使用 - -```javascript -var xss = require("xss"); -var html = xss('<script>alert("xss");</script>'); -console.log(html); -``` - -### 在浏览器端使用 - -Shim 模式(参考文件 `test/test.html`): - -```html -<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script> -<script> -// 使用函数名 filterXSS,用法一样 -var html = filterXSS('<script>alert("xss");</scr' + 'ipt>'); -alert(html); -</script> -``` - -AMD 模式(参考文件 `test/test_amd.html`): - -```html -<script> -require.config({ - baseUrl: './', - paths: { - xss: 'https://rawgit.com/leizongmin/js-xss/master/dist/xss.js' - }, - shim: { - xss: {exports: 'filterXSS'} - } -}) -require(['xss'], function (xss) { - var html = xss('<script>alert("xss");</scr' + 'ipt>'); - alert(html); -}); -</script> -``` - -**说明:请勿将 URL https://rawgit.com/leizongmin/js-xss/master/dist/xss.js 用于生产环境。** - -### 使用命令行工具来对文件进行 XSS 处理 - -### 处理文件 - -可通过内置的 `xss` 命令来对输入的文件进行 XSS 处理。使用方法: - -```bash -xss -i <源文件> -o <目标文件> -``` - -例: - -```bash -xss -i origin.html -o target.html -``` - -### 在线测试 - -执行以下命令,可在命令行中输入 HTML 代码,并看到过滤后的代码: - -```bash -xss -t -``` - -详细命令行参数说明,请输入 `$ xss -h` 来查看。 - -## 自定义过滤规则 - -在调用 `xss()` 函数进行过滤时,可通过第二个参数来设置自定义规则: - -```javascript -options = {}; // 自定义规则 -html = xss('<script>alert("xss");</script>', options); -``` - -如果不想每次都传入一个 `options` 参数,可以创建一个 `FilterXSS` 实例(使用这种方法速度更快): - -``` -options = {}; // 自定义规则 -myxss = new xss.FilterXSS(options); -// 以后直接调用 myxss.process() 来处理即可 -html = myxss.process('<script>alert("xss");</script>'); -``` - -`options` 参数的详细说明见下文。 - -### 白名单 - -通过 `whiteList` 来指定,格式为:`{'标签名': ['属性1', '属性2']}`。不在白名单上的标签将被过滤,不在白名单上的属性也会被过滤。以下是示例: - -```javascript -// 只允许a标签,该标签只允许href, title, target这三个属性 -var options = { - whiteList: { - a: ["href", "title", "target"] - } -}; -// 使用以上配置后,下面的HTML -// <a href="#" onclick="hello()"><i>大家好</i></a> -// 将被过滤为 -// <a href="#">大家好</a> -``` - -默认白名单参考 `xss.whiteList`。 - -### 自定义匹配到标签时的处理方法 - -通过 `onTag` 来指定相应的处理函数。以下是详细说明: - -```javascript -function onTag(tag, html, options) { - // tag是当前的标签名称,比如<a>标签,则tag的值是'a' - // html是该标签的HTML,比如<a>标签,则html的值是'<a>' - // options是一些附加的信息,具体如下: - // isWhite boolean类型,表示该标签是否在白名单上 - // isClosing boolean类型,表示该标签是否为闭合标签,比如</a>时为true - // position integer类型,表示当前标签在输出的结果中的起始位置 - // sourcePosition integer类型,表示当前标签在原HTML中的起始位置 - // 如果返回一个字符串,则当前标签将被替换为该字符串 - // 如果不返回任何值,则使用默认的处理方法: - // 在白名单上: 通过onTagAttr来过滤属性,详见下文 - // 不在白名单上:通过onIgnoreTag指定,详见下文 -} -``` - -### 自定义匹配到标签的属性时的处理方法 - -通过 `onTagAttr` 来指定相应的处理函数。以下是详细说明: - -```javascript -function onTagAttr(tag, name, value, isWhiteAttr) { - // tag是当前的标签名称,比如<a>标签,则tag的值是'a' - // name是当前属性的名称,比如href="#",则name的值是'href' - // value是当前属性的值,比如href="#",则value的值是'#' - // isWhiteAttr是否为白名单上的属性 - // 如果返回一个字符串,则当前属性值将被替换为该字符串 - // 如果不返回任何值,则使用默认的处理方法 - // 在白名单上: 调用safeAttrValue来过滤属性值,并输出该属性,详见下文 - // 不在白名单上:通过onIgnoreTagAttr指定,详见下文 -} -``` - -### 自定义匹配到不在白名单上的标签时的处理方法 - -通过 `onIgnoreTag` 来指定相应的处理函数。以下是详细说明: - -```javascript -function onIgnoreTag(tag, html, options) { - // 参数说明与onTag相同 - // 如果返回一个字符串,则当前标签将被替换为该字符串 - // 如果不返回任何值,则使用默认的处理方法(通过escape指定,详见下文) -} -``` - -### 自定义匹配到不在白名单上的属性时的处理方法 - -通过 `onIgnoreTagAttr` 来指定相应的处理函数。以下是详细说明: - -```javascript -function onIgnoreTagAttr(tag, name, value, isWhiteAttr) { - // 参数说明与onTagAttr相同 - // 如果返回一个字符串,则当前属性值将被替换为该字符串 - // 如果不返回任何值,则使用默认的处理方法(删除该属) -} -``` - -### 自定义 HTML 转义函数 - -通过 `escapeHtml` 来指定相应的处理函数。以下是默认代码 **(不建议修改)** : - -```javascript -function escapeHtml(html) { - return html.replace(/</g, "<").replace(/>/g, ">"); -} -``` - -### 自定义标签属性值的转义函数 - -通过 `safeAttrValue` 来指定相应的处理函数。以下是详细说明: - -```javascript -function safeAttrValue(tag, name, value) { - // 参数说明与onTagAttr相同(没有options参数) - // 返回一个字符串表示该属性值 -} -``` - -### 自定义 CSS 过滤器 - -如果配置中允许了标签的 `style` 属性,则它的值会通过[cssfilter](https://github.com/leizongmin/js-css-filter) 模块处理。 -`cssfilter` 模块包含了一个默认的 CSS 白名单,你可以通过以下的方式配置: - -```javascript -myxss = new xss.FilterXSS({ - css: { - whiteList: { - position: /^fixed|relative$/, - top: true, - left: true - } - } -}); -html = myxss.process('<script>alert("xss");</script>'); -``` - -如果不想使用 CSS 过滤器来处理 `style` 属性的内容,可指定 `css` 选项的值为 `false`: - -```javascript -myxss = new xss.FilterXSS({ - css: false -}); -``` - -要获取更多的帮助信息可看这里:https://github.com/leizongmin/js-css-filter - -### 快捷配置 - -#### 去掉不在白名单上的标签 - -通过 `stripIgnoreTag` 来设置: - -* `true`:去掉不在白名单上的标签 -* `false`:(默认),使用配置的`escape`函数对该标签进行转义 - -示例: - -当设置 `stripIgnoreTag = true`时,以下代码 - -```html -code:<script>alert(/xss/);</script> -``` - -过滤后将输出 - -```html -code:alert(/xss/); -``` - -#### 去掉不在白名单上的标签及标签体 - -通过 `stripIgnoreTagBody` 来设置: - -* `false|null|undefined`:(默认),不特殊处理 -* `'*'|true`:去掉所有不在白名单上的标签 -* `['tag1', 'tag2']`:仅去掉指定的不在白名单上的标签 - -示例: - -当设置 `stripIgnoreTagBody = ['script']`时,以下代码 - -```html -code:<script>alert(/xss/);</script> -``` - -过滤后将输出 - -```html -code: -``` - -#### 去掉 HTML 备注 - -通过 `allowCommentTag` 来设置: - -* `true`:不处理 -* `false`:(默认),自动去掉 HTML 中的备注 - -示例: - -当设置 `allowCommentTag = false` 时,以下代码 - -```html -code:<!-- something --> END -``` - -过滤后将输出 - -```html -code: END -``` - -## 应用实例 - -### 允许标签以 data-开头的属性 - -```javascript -var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>'; -var html = xss(source, { - onIgnoreTagAttr: function(tag, name, value, isWhiteAttr) { - if (name.substr(0, 5) === "data-") { - // 通过内置的escapeAttrValue函数来对属性值进行转义 - return name + '="' + xss.escapeAttrValue(value) + '"'; - } - } -}); - -console.log("%s\nconvert to:\n%s", source, html); -``` - -运行结果: - -```html -<div a="1" b="2" data-a="3" data-b="4">hello</div> -convert to: -<div data-a="3" data-b="4">hello</div> -``` - -### 允许名称以 x-开头的标签 - -```javascript -var source = "<x><x-1>he<x-2 checked></x-2>wwww</x-1><a>"; -var html = xss(source, { - onIgnoreTag: function(tag, html, options) { - if (tag.substr(0, 2) === "x-") { - // 不对其属性列表进行过滤 - return html; - } - } -}); - -console.log("%s\nconvert to:\n%s", source, html); -``` - -运行结果: - -```html -<x><x-1>he<x-2 checked></x-2>wwww</x-1><a> -convert to: -<x><x-1>he<x-2 checked></x-2>wwww</x-1><a> -``` - -### 分析 HTML 代码中的图片列表 - -```javascript -var source = - '<img src="img1">a<img src="img2">b<img src="img3">c<img src="img4">d'; -var list = []; -var html = xss(source, { - onTagAttr: function(tag, name, value, isWhiteAttr) { - if (tag === "img" && name === "src") { - // 使用内置的friendlyAttrValue函数来对属性值进行转义,可将<这类的实体标记转换成打印字符< - list.push(xss.friendlyAttrValue(value)); - } - // 不返回任何值,表示还是按照默认的方法处理 - } -}); - -console.log("image list:\n%s", list.join(", ")); -``` - -运行结果: - -```html -image list: -img1, img2, img3, img4 -``` - -### 去除 HTML 标签(只保留文本内容) - -```javascript -var source = "<strong>hello</strong><script>alert(/xss/);</script>end"; -var html = xss(source, { - whiteList: [], // 白名单为空,表示过滤所有标签 - stripIgnoreTag: true, // 过滤所有非白名单标签的HTML - stripIgnoreTagBody: ["script"] // script标签较特殊,需要过滤标签中间的内容 -}); - -console.log("text: %s", html); -``` - -运行结果: - -```html -text: helloend -``` - -## 授权协议 - -```text -Copyright (c) 2012-2018 Zongmin Lei(雷宗民) <leizongmin@gmail.com> -http://ucdok.com - -The MIT License - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -``` diff --git a/node_modules/xss/bin/xss b/node_modules/xss/bin/xss deleted file mode 100755 index 35e902f..0000000 --- a/node_modules/xss/bin/xss +++ /dev/null @@ -1,67 +0,0 @@ -#!/usr/bin/env node - -/** - * 命令行工具 - * - * @author Zongmin Lei<leizongmin@gmail.com> - */ - -var fs = require('fs'); -var path = require('path'); -var program = require('commander'); -var xss = require('../'); -var packageInfo = require('../package.json'); - -program - .version(packageInfo.version) - .option('-t, --test', 'active test') - .option('-i, --input <input_file>', 'input file name') - .option('-o, --output <output_file>', 'output filename') - .option('-c, --config <config_file>', 'load custom config') - .option('-s, --strip-ignore-tag', 'set stripIgnoreTag=true') - .option('-b, --strip-ignore-tag-body', 'set stripIgnoreTagBody=true'); - -program.on('--help', function () { - console.log(' Examples:'); - console.log(''); - console.log(' $ xss -t'); - console.log(' $ xss -i origin.html'); - console.log(' $ xss -i origin.html -o targer.html'); - console.log(' $ xss -i origin.html -c config.js'); - console.log(' $ xss -i origin.html -s'); - console.log(' $ xss -i origin.html -s -b'); - console.log(''); - console.log(' For more details, please see: https://npmjs.org/package/xss') -}); - -program.parse(process.argv); - -if (program.test) { - require('../lib/cli'); - return; -} - -var config = {}; -if (program.config) { - config = require(path.resolve(program.config)); -} -if (program.input) { - var input = fs.readFileSync(program.input, 'utf8'); -} else { - program.help(); -} - -if (program['strip-ignore-tag']) { - config.stripIgnoreTag = true; -} -if (program['strip-ignore-tag-body']) { - config.stripIgnoreTagBody = true; -} - -var output = xss(input, config); - -if (program.output) { - fs.writeFileSync(program.output, output); -} else { - console.log(output); -} diff --git a/node_modules/xss/dist/test.html b/node_modules/xss/dist/test.html deleted file mode 100644 index cae361e..0000000 --- a/node_modules/xss/dist/test.html +++ /dev/null @@ -1,15 +0,0 @@ -<!doctype html> -<html> -<head> - <title>测试</title> - <meta charset="utf8"> -</head> -<body> - <pre id="result"></pre> -</body> -</html> -<script src="xss.js"></script> -<script> -var code = '<script>alert("xss");</' + 'script>'; -document.querySelector('#result').innerText = code + '\n被转换成了\n' + filterXSS(code); -</script>
