This repository has been archived by the owner on Jul 15, 2019. It is now read-only.

publish as release v1.0.6
- improved speed of yubl() based on
http://jsperf.com/lazy-regexp-parsing
- added grave accent ` handling in y() and yavu()
- code cleanup to shrink space
adon committed Mar 13, 2015
1 parent 917721d commit 67b2a0c
Showing 9 changed files with 122 additions and 147 deletions.
14 changes: 8 additions & 6 deletions README.md
@@ -8,7 +8,7 @@ Secure XSS Filters

`document.write("<a href=" + xssFilters.uriInUnquotedAttr(url) + ">" + xssFilters.uriInHTMLData(url) + "</a>");`

In this example, the traditional wisdom of blindly escaping the five well-known characters (`&` `<` `>` `'` `"`) would not stop XSS (e.g., when `url` is equal to `javascript:alert(1)` or ` onclick=alert(1)`).
In this example, the traditional wisdom of blindly escaping the five well-known characters (`&` `<` `>` `'` `"` `` ` ``) would not stop XSS (e.g., when `url` is equal to `javascript:alert(1)` or ` onclick=alert(1)`).

- **Just Sufficient Encoding.** Encode the *minimal* set of characters to thwart JavaScript executions, thus preventing XSS attacks while keeping most characters intact. Say goodbye to double-encoding problems such as '&amp;amp;lt;', as often resulted from traditional filters!!

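Review bot: the replaced sentence in this hunk still says "five well-known characters" while the parenthesised list now has six entries (the grave accent `` ` `` was added); change "five" to "six" or drop the count. Since the commit message says y() and yavu() now handle the grave accent, a short clause here saying that the backtick is now treated as one of the characters to encode would tell README readers why the list grew.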
@@ -47,6 +47,8 @@ app.get('/', function(req, res){
Simply download the latest minified version from the [`dist/`](./dist) folder. Embed it in your HTML file, and all filters are available in a global object called `xssFilters`.

```html
<!doctype html><!-- You need HTML 5 mode for browser -->
...
<script src="dist/xss-filters.min.js"></script>
<script>
var firstname = "..."; //an untrusted input collected from user
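Review bot: the `<script src="dist/xss-filters.min.js"></script>` line points at an unversioned file, but this commit adds `dist/xss-filters.1.0.6.min.js` and the surrounding text tells readers to "download the latest minified version from the dist/ folder"; either state that the unversioned name is a copy of the current release or change the example to the versioned path so the README matches what ships in `dist/`. The `<!-- You need HTML 5 mode for browser -->` comment would also help readers if it said which filter behaviour depends on HTML5 parsing rather than just asserting the requirement.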
@@ -72,11 +74,11 @@ and retrieve your data with `document.getElementById('strJS').value`.
### The API

There are five context-sensitive filters for generic input:
- `<div>``{{{inHTMLData data}}}``</div>`
- `<!--``{{{inHTMLComment comment}}}``-->`
- `<input value='``{{{inSingleQuotedAttr value}}}``'/>`
- `<input value="``{{{inDoubleQuotedAttr value}}}``"/>`
- `<input value=``{{{inUnQuotedAttr value}}}``/>`
- `<div>` `{{{inHTMLData data}}}` `</div>`
- `<!--` `{{{inHTMLComment comment}}}` `-->`
- `<input value='` `{{{inSingleQuotedAttr value}}}` `'/>`
- `<input value="` `{{{inDoubleQuotedAttr value}}}` `"/>`
- `<input value=` `{{{inUnQuotedAttr value}}}` `/>`

> Here we use {{{ }}} to indicate output expression to ease illustrations
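Review bot: the five list items now put a space between adjacent code spans so each renders as its own inline code, which fixes the display; the blockquote that follows, `Here we use {{{ }}} to indicate output expression to ease illustrations`, still has the braces bare and reads awkwardly. Suggest wrapping them in backticks and rewording to "Here we use `{{{ }}}` to denote an output expression, for illustration only". Since the text calls these filters context-sensitive, one sentence saying that each filter must be used only in the exact context shown next to it would make the list's intent explicit.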
5 changes: 5 additions & 0 deletions dist/xss-filters.1.0.6.min.js


4 changes: 2 additions & 2 deletions dist/xss-filters.js



0 comments on commit 67b2a0c