\ No newline at end of file diff --git a/node_modules/xss/dist/xss.min.js b/node_modules/xss/dist/xss.min.js deleted file mode 100644 index b2c3878..0000000 --- a/node_modules/xss/dist/xss.min.js +++ /dev/null @@ -1 +0,0 @@ -(function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o<r.length;o++)s(r[o]);return s})({1:[function(require,module,exports){var FilterCSS=require("cssfilter").FilterCSS;var getDefaultCSSWhiteList=require("cssfilter").getDefaultWhiteList;var _=require("./util");function getDefaultWhiteList(){return{a:["target","href","title"],abbr:["title"],address:[],area:["shape","coords","href","alt"],article:[],aside:[],audio:["autoplay","controls","loop","preload","src"],b:[],bdi:["dir"],bdo:["dir"],big:[],blockquote:["cite"],br:[],caption:[],center:[],cite:[],code:[],col:["align","valign","span","width"],colgroup:["align","valign","span","width"],dd:[],del:["datetime"],details:["open"],div:[],dl:[],dt:[],em:[],font:["color","size","face"],footer:[],h1:[],h2:[],h3:[],h4:[],h5:[],h6:[],header:[],hr:[],i:[],img:["src","alt","title","width","height"],ins:["datetime"],li:[],mark:[],nav:[],ol:[],p:[],pre:[],s:[],section:[],small:[],span:[],sub:[],sup:[],strong:[],table:["width","border","align","valign"],tbody:["align","valign"],td:["width","rowspan","colspan","align","valign"],tfoot:["align","valign"],th:["width","rowspan","colspan","align","valign"],thead:["align","valign"],tr:["rowspan","align","valign"],tt:[],u:[],ul:[],video:["autoplay","controls","loop","preload","src","height","width"]}}var defaultCSSFilter=new FilterCSS;function onTag(tag,html,options){}function onIgnoreTag(tag,html,options){}function onTagAttr(tag,name,value){}function onIgnoreTagAttr(tag,name,value){}function escapeHtml(html){return html.replace(REGEXP_LT,"<").replace(REGEXP_GT,">")}function safeAttrValue(tag,name,value,cssFilter){value=friendlyAttrValue(value);if(name==="href"||name==="src"){value=_.trim(value);if(value==="#")return"#";if(!(value.substr(0,7)==="http://"||value.substr(0,8)==="https://"||value.substr(0,7)==="mailto:"||value.substr(0,4)==="tel:"||value[0]==="#"||value[0]==="/")){return""}}else if(name==="background"){REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex=0;if(REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)){return""}}else if(name==="style"){REGEXP_DEFAULT_ON_TAG_ATTR_7.lastIndex=0;if(REGEXP_DEFAULT_ON_TAG_ATTR_7.test(value)){return""}REGEXP_DEFAULT_ON_TAG_ATTR_8.lastIndex=0;if(REGEXP_DEFAULT_ON_TAG_ATTR_8.test(value)){REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex=0;if(REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)){return""}}if(cssFilter!==false){cssFilter=cssFilter||defaultCSSFilter;value=cssFilter.process(value)}}value=escapeAttrValue(value);return value}var REGEXP_LT=/</g;var REGEXP_GT=/>/g;var REGEXP_QUOTE=/"/g;var REGEXP_QUOTE_2=/"/g;var REGEXP_ATTR_VALUE_1=/&#([a-zA-Z0-9]*);?/gim;var REGEXP_ATTR_VALUE_COLON=/:?/gim;var REGEXP_ATTR_VALUE_NEWLINE=/&newline;?/gim;var REGEXP_DEFAULT_ON_TAG_ATTR_3=/\/\*|\*\//gm;var REGEXP_DEFAULT_ON_TAG_ATTR_4=/((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a)\:/gi;var REGEXP_DEFAULT_ON_TAG_ATTR_5=/^[\s"'`]*(d\s*a\s*t\s*a\s*)\:/gi;var REGEXP_DEFAULT_ON_TAG_ATTR_6=/^[\s"'`]*(d\s*a\s*t\s*a\s*)\:\s*image\//gi;var REGEXP_DEFAULT_ON_TAG_ATTR_7=/e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*\(.*/gi;var REGEXP_DEFAULT_ON_TAG_ATTR_8=/u\s*r\s*l\s*\(.*/gi;function escapeQuote(str){return str.replace(REGEXP_QUOTE,""")}function unescapeQuote(str){return str.replace(REGEXP_QUOTE_2,'"')}function escapeHtmlEntities(str){return str.replace(REGEXP_ATTR_VALUE_1,function replaceUnicode(str,code){return code[0]==="x"||code[0]==="X"?String.fromCharCode(parseInt(code.substr(1),16)):String.fromCharCode(parseInt(code,10))})}function escapeDangerHtml5Entities(str){return str.replace(REGEXP_ATTR_VALUE_COLON,":").replace(REGEXP_ATTR_VALUE_NEWLINE," ")}function clearNonPrintableCharacter(str){var str2="";for(var i=0,len=str.length;i<len;i++){str2+=str.charCodeAt(i)<32?" ":str.charAt(i)}return _.trim(str2)}function friendlyAttrValue(str){str=unescapeQuote(str);str=escapeHtmlEntities(str);str=escapeDangerHtml5Entities(str);str=clearNonPrintableCharacter(str);return str}function escapeAttrValue(str){str=escapeQuote(str);str=escapeHtml(str);return str}function onIgnoreTagStripAll(){return""}function StripTagBody(tags,next){if(typeof next!=="function"){next=function(){}}var isRemoveAllTag=!Array.isArray(tags);function isRemoveTag(tag){if(isRemoveAllTag)return true;return _.indexOf(tags,tag)!==-1}var removeList=[];var posStart=false;return{onIgnoreTag:function(tag,html,options){if(isRemoveTag(tag)){if(options.isClosing){var ret="[/removed]";var end=options.position+ret.length;removeList.push([posStart!==false?posStart:options.position,end]);posStart=false;return ret}else{if(!posStart){posStart=options.position}return"[removed]"}}else{return next(tag,html,options)}},remove:function(html){var rethtml="";var lastPos=0;_.forEach(removeList,function(pos){rethtml+=html.slice(lastPos,pos[0]);lastPos=pos[1]});rethtml+=html.slice(lastPos);return rethtml}}}function stripCommentTag(html){return html.replace(STRIP_COMMENT_TAG_REGEXP,"")}var STRIP_COMMENT_TAG_REGEXP=/<!--[\s\S]*?-->/g;function stripBlankChar(html){var chars=html.split("");chars=chars.filter(function(char){var c=char.charCodeAt(0);if(c===127)return false;if(c<=31){if(c===10||c===13)return true;return false}return true});return chars.join("")}exports.whiteList=getDefaultWhiteList();exports.getDefaultWhiteList=getDefaultWhiteList;exports.onTag=onTag;exports.onIgnoreTag=onIgnoreTag;exports.onTagAttr=onTagAttr;exports.onIgnoreTagAttr=onIgnoreTagAttr;exports.safeAttrValue=safeAttrValue;exports.escapeHtml=escapeHtml;exports.escapeQuote=escapeQuote;exports.unescapeQuote=unescapeQuote;exports.escapeHtmlEntities=escapeHtmlEntities;exports.escapeDangerHtml5Entities=escapeDangerHtml5Entities;exports.clearNonPrintableCharacter=clearNonPrintableCharacter;exports.friendlyAttrValue=friendlyAttrValue;exports.escapeAttrValue=escapeAttrValue;exports.onIgnoreTagStripAll=onIgnoreTagStripAll;exports.StripTagBody=StripTagBody;exports.stripCommentTag=stripCommentTag;exports.stripBlankChar=stripBlankChar;exports.cssFilter=defaultCSSFilter;exports.getDefaultCSSWhiteList=getDefaultCSSWhiteList},{"./util":4,cssfilter:8}],2:[function(require,module,exports){var DEFAULT=require("./default");var parser=require("./parser");var FilterXSS=require("./xss");function filterXSS(html,options){var xss=new FilterXSS(options);return xss.process(html)}exports=module.exports=filterXSS;exports.filterXSS=filterXSS;exports.FilterXSS=FilterXSS;for(var i in DEFAULT)exports[i]=DEFAULT[i];for(var i in parser)exports[i]=parser[i];if(typeof window!=="undefined"){window.filterXSS=module.exports}function isWorkerEnv(){return typeof self!=="undefined"&&typeof DedicatedWorkerGlobalScope!=="undefined"&&self instanceof DedicatedWorkerGlobalScope}if(isWorkerEnv()){self.filterXSS=module.exports}},{"./default":1,"./parser":3,"./xss":5}],3:[function(require,module,exports){var _=require("./util");function getTagName(html){var i=_.spaceIndex(html);if(i===-1){var tagName=html.slice(1,-1)}else{var tagName=html.slice(1,i+1)}tagName=_.trim(tagName).toLowerCase();if(tagName.slice(0,1)==="/")tagName=tagName.slice(1);if(tagName.slice(-1)==="/")tagName=tagName.slice(0,-1);return tagName}function isClosing(html){return html.slice(0,2)==="</"}function parseTag(html,onTag,escapeHtml){"user strict";var rethtml="";var lastPos=0;var tagStart=false;var quoteStart=false;var currentPos=0;var len=html.length;var currentTagName="";var currentHtml="";for(currentPos=0;currentPos<len;currentPos++){var c=html.charAt(currentPos);if(tagStart===false){if(c==="<"){tagStart=currentPos;continue}}else{if(quoteStart===false){if(c==="<"){rethtml+=escapeHtml(html.slice(lastPos,currentPos));tagStart=currentPos;lastPos=currentPos;continue}if(c===">"){rethtml+=escapeHtml(html.slice(lastPos,tagStart));currentHtml=html.slice(tagStart,currentPos+1);currentTagName=getTagName(currentHtml);rethtml+=onTag(tagStart,rethtml.length,currentTagName,currentHtml,isClosing(currentHtml));lastPos=currentPos+1;tagStart=false;continue}if((c==='"'||c==="'")&&html.charAt(currentPos-1)==="="){quoteStart=c;continue}}else{if(c===quoteStart){quoteStart=false;continue}}}}if(lastPos<html.length){rethtml+=escapeHtml(html.substr(lastPos))}return rethtml}var REGEXP_ILLEGAL_ATTR_NAME=/[^a-zA-Z0-9_:\.\-]/gim;function parseAttr(html,onAttr){"user strict";var lastPos=0;var retAttrs=[];var tmpName=false;var len=html.length;function addAttr(name,value){name=_.trim(name);name=name.replace(REGEXP_ILLEGAL_ATTR_NAME,"").toLowerCase();if(name.length<1)return;var ret=onAttr(name,value||"");if(ret)retAttrs.push(ret)}for(var i=0;i<len;i++){var c=html.charAt(i);var v,j;if(tmpName===false&&c==="="){tmpName=html.slice(lastPos,i);lastPos=i+1;continue}if(tmpName!==false){if(i===lastPos&&(c==='"'||c==="'")&&html.charAt(i-1)==="="){j=html.indexOf(c,i+1);if(j===-1){break}else{v=_.trim(html.slice(lastPos+1,j));addAttr(tmpName,v);tmpName=false;i=j;lastPos=i+1;continue}}}if(/\s|\n|\t/.test(c)){html=html.replace(/\s|\n|\t/g," ");if(tmpName===false){j=findNextEqual(html,i);if(j===-1){v=_.trim(html.slice(lastPos,i));addAttr(v);tmpName=false;lastPos=i+1;continue}else{i=j-1;continue}}else{j=findBeforeEqual(html,i-1);if(j===-1){v=_.trim(html.slice(lastPos,i));v=stripQuoteWrap(v);addAttr(tmpName,v);tmpName=false;lastPos=i+1;continue}else{continue}}}}if(lastPos<html.length){if(tmpName===false){addAttr(html.slice(lastPos))}else{addAttr(tmpName,stripQuoteWrap(_.trim(html.slice(lastPos))))}}return _.trim(retAttrs.join(" "))}function findNextEqual(str,i){for(;i<str.length;i++){var c=str[i];if(c===" ")continue;if(c==="=")return i;return-1}}function findBeforeEqual(str,i){for(;i>0;i--){var c=str[i];if(c===" ")continue;if(c==="=")return i;return-1}}function isQuoteWrapString(text){if(text[0]==='"'&&text[text.length-1]==='"'||text[0]==="'"&&text[text.length-1]==="'"){return true}else{return false}}function stripQuoteWrap(text){if(isQuoteWrapString(text)){return text.substr(1,text.length-2)}else{return text}}exports.parseTag=parseTag;exports.parseAttr=parseAttr},{"./util":4}],4:[function(require,module,exports){module.exports={indexOf:function(arr,item){var i,j;if(Array.prototype.indexOf){return arr.indexOf(item)}for(i=0,j=arr.length;i<j;i++){if(arr[i]===item){return i}}return-1},forEach:function(arr,fn,scope){var i,j;if(Array.prototype.forEach){return arr.forEach(fn,scope)}for(i=0,j=arr.length;i<j;i++){fn.call(scope,arr[i],i,arr)}},trim:function(str){if(String.prototype.trim){return str.trim()}return str.replace(/(^\s*)|(\s*$)/g,"")},spaceIndex:function(str){var reg=/\s|\n|\t/;var match=reg.exec(str);return match?match.index:-1}}},{}],5:[function(require,module,exports){var FilterCSS=require("cssfilter").FilterCSS;var DEFAULT=require("./default");var parser=require("./parser");var parseTag=parser.parseTag;var parseAttr=parser.parseAttr;var _=require("./util");function isNull(obj){return obj===undefined||obj===null}function getAttrs(html){var i=_.spaceIndex(html);if(i===-1){return{html:"",closing:html[html.length-2]==="/"}}html=_.trim(html.slice(i+1,-1));var isClosing=html[html.length-1]==="/";if(isClosing)html=_.trim(html.slice(0,-1));return{html:html,closing:isClosing}}function shallowCopyObject(obj){var ret={};for(var i in obj){ret[i]=obj[i]}return ret}function FilterXSS(options){options=shallowCopyObject(options||{});if(options.stripIgnoreTag){if(options.onIgnoreTag){console.error('Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time')}options.onIgnoreTag=DEFAULT.onIgnoreTagStripAll}options.whiteList=options.whiteList||DEFAULT.whiteList;options.onTag=options.onTag||DEFAULT.onTag;options.onTagAttr=options.onTagAttr||DEFAULT.onTagAttr;options.onIgnoreTag=options.onIgnoreTag||DEFAULT.onIgnoreTag;options.onIgnoreTagAttr=options.onIgnoreTagAttr||DEFAULT.onIgnoreTagAttr;options.safeAttrValue=options.safeAttrValue||DEFAULT.safeAttrValue;options.escapeHtml=options.escapeHtml||DEFAULT.escapeHtml;this.options=options;if(options.css===false){this.cssFilter=false}else{options.css=options.css||{};this.cssFilter=new FilterCSS(options.css)}}FilterXSS.prototype.process=function(html){html=html||"";html=html.toString();if(!html)return"";var me=this;var options=me.options;var whiteList=options.whiteList;var onTag=options.onTag;var onIgnoreTag=options.onIgnoreTag;var onTagAttr=options.onTagAttr;var onIgnoreTagAttr=options.onIgnoreTagAttr;var safeAttrValue=options.safeAttrValue;var escapeHtml=options.escapeHtml;var cssFilter=me.cssFilter;if(options.stripBlankChar){html=DEFAULT.stripBlankChar(html)}if(!options.allowCommentTag){html=DEFAULT.stripCommentTag(html)}var stripIgnoreTagBody=false;if(options.stripIgnoreTagBody){var stripIgnoreTagBody=DEFAULT.StripTagBody(options.stripIgnoreTagBody,onIgnoreTag);onIgnoreTag=stripIgnoreTagBody.onIgnoreTag}var retHtml=parseTag(html,function(sourcePosition,position,tag,html,isClosing){var info={sourcePosition:sourcePosition,position:position,isClosing:isClosing,isWhite:whiteList.hasOwnProperty(tag)};var ret=onTag(tag,html,info);if(!isNull(ret))return ret;if(info.isWhite){if(info.isClosing){return"</"+tag+">"}var attrs=getAttrs(html);var whiteAttrList=whiteList[tag];var attrsHtml=parseAttr(attrs.html,function(name,value){var isWhiteAttr=_.indexOf(whiteAttrList,name)!==-1;var ret=onTagAttr(tag,name,value,isWhiteAttr);if(!isNull(ret))return ret;if(isWhiteAttr){value=safeAttrValue(tag,name,value,cssFilter);if(value){return name+'="'+value+'"'}else{return name}}else{var ret=onIgnoreTagAttr(tag,name,value,isWhiteAttr);if(!isNull(ret))return ret;return}});var html="<"+tag;if(attrsHtml)html+=" "+attrsHtml;if(attrs.closing)html+=" /";html+=">";return html}else{var ret=onIgnoreTag(tag,html,info);if(!isNull(ret))return ret;return escapeHtml(html)}},escapeHtml);if(stripIgnoreTagBody){retHtml=stripIgnoreTagBody.remove(retHtml)}return retHtml};module.exports=FilterXSS},{"./default":1,"./parser":3,"./util":4,cssfilter:8}],6:[function(require,module,exports){var DEFAULT=require("./default");var parseStyle=require("./parser");var _=require("./util");function isNull(obj){return obj===undefined||obj===null}function shallowCopyObject(obj){var ret={};for(var i in obj){ret[i]=obj[i]}return ret}function FilterCSS(options){options=shallowCopyObject(options||{});options.whiteList=options.whiteList||DEFAULT.whiteList;options.onAttr=options.onAttr||DEFAULT.onAttr;options.onIgnoreAttr=options.onIgnoreAttr||DEFAULT.onIgnoreAttr;options.safeAttrValue=options.safeAttrValue||DEFAULT.safeAttrValue;this.options=options}FilterCSS.prototype.process=function(css){css=css||"";css=css.toString();if(!css)return"";var me=this;var options=me.options;var whiteList=options.whiteList;var onAttr=options.onAttr;var onIgnoreAttr=options.onIgnoreAttr;var safeAttrValue=options.safeAttrValue;var retCSS=parseStyle(css,function(sourcePosition,position,name,value,source){var check=whiteList[name];var isWhite=false;if(check===true)isWhite=check;else if(typeof check==="function")isWhite=check(value);else if(check instanceof RegExp)isWhite=check.test(value);if(isWhite!==true)isWhite=false;value=safeAttrValue(name,value);if(!value)return;var opts={position:position,sourcePosition:sourcePosition,source:source,isWhite:isWhite};if(isWhite){var ret=onAttr(name,value,opts);if(isNull(ret)){return name+":"+value}else{return ret}}else{var ret=onIgnoreAttr(name,value,opts);if(!isNull(ret)){return ret}}});return retCSS};module.exports=FilterCSS},{"./default":7,"./parser":9,"./util":10}],7:[function(require,module,exports){function getDefaultWhiteList(){var whiteList={};whiteList["align-content"]=false;whiteList["align-items"]=false;whiteList["align-self"]=false;whiteList["alignment-adjust"]=false;whiteList["alignment-baseline"]=false;whiteList["all"]=false;whiteList["anchor-point"]=false;whiteList["animation"]=false;whiteList["animation-delay"]=false;whiteList["animation-direction"]=false;whiteList["animation-duration"]=false;whiteList["animation-fill-mode"]=false;whiteList["animation-iteration-count"]=false;whiteList["animation-name"]=false;whiteList["animation-play-state"]=false;whiteList["animation-timing-function"]=false;whiteList["azimuth"]=false;whiteList["backface-visibility"]=false;whiteList["background"]=true;whiteList["background-attachment"]=true;whiteList["background-clip"]=true;whiteList["background-color"]=true;whiteList["background-image"]=true;whiteList["background-origin"]=true;whiteList["background-position"]=true;whiteList["background-repeat"]=true;whiteList["background-size"]=true;whiteList["baseline-shift"]=false;whiteList["binding"]=false;whiteList["bleed"]=false;whiteList["bookmark-label"]=false;whiteList["bookmark-level"]=false;whiteList["bookmark-state"]=false;whiteList["border"]=true;whiteList["border-bottom"]=true;whiteList["border-bottom-color"]=true;whiteList["border-bottom-left-radius"]=true;whiteList["border-bottom-right-radius"]=true;whiteList["border-bottom-style"]=true;whiteList["border-bottom-width"]=true;whiteList["border-collapse"]=true;whiteList["border-color"]=true;whiteList["border-image"]=true;whiteList["border-image-outset"]=true;whiteList["border-image-repeat"]=true;whiteList["border-image-slice"]=true;whiteList["border-image-source"]=true;whiteList["border-image-width"]=true;whiteList["border-left"]=true;whiteList["border-left-color"]=true;whiteList["border-left-style"]=true;whiteList["border-left-width"]=true;whiteList["border-radius"]=true;whiteList["border-right"]=true;whiteList["border-right-color"]=true;whiteList["border-right-style"]=true;whiteList["border-right-width"]=true;whiteList["border-spacing"]=true;whiteList["border-style"]=true;whiteList["border-top"]=true;whiteList["border-top-color"]=true;whiteList["border-top-left-radius"]=true;whiteList["border-top-right-radius"]=true;whiteList["border-top-style"]=true;whiteList["border-top-width"]=true;whiteList["border-width"]=true;whiteList["bottom"]=false;whiteList["box-decoration-break"]=true;whiteList["box-shadow"]=true;whiteList["box-sizing"]=true;whiteList["box-snap"]=true;whiteList["box-suppress"]=true;whiteList["break-after"]=true;whiteList["break-before"]=true;whiteList["break-inside"]=true;whiteList["caption-side"]=false;whiteList["chains"]=false;whiteList["clear"]=true;whiteList["clip"]=false;whiteList["clip-path"]=false;whiteList["clip-rule"]=false;whiteList["color"]=true;whiteList["color-interpolation-filters"]=true;whiteList["column-count"]=false;whiteList["column-fill"]=false;whiteList["column-gap"]=false;whiteList["column-rule"]=false;whiteList["column-rule-color"]=false;whiteList["column-rule-style"]=false;whiteList["column-rule-width"]=false;whiteList["column-span"]=false;whiteList["column-width"]=false;whiteList["columns"]=false;whiteList["contain"]=false;whiteList["content"]=false;whiteList["counter-increment"]=false;whiteList["counter-reset"]=false;whiteList["counter-set"]=false;whiteList["crop"]=false;whiteList["cue"]=false;whiteList["cue-after"]=false;whiteList["cue-before"]=false;whiteList["cursor"]=false;whiteList["direction"]=false;whiteList["display"]=true;whiteList["display-inside"]=true;whiteList["display-list"]=true;whiteList["display-outside"]=true;whiteList["dominant-baseline"]=false;whiteList["elevation"]=false;whiteList["empty-cells"]=false;whiteList["filter"]=false;whiteList["flex"]=false;whiteList["flex-basis"]=false;whiteList["flex-direction"]=false;whiteList["flex-flow"]=false;whiteList["flex-grow"]=false;whiteList["flex-shrink"]=false;whiteList["flex-wrap"]=false;whiteList["float"]=false;whiteList["float-offset"]=false;whiteList["flood-color"]=false;whiteList["flood-opacity"]=false;whiteList["flow-from"]=false;whiteList["flow-into"]=false;whiteList["font"]=true;whiteList["font-family"]=true;whiteList["font-feature-settings"]=true;whiteList["font-kerning"]=true;whiteList["font-language-override"]=true;whiteList["font-size"]=true;whiteList["font-size-adjust"]=true;whiteList["font-stretch"]=true;whiteList["font-style"]=true;whiteList["font-synthesis"]=true;whiteList["font-variant"]=true;whiteList["font-variant-alternates"]=true;whiteList["font-variant-caps"]=true;whiteList["font-variant-east-asian"]=true;whiteList["font-variant-ligatures"]=true;whiteList["font-variant-numeric"]=true;whiteList["font-variant-position"]=true;whiteList["font-weight"]=true;whiteList["grid"]=false;whiteList["grid-area"]=false;whiteList["grid-auto-columns"]=false;whiteList["grid-auto-flow"]=false;whiteList["grid-auto-rows"]=false;whiteList["grid-column"]=false;whiteList["grid-column-end"]=false;whiteList["grid-column-start"]=false;whiteList["grid-row"]=false;whiteList["grid-row-end"]=false;whiteList["grid-row-start"]=false;whiteList["grid-template"]=false;whiteList["grid-template-areas"]=false;whiteList["grid-template-columns"]=false;whiteList["grid-template-rows"]=false;whiteList["hanging-punctuation"]=false;whiteList["height"]=true;whiteList["hyphens"]=false;whiteList["icon"]=false;whiteList["image-orientation"]=false;whiteList["image-resolution"]=false;whiteList["ime-mode"]=false;whiteList["initial-letters"]=false;whiteList["inline-box-align"]=false;whiteList["justify-content"]=false;whiteList["justify-items"]=false;whiteList["justify-self"]=false;whiteList["left"]=false;whiteList["letter-spacing"]=true;whiteList["lighting-color"]=true;whiteList["line-box-contain"]=false;whiteList["line-break"]=false;whiteList["line-grid"]=false;whiteList["line-height"]=false;whiteList["line-snap"]=false;whiteList["line-stacking"]=false;whiteList["line-stacking-ruby"]=false;whiteList["line-stacking-shift"]=false;whiteList["line-stacking-strategy"]=false;whiteList["list-style"]=true;whiteList["list-style-image"]=true;whiteList["list-style-position"]=true;whiteList["list-style-type"]=true;whiteList["margin"]=true;whiteList["margin-bottom"]=true;whiteList["margin-left"]=true;whiteList["margin-right"]=true;whiteList["margin-top"]=true;whiteList["marker-offset"]=false;whiteList["marker-side"]=false;whiteList["marks"]=false;whiteList["mask"]=false;whiteList["mask-box"]=false;whiteList["mask-box-outset"]=false;whiteList["mask-box-repeat"]=false;whiteList["mask-box-slice"]=false;whiteList["mask-box-source"]=false;whiteList["mask-box-width"]=false;whiteList["mask-clip"]=false;whiteList["mask-image"]=false;whiteList["mask-origin"]=false;whiteList["mask-position"]=false;whiteList["mask-repeat"]=false;whiteList["mask-size"]=false;whiteList["mask-source-type"]=false;whiteList["mask-type"]=false;whiteList["max-height"]=true;whiteList["max-lines"]=false;whiteList["max-width"]=true;whiteList["min-height"]=true;whiteList["min-width"]=true;whiteList["move-to"]=false;whiteList["nav-down"]=false;whiteList["nav-index"]=false;whiteList["nav-left"]=false;whiteList["nav-right"]=false;whiteList["nav-up"]=false;whiteList["object-fit"]=false;whiteList["object-position"]=false;whiteList["opacity"]=false;whiteList["order"]=false;whiteList["orphans"]=false;whiteList["outline"]=false;whiteList["outline-color"]=false;whiteList["outline-offset"]=false;whiteList["outline-style"]=false;whiteList["outline-width"]=false;whiteList["overflow"]=false;whiteList["overflow-wrap"]=false;whiteList["overflow-x"]=false;whiteList["overflow-y"]=false;whiteList["padding"]=true;whiteList["padding-bottom"]=true;whiteList["padding-left"]=true;whiteList["padding-right"]=true;whiteList["padding-top"]=true;whiteList["page"]=false;whiteList["page-break-after"]=false;whiteList["page-break-before"]=false;whiteList["page-break-inside"]=false;whiteList["page-policy"]=false;whiteList["pause"]=false;whiteList["pause-after"]=false;whiteList["pause-before"]=false;whiteList["perspective"]=false;whiteList["perspective-origin"]=false;whiteList["pitch"]=false;whiteList["pitch-range"]=false;whiteList["play-during"]=false;whiteList["position"]=false;whiteList["presentation-level"]=false;whiteList["quotes"]=false;whiteList["region-fragment"]=false;whiteList["resize"]=false;whiteList["rest"]=false;whiteList["rest-after"]=false;whiteList["rest-before"]=false;whiteList["richness"]=false;whiteList["right"]=false;whiteList["rotation"]=false;whiteList["rotation-point"]=false;whiteList["ruby-align"]=false;whiteList["ruby-merge"]=false;whiteList["ruby-position"]=false;whiteList["shape-image-threshold"]=false;whiteList["shape-outside"]=false;whiteList["shape-margin"]=false;whiteList["size"]=false;whiteList["speak"]=false;whiteList["speak-as"]=false;whiteList["speak-header"]=false;whiteList["speak-numeral"]=false;whiteList["speak-punctuation"]=false;whiteList["speech-rate"]=false;whiteList["stress"]=false;whiteList["string-set"]=false;whiteList["tab-size"]=false;whiteList["table-layout"]=false;whiteList["text-align"]=true;whiteList["text-align-last"]=true;whiteList["text-combine-upright"]=true;whiteList["text-decoration"]=true;whiteList["text-decoration-color"]=true;whiteList["text-decoration-line"]=true;whiteList["text-decoration-skip"]=true;whiteList["text-decoration-style"]=true;whiteList["text-emphasis"]=true;whiteList["text-emphasis-color"]=true;whiteList["text-emphasis-position"]=true;whiteList["text-emphasis-style"]=true;whiteList["text-height"]=true;whiteList["text-indent"]=true;whiteList["text-justify"]=true;whiteList["text-orientation"]=true;whiteList["text-overflow"]=true;whiteList["text-shadow"]=true;whiteList["text-space-collapse"]=true;whiteList["text-transform"]=true;whiteList["text-underline-position"]=true;whiteList["text-wrap"]=true;whiteList["top"]=false;whiteList["transform"]=false;whiteList["transform-origin"]=false;whiteList["transform-style"]=false;whiteList["transition"]=false;whiteList["transition-delay"]=false;whiteList["transition-duration"]=false;whiteList["transition-property"]=false;whiteList["transition-timing-function"]=false;whiteList["unicode-bidi"]=false;whiteList["vertical-align"]=false;whiteList["visibility"]=false;whiteList["voice-balance"]=false;whiteList["voice-duration"]=false;whiteList["voice-family"]=false;whiteList["voice-pitch"]=false;whiteList["voice-range"]=false;whiteList["voice-rate"]=false;whiteList["voice-stress"]=false;whiteList["voice-volume"]=false;whiteList["volume"]=false;whiteList["white-space"]=false;whiteList["widows"]=false;whiteList["width"]=true;whiteList["will-change"]=false;whiteList["word-break"]=true;whiteList["word-spacing"]=true;whiteList["word-wrap"]=true;whiteList["wrap-flow"]=false;whiteList["wrap-through"]=false;whiteList["writing-mode"]=false;whiteList["z-index"]=false;return whiteList}function onAttr(name,value,options){}function onIgnoreAttr(name,value,options){}var REGEXP_URL_JAVASCRIPT=/javascript\s*\:/gim;function safeAttrValue(name,value){if(REGEXP_URL_JAVASCRIPT.test(value))return"";return value}exports.whiteList=getDefaultWhiteList();exports.getDefaultWhiteList=getDefaultWhiteList;exports.onAttr=onAttr;exports.onIgnoreAttr=onIgnoreAttr;exports.safeAttrValue=safeAttrValue},{}],8:[function(require,module,exports){var DEFAULT=require("./default");var FilterCSS=require("./css");function filterCSS(html,options){var xss=new FilterCSS(options);return xss.process(html)}exports=module.exports=filterCSS;exports.FilterCSS=FilterCSS;for(var i in DEFAULT)exports[i]=DEFAULT[i];if(typeof window!=="undefined"){window.filterCSS=module.exports}},{"./css":6,"./default":7}],9:[function(require,module,exports){var _=require("./util");function parseStyle(css,onAttr){css=_.trimRight(css);if(css[css.length-1]!==";")css+=";";var cssLength=css.length;var isParenthesisOpen=false;var lastPos=0;var i=0;var retCSS="";function addNewAttr(){if(!isParenthesisOpen){var source=_.trim(css.slice(lastPos,i));var j=source.indexOf(":");if(j!==-1){var name=_.trim(source.slice(0,j));var value=_.trim(source.slice(j+1));if(name){var ret=onAttr(lastPos,retCSS.length,name,value,source);if(ret)retCSS+=ret+"; "}}}lastPos=i+1}for(;i<cssLength;i++){var c=css[i];if(c==="/"&&css[i+1]==="*"){var j=css.indexOf("*/",i+2);if(j===-1)break;i=j+1;lastPos=i+1;isParenthesisOpen=false}else if(c==="("){isParenthesisOpen=true}else if(c===")"){isParenthesisOpen=false}else if(c===";"){if(isParenthesisOpen){}else{addNewAttr()}}else if(c==="\n"){addNewAttr()}}return _.trim(retCSS)}module.exports=parseStyle},{"./util":10}],10:[function(require,module,exports){module.exports={indexOf:function(arr,item){var i,j;if(Array.prototype.indexOf){return arr.indexOf(item)}for(i=0,j=arr.length;i<j;i++){if(arr[i]===item){return i}}return-1},forEach:function(arr,fn,scope){var i,j;if(Array.prototype.forEach){return arr.forEach(fn,scope)}for(i=0,j=arr.length;i<j;i++){fn.call(scope,arr[i],i,arr)}},trim:function(str){if(String.prototype.trim){return str.trim()}return str.replace(/(^\s*)|(\s*$)/g,"")},trimRight:function(str){if(String.prototype.trimRight){return str.trimRight()}return str.replace(/(\s*$)/g,"")}}},{}]},{},[2]);
\ No newline at end of file diff --git a/node_modules/xss/lib/cli.js b/node_modules/xss/lib/cli.js deleted file mode 100644 index 4aa075e..0000000 --- a/node_modules/xss/lib/cli.js +++ /dev/null @@ -1,45 +0,0 @@ -/** - * command line tool - * - * @author Zongmin Lei<leizongmin@gmail.com> - */ - -var xss = require("./"); -var readline = require("readline"); - -var rl = readline.createInterface({ - input: process.stdin, - output: process.stdout -}); - -console.log('Enter a blank line to do xss(), enter "@quit" to exit.\n'); - -function take(c, n) { - var ret = ""; - for (var i = 0; i < n; i++) { - ret += c; - } - return ret; -} - -function setPrompt(line) { - line = line.toString(); - rl.setPrompt("[" + line + "]" + take(" ", 5 - line.length)); - rl.prompt(); -} - -setPrompt(1); - -var html = []; -rl.on("line", function(line) { - if (line === "@quit") return process.exit(); - if (line === "") { - console.log(""); - console.log(xss(html.join("\r\n"))); - console.log(""); - html = []; - } else { - html.push(line); - } - setPrompt(html.length + 1); -}); diff --git a/node_modules/xss/lib/default.js b/node_modules/xss/lib/default.js deleted file mode 100644 index 1452ed3..0000000 --- a/node_modules/xss/lib/default.js +++ /dev/null @@ -1,415 +0,0 @@ -/** - * default settings - * - * @author Zongmin Lei<leizongmin@gmail.com> - */ - -var FilterCSS = require("cssfilter").FilterCSS; -var getDefaultCSSWhiteList = require("cssfilter").getDefaultWhiteList; -var _ = require("./util"); - -function getDefaultWhiteList() { - return { - a: ["target", "href", "title"], - abbr: ["title"], - address: [], - area: ["shape", "coords", "href", "alt"], - article: [], - aside: [], - audio: ["autoplay", "controls", "loop", "preload", "src"], - b: [], - bdi: ["dir"], - bdo: ["dir"], - big: [], - blockquote: ["cite"], - br: [], - caption: [], - center: [], - cite: [], - code: [], - col: ["align", "valign", "span", "width"], - colgroup: ["align", "valign", "span", "width"], - dd: [], - del: ["datetime"], - details: ["open"], - div: [], - dl: [], - dt: [], - em: [], - font: ["color", "size", "face"], - footer: [], - h1: [], - h2: [], - h3: [], - h4: [], - h5: [], - h6: [], - header: [], - hr: [], - i: [], - img: ["src", "alt", "title", "width", "height"], - ins: ["datetime"], - li: [], - mark: [], - nav: [], - ol: [], - p: [], - pre: [], - s: [], - section: [], - small: [], - span: [], - sub: [], - sup: [], - strong: [], - table: ["width", "border", "align", "valign"], - tbody: ["align", "valign"], - td: ["width", "rowspan", "colspan", "align", "valign"], - tfoot: ["align", "valign"], - th: ["width", "rowspan", "colspan", "align", "valign"], - thead: ["align", "valign"], - tr: ["rowspan", "align", "valign"], - tt: [], - u: [], - ul: [], - video: ["autoplay", "controls", "loop", "preload", "src", "height", "width"] - }; -} - -var defaultCSSFilter = new FilterCSS(); - -/** - * default onTag function - * - * @param {String} tag - * @param {String} html - * @param {Object} options - * @return {String} - */ -function onTag(tag, html, options) { - // do nothing -} - -/** - * default onIgnoreTag function - * - * @param {String} tag - * @param {String} html - * @param {Object} options - * @return {String} - */ -function onIgnoreTag(tag, html, options) { - // do nothing -} - -/** - * default onTagAttr function - * - * @param {String} tag - * @param {String} name - * @param {String} value - * @return {String} - */ -function onTagAttr(tag, name, value) { - // do nothing -} - -/** - * default onIgnoreTagAttr function - * - * @param {String} tag - * @param {String} name - * @param {String} value - * @return {String} - */ -function onIgnoreTagAttr(tag, name, value) { - // do nothing -} - -/** - * default escapeHtml function - * - * @param {String} html - */ -function escapeHtml(html) { - return html.replace(REGEXP_LT, "<").replace(REGEXP_GT, ">"); -} - -/** - * default safeAttrValue function - * - * @param {String} tag - * @param {String} name - * @param {String} value - * @param {Object} cssFilter - * @return {String} - */ -function safeAttrValue(tag, name, value, cssFilter) { - // unescape attribute value firstly - value = friendlyAttrValue(value); - - if (name === "href" || name === "src") { - // filter `href` and `src` attribute - // only allow the value that starts with `http://` | `https://` | `mailto:` | `/` | `#` - value = _.trim(value); - if (value === "#") return "#"; - if ( - !( - value.substr(0, 7) === "http://" || - value.substr(0, 8) === "https://" || - value.substr(0, 7) === "mailto:" || - value.substr(0, 4) === "tel:" || - value[0] === "#" || - value[0] === "/" - ) - ) { - return ""; - } - } else if (name === "background") { - // filter `background` attribute (maybe no use) - // `javascript:` - REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0; - if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) { - return ""; - } - } else if (name === "style") { - // `expression()` - REGEXP_DEFAULT_ON_TAG_ATTR_7.lastIndex = 0; - if (REGEXP_DEFAULT_ON_TAG_ATTR_7.test(value)) { - return ""; - } - // `url()` - REGEXP_DEFAULT_ON_TAG_ATTR_8.lastIndex = 0; - if (REGEXP_DEFAULT_ON_TAG_ATTR_8.test(value)) { - REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0; - if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) { - return ""; - } - } - if (cssFilter !== false) { - cssFilter = cssFilter || defaultCSSFilter; - value = cssFilter.process(value); - } - } - - // escape `<>"` before returns - value = escapeAttrValue(value); - return value; -} - -// RegExp list -var REGEXP_LT = /</g; -var REGEXP_GT = />/g; -var REGEXP_QUOTE = /"/g; -var REGEXP_QUOTE_2 = /"/g; -var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim; -var REGEXP_ATTR_VALUE_COLON = /:?/gim; -var REGEXP_ATTR_VALUE_NEWLINE = /&newline;?/gim; -var REGEXP_DEFAULT_ON_TAG_ATTR_3 = /\/\*|\*\//gm; -var REGEXP_DEFAULT_ON_TAG_ATTR_4 = /((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a)\:/gi; -var REGEXP_DEFAULT_ON_TAG_ATTR_5 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:/gi; -var REGEXP_DEFAULT_ON_TAG_ATTR_6 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:\s*image\//gi; -var REGEXP_DEFAULT_ON_TAG_ATTR_7 = /e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*\(.*/gi; -var REGEXP_DEFAULT_ON_TAG_ATTR_8 = /u\s*r\s*l\s*\(.*/gi; - -/** - * escape doube quote - * - * @param {String} str - * @return {String} str - */ -function escapeQuote(str) { - return str.replace(REGEXP_QUOTE, """); -} - -/** - * unescape double quote - * - * @param {String} str - * @return {String} str - */ -function unescapeQuote(str) { - return str.replace(REGEXP_QUOTE_2, '"'); -} - -/** - * escape html entities - * - * @param {String} str - * @return {String} - */ -function escapeHtmlEntities(str) { - return str.replace(REGEXP_ATTR_VALUE_1, function replaceUnicode(str, code) { - return code[0] === "x" || code[0] === "X" - ? String.fromCharCode(parseInt(code.substr(1), 16)) - : String.fromCharCode(parseInt(code, 10)); - }); -} - -/** - * escape html5 new danger entities - * - * @param {String} str - * @return {String} - */ -function escapeDangerHtml5Entities(str) { - return str - .replace(REGEXP_ATTR_VALUE_COLON, ":") - .replace(REGEXP_ATTR_VALUE_NEWLINE, " "); -} - -/** - * clear nonprintable characters - * - * @param {String} str - * @return {String} - */ -function clearNonPrintableCharacter(str) { - var str2 = ""; - for (var i = 0, len = str.length; i < len; i++) { - str2 += str.charCodeAt(i) < 32 ? " " : str.charAt(i); - } - return _.trim(str2); -} - -/** - * get friendly attribute value - * - * @param {String} str - * @return {String} - */ -function friendlyAttrValue(str) { - str = unescapeQuote(str); - str = escapeHtmlEntities(str); - str = escapeDangerHtml5Entities(str); - str = clearNonPrintableCharacter(str); - return str; -} - -/** - * unescape attribute value - * - * @param {String} str - * @return {String} - */ -function escapeAttrValue(str) { - str = escapeQuote(str); - str = escapeHtml(str); - return str; -} - -/** - * `onIgnoreTag` function for removing all the tags that are not in whitelist - */ -function onIgnoreTagStripAll() { - return ""; -} - -/** - * remove tag body - * specify a `tags` list, if the tag is not in the `tags` list then process by the specify function (optional) - * - * @param {array} tags - * @param {function} next - */ -function StripTagBody(tags, next) { - if (typeof next !== "function") { - next = function() {}; - } - - var isRemoveAllTag = !Array.isArray(tags); - function isRemoveTag(tag) { - if (isRemoveAllTag) return true; - return _.indexOf(tags, tag) !== -1; - } - - var removeList = []; - var posStart = false; - - return { - onIgnoreTag: function(tag, html, options) { - if (isRemoveTag(tag)) { - if (options.isClosing) { - var ret = "[/removed]"; - var end = options.position + ret.length; - removeList.push([ - posStart !== false ? posStart : options.position, - end - ]); - posStart = false; - return ret; - } else { - if (!posStart) { - posStart = options.position; - } - return "[removed]"; - } - } else { - return next(tag, html, options); - } - }, - remove: function(html) { - var rethtml = ""; - var lastPos = 0; - _.forEach(removeList, function(pos) { - rethtml += html.slice(lastPos, pos[0]); - lastPos = pos[1]; - }); - rethtml += html.slice(lastPos); - return rethtml; - } - }; -} - -/** - * remove html comments - * - * @param {String} html - * @return {String} - */ -function stripCommentTag(html) { - return html.replace(STRIP_COMMENT_TAG_REGEXP, ""); -} -var STRIP_COMMENT_TAG_REGEXP = /<!--[\s\S]*?-->/g; - -/** - * remove invisible characters - * - * @param {String} html - * @return {String} - */ -function stripBlankChar(html) { - var chars = html.split(""); - chars = chars.filter(function(char) { - var c = char.charCodeAt(0); - if (c === 127) return false; - if (c <= 31) { - if (c === 10 || c === 13) return true; - return false; - } - return true; - }); - return chars.join(""); -} - -exports.whiteList = getDefaultWhiteList(); -exports.getDefaultWhiteList = getDefaultWhiteList; -exports.onTag = onTag; -exports.onIgnoreTag = onIgnoreTag; -exports.onTagAttr = onTagAttr; -exports.onIgnoreTagAttr = onIgnoreTagAttr; -exports.safeAttrValue = safeAttrValue; -exports.escapeHtml = escapeHtml; -exports.escapeQuote = escapeQuote; -exports.unescapeQuote = unescapeQuote; -exports.escapeHtmlEntities = escapeHtmlEntities; -exports.escapeDangerHtml5Entities = escapeDangerHtml5Entities; -exports.clearNonPrintableCharacter = clearNonPrintableCharacter; -exports.friendlyAttrValue = friendlyAttrValue; -exports.escapeAttrValue = escapeAttrValue; -exports.onIgnoreTagStripAll = onIgnoreTagStripAll; -exports.StripTagBody = StripTagBody; -exports.stripCommentTag = stripCommentTag; -exports.stripBlankChar = stripBlankChar; -exports.cssFilter = defaultCSSFilter; -exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList; diff --git a/node_modules/xss/lib/index.js b/node_modules/xss/lib/index.js deleted file mode 100644 index e0c1a06..0000000 --- a/node_modules/xss/lib/index.js +++ /dev/null @@ -1,40 +0,0 @@ -/** - * xss - * - * @author Zongmin Lei<leizongmin@gmail.com> - */ - -var DEFAULT = require("./default"); -var parser = require("./parser"); -var FilterXSS = require("./xss"); - -/** - * filter xss function - * - * @param {String} html - * @param {Object} options { whiteList, onTag, onTagAttr, onIgnoreTag, onIgnoreTagAttr, safeAttrValue, escapeHtml } - * @return {String} - */ -function filterXSS(html, options) { - var xss = new FilterXSS(options); - return xss.process(html); -} - -exports = module.exports = filterXSS; -exports.filterXSS = filterXSS; -exports.FilterXSS = FilterXSS; -for (var i in DEFAULT) exports[i] = DEFAULT[i]; -for (var i in parser) exports[i] = parser[i]; - -// using `xss` on the browser, output `filterXSS` to the globals -if (typeof window !== "undefined") { - window.filterXSS = module.exports; -} - -// using `xss` on the WebWorker, output `filterXSS` to the globals -function isWorkerEnv() { - return typeof self !== 'undefined' && typeof DedicatedWorkerGlobalScope !== 'undefined' && self instanceof DedicatedWorkerGlobalScope; -} -if (isWorkerEnv()) { - self.filterXSS = module.exports; -} diff --git a/node_modules/xss/lib/parser.js b/node_modules/xss/lib/parser.js deleted file mode 100644 index 7c15def..0000000 --- a/node_modules/xss/lib/parser.js +++ /dev/null @@ -1,239 +0,0 @@ -/** - * Simple HTML Parser - * - * @author Zongmin Lei<leizongmin@gmail.com> - */ - -var _ = require("./util"); - -/** - * get tag name - * - * @param {String} html e.g. '<a hef="#">' - * @return {String} - */ -function getTagName(html) { - var i = _.spaceIndex(html); - if (i === -1) { - var tagName = html.slice(1, -1); - } else { - var tagName = html.slice(1, i + 1); - } - tagName = _.trim(tagName).toLowerCase(); - if (tagName.slice(0, 1) === "/") tagName = tagName.slice(1); - if (tagName.slice(-1) === "/") tagName = tagName.slice(0, -1); - return tagName; -} - -/** - * is close tag? - * - * @param {String} html 如:'<a hef="#">' - * @return {Boolean} - */ -function isClosing(html) { - return html.slice(0, 2) === "</"; -} - -/** - * parse input html and returns processed html - * - * @param {String} html - * @param {Function} onTag e.g. function (sourcePosition, position, tag, html, isClosing) - * @param {Function} escapeHtml - * @return {String} - */ -function parseTag(html, onTag, escapeHtml) { - "user strict"; - - var rethtml = ""; - var lastPos = 0; - var tagStart = false; - var quoteStart = false; - var currentPos = 0; - var len = html.length; - var currentTagName = ""; - var currentHtml = ""; - - for (currentPos = 0; currentPos < len; currentPos++) { - var c = html.charAt(currentPos); - if (tagStart === false) { - if (c === "<") { - tagStart = currentPos; - continue; - } - } else { - if (quoteStart === false) { - if (c === "<") { - rethtml += escapeHtml(html.slice(lastPos, currentPos)); - tagStart = currentPos; - lastPos = currentPos; - continue; - } - if (c === ">") { - rethtml += escapeHtml(html.slice(lastPos, tagStart)); - currentHtml = html.slice(tagStart, currentPos + 1); - currentTagName = getTagName(currentHtml); - rethtml += onTag( - tagStart, - rethtml.length, - currentTagName, - currentHtml, - isClosing(currentHtml) - ); - lastPos = currentPos + 1; - tagStart = false; - continue; - } - if ((c === '"' || c === "'") && html.charAt(currentPos - 1) === "=") { - quoteStart = c; - continue; - } - } else { - if (c === quoteStart) { - quoteStart = false; - continue; - } - } - } - } - if (lastPos < html.length) { - rethtml += escapeHtml(html.substr(lastPos)); - } - - return rethtml; -} - -var REGEXP_ILLEGAL_ATTR_NAME = /[^a-zA-Z0-9_:\.\-]/gim; - -/** - * parse input attributes and returns processed attributes - * - * @param {String} html e.g. `href="#" target="_blank"` - * @param {Function} onAttr e.g. `function (name, value)` - * @return {String} - */ -function parseAttr(html, onAttr) { - "user strict"; - - var lastPos = 0; - var retAttrs = []; - var tmpName = false; - var len = html.length; - - function addAttr(name, value) { - name = _.trim(name); - name = name.replace(REGEXP_ILLEGAL_ATTR_NAME, "").toLowerCase(); - if (name.length < 1) return; - var ret = onAttr(name, value || ""); - if (ret) retAttrs.push(ret); - } - - // 逐个分析字符 - for (var i = 0; i < len; i++) { - var c = html.charAt(i); - var v, j; - if (tmpName === false && c === "=") { - tmpName = html.slice(lastPos, i); - lastPos = i + 1; - continue; - } - if (tmpName !== false) { - if ( - i === lastPos && - (c === '"' || c === "'") && - html.charAt(i - 1) === "=" - ) { - j = html.indexOf(c, i + 1); - if (j === -1) { - break; - } else { - v = _.trim(html.slice(lastPos + 1, j)); - addAttr(tmpName, v); - tmpName = false; - i = j; - lastPos = i + 1; - continue; - } - } - } - if (/\s|\n|\t/.test(c)) { - html = html.replace(/\s|\n|\t/g, " "); - if (tmpName === false) { - j = findNextEqual(html, i); - if (j === -1) { - v = _.trim(html.slice(lastPos, i)); - addAttr(v); - tmpName = false; - lastPos = i + 1; - continue; - } else { - i = j - 1; - continue; - } - } else { - j = findBeforeEqual(html, i - 1); - if (j === -1) { - v = _.trim(html.slice(lastPos, i)); - v = stripQuoteWrap(v); - addAttr(tmpName, v); - tmpName = false; - lastPos = i + 1; - continue; - } else { - continue; - } - } - } - } - - if (lastPos < html.length) { - if (tmpName === false) { - addAttr(html.slice(lastPos)); - } else { - addAttr(tmpName, stripQuoteWrap(_.trim(html.slice(lastPos)))); - } - } - - return _.trim(retAttrs.join(" ")); -} - -function findNextEqual(str, i) { - for (; i < str.length; i++) { - var c = str[i]; - if (c === " ") continue; - if (c === "=") return i; - return -1; - } -} - -function findBeforeEqual(str, i) { - for (; i > 0; i--) { - var c = str[i]; - if (c === " ") continue; - if (c === "=") return i; - return -1; - } -} - -function isQuoteWrapString(text) { - if ( - (text[0] === '"' && text[text.length - 1] === '"') || - (text[0] === "'" && text[text.length - 1] === "'") - ) { - return true; - } else { - return false; - } -} - -function stripQuoteWrap(text) { - if (isQuoteWrapString(text)) { - return text.substr(1, text.length - 2); - } else { - return text; - } -} - -exports.parseTag = parseTag; -exports.parseAttr = parseAttr; diff --git a/node_modules/xss/lib/util.js b/node_modules/xss/lib/util.js deleted file mode 100644 index 1dcd7fa..0000000 --- a/node_modules/xss/lib/util.js +++ /dev/null @@ -1,34 +0,0 @@ -module.exports = { - indexOf: function(arr, item) { - var i, j; - if (Array.prototype.indexOf) { - return arr.indexOf(item); - } - for (i = 0, j = arr.length; i < j; i++) { - if (arr[i] === item) { - return i; - } - } - return -1; - }, - forEach: function(arr, fn, scope) { - var i, j; - if (Array.prototype.forEach) { - return arr.forEach(fn, scope); - } - for (i = 0, j = arr.length; i < j; i++) { - fn.call(scope, arr[i], i, arr); - } - }, - trim: function(str) { - if (String.prototype.trim) { - return str.trim(); - } - return str.replace(/(^\s*)|(\s*$)/g, ""); - }, - spaceIndex: function(str) { - var reg = /\s|\n|\t/; - var match = reg.exec(str); - return match ? match.index : -1; - } -}; diff --git a/node_modules/xss/lib/xss.js b/node_modules/xss/lib/xss.js deleted file mode 100644 index 74d2e42..0000000 --- a/node_modules/xss/lib/xss.js +++ /dev/null @@ -1,211 +0,0 @@ -/** - * filter xss - * - * @author Zongmin Lei<leizongmin@gmail.com> - */ - -var FilterCSS = require("cssfilter").FilterCSS; -var DEFAULT = require("./default"); -var parser = require("./parser"); -var parseTag = parser.parseTag; -var parseAttr = parser.parseAttr; -var _ = require("./util"); - -/** - * returns `true` if the input value is `undefined` or `null` - * - * @param {Object} obj - * @return {Boolean} - */ -function isNull(obj) { - return obj === undefined || obj === null; -} - -/** - * get attributes for a tag - * - * @param {String} html - * @return {Object} - * - {String} html - * - {Boolean} closing - */ -function getAttrs(html) { - var i = _.spaceIndex(html); - if (i === -1) { - return { - html: "", - closing: html[html.length - 2] === "/" - }; - } - html = _.trim(html.slice(i + 1, -1)); - var isClosing = html[html.length - 1] === "/"; - if (isClosing) html = _.trim(html.slice(0, -1)); - return { - html: html, - closing: isClosing - }; -} - -/** - * shallow copy - * - * @param {Object} obj - * @return {Object} - */ -function shallowCopyObject(obj) { - var ret = {}; - for (var i in obj) { - ret[i] = obj[i]; - } - return ret; -} - -/** - * FilterXSS class - * - * @param {Object} options - * whiteList, onTag, onTagAttr, onIgnoreTag, - * onIgnoreTagAttr, safeAttrValue, escapeHtml - * stripIgnoreTagBody, allowCommentTag, stripBlankChar - * css{whiteList, onAttr, onIgnoreAttr} `css=false` means don't use `cssfilter` - */ -function FilterXSS(options) { - options = shallowCopyObject(options || {}); - - if (options.stripIgnoreTag) { - if (options.onIgnoreTag) { - console.error( - 'Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time' - ); - } - options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll; - } - - options.whiteList = options.whiteList || DEFAULT.whiteList; - options.onTag = options.onTag || DEFAULT.onTag; - options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr; - options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag; - options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr; - options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue; - options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml; - this.options = options; - - if (options.css === false) { - this.cssFilter = false; - } else { - options.css = options.css || {}; - this.cssFilter = new FilterCSS(options.css); - } -} - -/** - * start process and returns result - * - * @param {String} html - * @return {String} - */ -FilterXSS.prototype.process = function(html) { - // compatible with the input - html = html || ""; - html = html.toString(); - if (!html) return ""; - - var me = this; - var options = me.options; - var whiteList = options.whiteList; - var onTag = options.onTag; - var onIgnoreTag = options.onIgnoreTag; - var onTagAttr = options.onTagAttr; - var onIgnoreTagAttr = options.onIgnoreTagAttr; - var safeAttrValue = options.safeAttrValue; - var escapeHtml = options.escapeHtml; - var cssFilter = me.cssFilter; - - // remove invisible characters - if (options.stripBlankChar) { - html = DEFAULT.stripBlankChar(html); - } - - // remove html comments - if (!options.allowCommentTag) { - html = DEFAULT.stripCommentTag(html); - } - - // if enable stripIgnoreTagBody - var stripIgnoreTagBody = false; - if (options.stripIgnoreTagBody) { - var stripIgnoreTagBody = DEFAULT.StripTagBody( - options.stripIgnoreTagBody, - onIgnoreTag - ); - onIgnoreTag = stripIgnoreTagBody.onIgnoreTag; - } - - var retHtml = parseTag( - html, - function(sourcePosition, position, tag, html, isClosing) { - var info = { - sourcePosition: sourcePosition, - position: position, - isClosing: isClosing, - isWhite: whiteList.hasOwnProperty(tag) - }; - - // call `onTag()` - var ret = onTag(tag, html, info); - if (!isNull(ret)) return ret; - - if (info.isWhite) { - if (info.isClosing) { - return "</" + tag + ">"; - } - - var attrs = getAttrs(html); - var whiteAttrList = whiteList[tag]; - var attrsHtml = parseAttr(attrs.html, function(name, value) { - // call `onTagAttr()` - var isWhiteAttr = _.indexOf(whiteAttrList, name) !== -1; - var ret = onTagAttr(tag, name, value, isWhiteAttr); - if (!isNull(ret)) return ret; - - if (isWhiteAttr) { - // call `safeAttrValue()` - value = safeAttrValue(tag, name, value, cssFilter); - if (value) { - return name + '="' + value + '"'; - } else { - return name; - } - } else { - // call `onIgnoreTagAttr()` - var ret = onIgnoreTagAttr(tag, name, value, isWhiteAttr); - if (!isNull(ret)) return ret; - return; - } - }); - - // build new tag html - var html = "<" + tag; - if (attrsHtml) html += " " + attrsHtml; - if (attrs.closing) html += " /"; - html += ">"; - return html; - } else { - // call `onIgnoreTag()` - var ret = onIgnoreTag(tag, html, info); - if (!isNull(ret)) return ret; - return escapeHtml(html); - } - }, - escapeHtml - ); - - // if enable stripIgnoreTagBody - if (stripIgnoreTagBody) { - retHtml = stripIgnoreTagBody.remove(retHtml); - } - - return retHtml; -}; - -module.exports = FilterXSS; diff --git a/node_modules/xss/package.json b/node_modules/xss/package.json deleted file mode 100644 index 8caf468..0000000 --- a/node_modules/xss/package.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "_from": "xss", - "_id": "xss@1.0.6", - "_inBundle": false, - "_integrity": "sha512-6Q9TPBeNyoTRxgZFk5Ggaepk/4vUOYdOsIUYvLehcsIZTFjaavbVnsuAkLA5lIFuug5hw8zxcB9tm01gsjph2A==", - "_location": "/xss", - "_phantomChildren": {}, - "_requested": { - "type": "tag", - "registry": true, - "raw": "xss", - "name": "xss", - "escapedName": "xss", - "rawSpec": "", - "saveSpec": null, - "fetchSpec": "latest" - }, - "_requiredBy": [ - "#USER", - "/" - ], - "_resolved": "https://registry.npmjs.org/xss/-/xss-1.0.6.tgz", - "_shasum": "eaf11e9fc476e3ae289944a1009efddd8a124b51", - "_spec": "xss", - "_where": "/home/cargova/projects/beziapp.github.io", - "author": { - "name": "Zongmin Lei", - "email": "leizongmin@gmail.com", - "url": "http://ucdok.com" - }, - "bin": { - "xss": "./bin/xss" - }, - "bugs": { - "url": "https://github.com/leizongmin/js-xss/issues" - }, - "bundleDependencies": false, - "dependencies": { - "commander": "^2.9.0", - "cssfilter": "0.0.10" - }, - "deprecated": false, - "description": "Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist", - "devDependencies": { - "browserify": "^14.1.0", - "coveralls": "^3.0.0", - "debug": "^3.1.0", - "istanbul": "^0.4.3", - "mocha": "^4.0.1", - "uglify-js": "^3.0.14" - }, - "engines": { - "node": ">= 0.10.0" - }, - "files": [ - "lib", - "bin/xss", - "dist", - "typings/*.d.ts" - ], - "homepage": "https://github.com/leizongmin/js-xss", - "keywords": [ - "sanitization", - "xss", - "sanitize", - "sanitisation", - "input", - "security", - "escape", - "encode", - "filter", - "validator", - "html", - "injection", - "whitelist" - ], - "license": "MIT", - "main": "./lib/index.js", - "name": "xss", - "repository": { - "type": "git", - "url": "git://github.com/leizongmin/js-xss.git" - }, - "scripts": { - "build": "./bin/build", - "prepublish": "npm run test && npm run build", - "test": "export DEBUG=xss:* && mocha -t 5000", - "test-cov": "export DEBUG=xss:* && istanbul cover _mocha --report lcovonly -- -t 5000 -R spec && cat ./coverage/lcov.info | ./node_modules/coveralls/bin/coveralls.js && rm -rf ./coverage" - }, - "typings": "./typings/xss.d.ts", - "version": "1.0.6" -} diff --git a/node_modules/xss/typings/xss.d.ts b/node_modules/xss/typings/xss.d.ts deleted file mode 100644 index 1f6f2ca..0000000 --- a/node_modules/xss/typings/xss.d.ts +++ /dev/null @@ -1,189 +0,0 @@ -/** - * xss - * - * @author Zongmin Lei<leizongmin@gmail.com> - */ - -declare global { - function filterXSS(html: string, options?: IFilterXSSOptions): string; - - namespace XSS { - export interface IFilterXSSOptions { - whiteList?: IWhiteList; - onTag?: OnTagHandler; - onTagAttr?: OnTagAttrHandler; - onIgnoreTag?: OnTagHandler; - onIgnoreTagAttr?: OnTagAttrHandler; - safeAttrValue?: SafeAttrValueHandler; - escapeHtml?: EscapeHandler; - stripIgnoreTag?: boolean; - stripIgnoreTagBody?: boolean | string[]; - allowCommentTag?: boolean; - stripBlankChar?: boolean; - css?: {} | boolean; - } - - interface IWhiteList { - a?: string[]; - abbr?: string[]; - address?: string[]; - area?: string[]; - article?: string[]; - aside?: string[]; - audio?: string[]; - b?: string[]; - bdi?: string[]; - bdo?: string[]; - big?: string[]; - blockquote?: string[]; - br?: string[]; - caption?: string[]; - center?: string[]; - cite?: string[]; - code?: string[]; - col?: string[]; - colgroup?: string[]; - dd?: string[]; - del?: string[]; - details?: string[]; - div?: string[]; - dl?: string[]; - dt?: string[]; - em?: string[]; - font?: string[]; - footer?: string[]; - h1?: string[]; - h2?: string[]; - h3?: string[]; - h4?: string[]; - h5?: string[]; - h6?: string[]; - header?: string[]; - hr?: string[]; - i?: string[]; - img?: string[]; - ins?: string[]; - li?: string[]; - mark?: string[]; - nav?: string[]; - ol?: string[]; - p?: string[]; - pre?: string[]; - s?: string[]; - section?: string[]; - small?: string[]; - span?: string[]; - sub?: string[]; - sup?: string[]; - strong?: string[]; - table?: string[]; - tbody?: string[]; - td?: string[]; - tfoot?: string[]; - th?: string[]; - thead?: string[]; - tr?: string[]; - tt?: string[]; - u?: string[]; - ul?: string[]; - video?: string[]; - } - - type OnTagHandler = ( - tag: string, - html: string, - options: {} - ) => string | void; - - type OnTagAttrHandler = ( - tag: string, - name: string, - value: string, - isWhiteAttr: boolean - ) => string | void; - - type SafeAttrValueHandler = ( - tag: string, - name: string, - value: string, - cssFilter: ICSSFilter - ) => string; - - type EscapeHandler = (str: string) => string; - - interface ICSSFilter { - process(value: string): string; - } - } -} - -export interface IFilterXSSOptions extends XSS.IFilterXSSOptions {} - -export interface IWhiteList extends XSS.IWhiteList {} - -export type OnTagHandler = XSS.OnTagHandler; - -export type OnTagAttrHandler = XSS.OnTagAttrHandler; - -export type SafeAttrValueHandler = XSS.SafeAttrValueHandler; - -export type EscapeHandler = XSS.EscapeHandler; - -export interface ICSSFilter extends XSS.ICSSFilter {} - -export function StripTagBody( - tags: string[], - next: () => void -): { - onIgnoreTag( - tag: string, - html: string, - options: { - position: number; - isClosing: boolean; - } - ): string; - remove(html: string): string; -}; - -export class FilterXSS { - constructor(options?: IFilterXSSOptions); - process(html: string): string; -} - -export function filterXSS(html: string, options?: IFilterXSSOptions): string; -export function parseTag( - html: string, - onTag: ( - sourcePosition: number, - position: number, - tag: string, - html: string, - isClosing: boolean - ) => string, - escapeHtml: EscapeHandler -): string; -export function parseAttr( - html: string, - onAttr: (name: string, value: string) => string -): string; -export const whiteList: IWhiteList; -export function getDefaultWhiteList(): IWhiteList; -export const onTag: OnTagHandler; -export const onIgnoreTag: OnTagHandler; -export const onTagAttr: OnTagAttrHandler; -export const onIgnoreTagAttr: OnTagAttrHandler; -export const safeAttrValue: SafeAttrValueHandler; -export const escapeHtml: EscapeHandler; -export const escapeQuote: EscapeHandler; -export const unescapeQuote: EscapeHandler; -export const escapeHtmlEntities: EscapeHandler; -export const escapeDangerHtml5Entities: EscapeHandler; -export const clearNonPrintableCharacter: EscapeHandler; -export const friendlyAttrValue: EscapeHandler; -export const escapeAttrValue: EscapeHandler; -export function onIgnoreTagStripAll(): string; -export const stripCommentTag: EscapeHandler; -export const stripBlankChar: EscapeHandler; -export const cssFilter: ICSSFilter; -export function getDefaultCSSWhiteList(): ICSSFilter; |