From 70fd7f30c35a25d6068d4f29431ea046228d7627 Mon Sep 17 00:00:00 2001
From: adon
Date: Wed, 29 Jul 2015 18:45:35 +0800
Subject: [PATCH] release v1.2.6
---
 bower.json | 2 +-
 dist/xss-filters.1.2.6.min.js | 5 +++
 dist/xss-filters.js | 61 ++++++++++++++++------------
 dist/xss-filters.min-browserified.js | 4 +-
 dist/xss-filters.min.js | 4 +-
 package.json | 2 +-
 6 files changed, 45 insertions(+), 33 deletions(-)
 create mode 100644 dist/xss-filters.1.2.6.min.js
diff --git a/bower.json b/bower.json
index 17a0e53..a7ed2c9 100644
--- a/bower.json
+++ b/bower.json
@@ -1,6 +1,6 @@
 {
 "name": "xss-filters",
- "version": "1.2.4",
+ "version": "1.2.6",
 "homepage": "https://github.com/yahoo/xss-filters",
 "authors": [
 "Nera Liu ",
diff --git a/dist/xss-filters.1.2.6.min.js b/dist/xss-filters.1.2.6.min.js
new file mode 100644
index 0000000..fee017b
--- /dev/null
+++ b/dist/xss-filters.1.2.6.min.js
@@ -0,0 +1,5 @@ +/** + * xss-filters - v1.2.6 + * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. + */ +!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){function a(a){return a=a.split(x,2),2===a.length&&a[0]?a[0]:null}function b(a,b,c,d){function e(a,c,e,g){return c?(c=Number(c[0]<="9"?c:"0"+c),d?B(c):128===c?"€":130===c?"‚":131===c?"ƒ":132===c?"„":133===c?"…":134===c?"†":135===c?"‡":136===c?"ˆ":137===c?"‰":138===c?"Š":139===c?"‹":140===c?"Œ":142===c?"Ž":145===c?"‘":146===c?"’":147===c?"“":148===c?"”":149===c?"•":150===c?"–":151===c?"—":152===c?"˜":153===c?"™":154===c?"š":155===c?"›":156===c?"œ":158===c?"ž":159===c?"Ÿ":c>=55296&&57343>=c||13===c?"�":f.frCoPt(c)):b[e||g]||a}return b=b||p,c=c||o,void 0===a?"undefined":null===a?"null":a.toString().replace(k,"�").replace(c,e)}function c(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function d(a){return a.replace(t,function(a){return"-x-"+a})}function e(c){c=f.yufull(b(c));var d=a(c);return d&&w[d.toLowerCase()]?"##"+c:c}var f,g=/])/g,m=/[&<>"'`]/g,n=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,o=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,p={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" ",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},q=/^(?:(?!-*expression)#?[-\w]+|[+-]?(?:\d+|\d*\.\d+)(?:r?em|ex|ch|cm|mm|in|px|pt|pc|%|vh|vw|vmin|vmax)?|!important|)$/i,r=/[\x00-\x1F\x7F\[\]{}\\"]/g,s=/[\x00-\x1F\x7F\[\]{}\\']/g,t=/url[\(\u207D\u208D]+/g,u=/['\(\)]/g,v=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,w={javascript:1,data:1,vbscript:1,mhtml:1,"x-schema":1},x=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,y=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,z={Tab:" ",NewLine:"\n"},A=function(a,b,c){return void 
0===a?"undefined":null===a?"null":a.toString().replace(b,c)},B=String.fromCodePoint||function(a){return 0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return f={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":B(a)},d:b,yup:function(c){return c=a(c.replace(k,"")),c?b(c,z,null,!0).replace(y,"").toLowerCase():null},y:function(a){return A(a,m,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return A(a,j,"&")},yd:function(a){return A(a,g,"<")},yc:function(a){return A(a,n,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return A(a,h,""")},yavs:function(a){return A(a,i,"'")},yavu:function(a){return A(a,l,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":"="===a?"=":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return w[f.yup(a)]?"x-"+a:a},yufull:function(a){return f.yu(a).replace(v,function(a,b){return"//["+b+"]"})},yublf:function(a){return f.yubl(f.yufull(a))},yceu:function(a){return a=b(a),q.test(a)?a:";-x:'"+d(a.replace(s,c))+"';-v:"},yced:function(a){return d(b(a).replace(r,c))},yces:function(a){return d(b(a).replace(s,c))},yceuu:function(a){return e(a).replace(u,function(a){return"'"===a?"\\27 ":"("===a?"%28":"%29"})},yceud:function(a){return e(a)},yceus:function(a){return e(a).replace(i,"\\27 ")}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return 
d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}());
\ No newline at end of file
diff --git a/dist/xss-filters.js b/dist/xss-filters.js
index 3fdc675..eefdfaf 100644
--- a/dist/xss-filters.js
+++ b/dist/xss-filters.js
@@ -27,13 +27,23 @@ exports._getPrivFilters = function () {
 var SENSITIVE_HTML_ENTITIES = /&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,
 SENSITIVE_NAMED_REF_MAP = {Tab: '\t', NewLine: '\n', colon: ':', semi: ';', lpar: '(', rpar: ')', apos: '\'', sol: '/', comma: ',', excl: '!', ast: '*', midast: '*', ensp: '\u2002', emsp: '\u2003', thinsp: '\u2009', nbsp: '\xA0', amp: '&', lt: '<', gt: '>', quot: '"', QUOT: '"'};
- // TODO: CSS_DANGEROUS_FUNCTION_NAME = /(url\(|expression\()/ig;
- var CSS_UNQUOTED_CHARS = /[^%#+\-\w\.]/g,
- // \x7F and \x01-\x1F less \x09 are for Safari 5.0
- CSS_DOUBLE_QUOTED_CHARS = /[\x01-\x1F\x7F\\"]/g,
- CSS_SINGLE_QUOTED_CHARS = /[\x01-\x1F\x7F\\']/g,
- // this assumes encodeURI() and encodeURIComponent() has escaped 1-32, 41, 127 for IE8
- CSS_UNQUOTED_URL = /['\(\)]/g; // " \ treated by encodeURI()
+ // var CSS_VALID_VALUE =
+ // /^(?:
+ // (?!-*expression)#?[-\w]+
+ // |[+-]?(?:\d+|\d*\.\d+)(?:em|ex|ch|rem|px|mm|cm|in|pt|pc|%|vh|vw|vmin|vmax)?
+ // |!important
+ // | //empty
+ // )$/i;
+ var CSS_VALID_VALUE = /^(?:(?!-*expression)#?[-\w]+|[+-]?(?:\d+|\d*\.\d+)(?:r?em|ex|ch|cm|mm|in|px|pt|pc|%|vh|vw|vmin|vmax)?|!important|)$/i,
+ // TODO: prevent double css escaping by not encoding \ again, but this may require CSS decoding
+ // \x7F and \x01-\x1F less \x09 are for Safari 5.0, added []{}/* for unbalanced quote
+ CSS_DOUBLE_QUOTED_CHARS = /[\x00-\x1F\x7F\[\]{}\\"]/g,
+ CSS_SINGLE_QUOTED_CHARS = /[\x00-\x1F\x7F\[\]{}\\']/g,
+ // (, \u207D and \u208D can be used in background: 'url(...)' in IE, assumed all \ chars are encoded by QUOTED_CHARS, and null is already replaced with \uFFFD
+ // otherwise, use this CSS_BLACKLIST instead (enhance it with url matching): /(?:\\?\(|[\u207D\u208D]|\\0{0,4}28 ?|\\0{0,2}20[78][Dd] ?)+/g
+ CSS_BLACKLIST = /url[\(\u207D\u208D]+/g,
+ // this assumes encodeURI() and encodeURIComponent() has escaped 1-32, 127 for IE8
+ CSS_UNQUOTED_URL = /['\(\)]/g; // " \ treated by encodeURI()
 // Given a full URI, need to support "[" ( IPv6address ) "]" in URI as per RFC3986
 // Reference: https://tools.ietf.org/html/rfc3986
@@ -46,7 +56,7 @@ exports._getPrivFilters = function () {
 // Reference: http://shazzer.co.uk/database/All/Characters-after-javascript-uri
 // Reference: https://html.spec.whatwg.org/multipage/syntax.html#consume-a-character-reference
 // Reference for named characters: https://html.spec.whatwg.org/multipage/entities.json
- var URI_BLACKLIST_PROTOCOLS = {'javascript':1, 'data':1, 'vbscript':1, 'mhtml':1},
+ var URI_BLACKLIST_PROTOCOLS = {'javascript':1, 'data':1, 'vbscript':1, 'mhtml':1, 'x-schema':1},
 URI_PROTOCOL_COLON = /(?::|&#[xX]0*3[aA];?|�*58;?|:)/,
 URI_PROTOCOL_WHITESPACES = /(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,
 URI_PROTOCOL_NAMED_REF_MAP = {Tab: '\t', NewLine: '\n'};
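Review bot: `CSS_BLACKLIST = /url[\(\u207D\u208D]+/g` matches only lowercase `url`, while CSS tokenizes function names ASCII-case-insensitively, so a value containing `URL(` or `Url(` reaches the new `cssBlacklist` (in the `@@ -160,20` hunk) and its yceu/yced/yces callers without the `-x-` prefix. Whether the IE quoted-string behaviour described in the comment above the regex is itself case-insensitive is not visible here, but the `i` flag costs nothing: `CSS_BLACKLIST = /url[\(\u207D\u208D]+/gi,`. Separately, the commented-out draft of `CSS_VALID_VALUE` already differs textually from the live regex (unit order, `rem` versus `r?em`), so either drop the draft or keep it byte-identical to the expression it documents, otherwise it will keep drifting. The enclosing `_getPrivFilters` function starts and ends outside the hunk.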
@@ -160,20 +170,16 @@ exports._getPrivFilters = function () {
 // space after \\HEX is needed by spec
 return '\\' + chr.charCodeAt(0).toString(16).toLowerCase() + ' ';
 }
- function css(s, reSensitiveChars) {
- return htmlDecode(s).replace(reSensitiveChars, cssEncode);
+ function cssBlacklist(s) {
+ return s.replace(CSS_BLACKLIST, function(m){ return '-x-' + m; });
 }
- function cssUrl(s, reSensitiveChars) {
+ function cssUrl(s) {
 // encodeURI() in yufull() will throw error for use of the CSS_UNSUPPORTED_CODE_POINT (i.e., [\uD800-\uDFFF])
 s = x.yufull(htmlDecode(s));
 var protocol = getProtocol(s);
 // prefix ## for blacklisted protocols
- if (protocol && URI_BLACKLIST_PROTOCOLS[protocol.toLowerCase()]) {
- s = '##' + s;
- }
-
- return reSensitiveChars ? s.replace(reSensitiveChars, cssEncode) : s;
+ return (protocol && URI_BLACKLIST_PROTOCOLS[protocol.toLowerCase()]) ? '##' + s : s;
 }
 return (x = {
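Review bot: The rewritten return in `cssUrl` still looks the scheme up with `URI_BLACKLIST_PROTOCOLS[protocol.toLowerCase()]` on a plain object literal (defined in the `@@ -46,7` hunk), so names inherited from `Object.prototype` such as `constructor` or `__proto__` are truthy and receive the `##` prefix as well. That fails closed, so it is a false positive rather than a bypass, but an exact check is a one-line change: `return (protocol && Object.prototype.hasOwnProperty.call(URI_BLACKLIST_PROTOCOLS, protocol.toLowerCase())) ? '##' + s : s;`. `cssBlacklist` would also benefit from a one-line comment tying it to its regex, e.g. `// prefix -x- to url( so IE does not treat it as a function call inside a quoted CSS string (see CSS_BLACKLIST)`. `getProtocol` and `htmlDecode` are defined outside the hunk, so what `protocol` holds is inferred from its name.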
@@ -352,23 +358,22 @@ exports._getPrivFilters = function () {
 // * http://www.w3.org/TR/CSS21/grammar.html
 // * http://www.w3.org/TR/css-syntax-3/
 //
- // NOTE: delimitar in CSS - \ _ : ; ( ) " ' / , % # ! * @ . { }
+ // NOTE: delimiter in CSS - \ _ : ; ( ) " ' / , % # ! * @ . { }
+ // 2d 5c 5f 3a 3b 28 29 22 27 2f 2c 25 23 21 2a 40 2e 7b 7d
- // CSS_UNQUOTED_CHARS = /[^%#+\-\w\.]/g,
 yceu: function(s) {
- return css(s, CSS_UNQUOTED_CHARS);
+ s = htmlDecode(s);
+ return CSS_VALID_VALUE.test(s) ? s : ";-x:'" + cssBlacklist(s.replace(CSS_SINGLE_QUOTED_CHARS, cssEncode)) + "';-v:";
 },
 // string1 = \"([^\n\r\f\\"]|\\{nl}|\\[^\n\r\f0-9a-f]|\\[0-9a-f]{1,6}(\r\n|[ \n\r\t\f])?)*\"
- // CSS_DOUBLE_QUOTED_CHARS = /[\x01-\x1F\x7F\\"]/g,
 yced: function(s) {
- return css(s, CSS_DOUBLE_QUOTED_CHARS);
+ return cssBlacklist(htmlDecode(s).replace(CSS_DOUBLE_QUOTED_CHARS, cssEncode));
 },
 // string2 = \'([^\n\r\f\\']|\\{nl}|\\[^\n\r\f0-9a-f]|\\[0-9a-f]{1,6}(\r\n|[ \n\r\t\f])?)*\'
- // CSS_SINGLE_QUOTED_CHARS = /[\x01-\x1F\x7F\\']/g,
 yces: function(s) {
- return css(s, CSS_SINGLE_QUOTED_CHARS);
+ return cssBlacklist(htmlDecode(s).replace(CSS_SINGLE_QUOTED_CHARS, cssEncode));
 },
 // for url({{{yceuu url}}}
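Review bot: The fallback branch of `yceu`, `";-x:'" + cssBlacklist(...) + "';-v:"`, is the subtle part of this hunk and carries no comment explaining its shape; a reader has to work out that the leading `;` closes the caller's declaration, the text is parked as a quoted string value of a dummy `-x` property, and the trailing `-v:` is there to absorb the `;` the template emits after the filter output. I would add above the return: `// value is not a bare ident/number/!important: terminate the caller's declaration, emit the escaped text as a quoted string under a dummy -x property, and leave a dummy -v declaration open for the caller's trailing ';'` (the intent is inferred from the literal, so confirm it). The accept path returns `s` without passing through `cssBlacklist`, which is sound because `CSS_VALID_VALUE` admits only word characters, `-`, `#`, `+`, `.`, `%`, `!` and digits and never `(`; a short comment saying so would save the next reader that check. The enclosing `x = {` object literal starts and ends outside the hunk.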
@@ -377,19 +382,21 @@ exports._getPrivFilters = function () {
 // The state machine in CSS 3.0 is more well defined - http://www.w3.org/TR/css-syntax-3/#consume-a-url-token0
 // CSS_UNQUOTED_URL = /['\(\)]/g; // " \ treated by encodeURI()
 yceuu: function(s) {
- return cssUrl(s, CSS_UNQUOTED_URL);
+ return cssUrl(s).replace(CSS_UNQUOTED_URL, function (chr) {
+ return chr === '\'' ? '\\27 ' :
+ chr === '(' ? '%28' :
+ /* chr === ')' ? */ '%29';
+ });
 },
 // for url("{{{yceud url}}}
- // CSS_DOUBLE_QUOTED_URL has nothing else to escape (optimized version by chaining with yufull)
 yceud: function(s) {
 return cssUrl(s);
 },
 // for url('{{{yceus url}}}
- // CSS_SINGLE_QUOTED_URL = /'/g; (optimized version by chaining with yufull)
 yceus: function(s) {
- return cssUrl(s, SQUOT);
+ return cssUrl(s).replace(SQUOT, '\\27 ');
 }
 });
 };
diff --git a/dist/xss-filters.min-browserified.js b/dist/xss-filters.min-browserified.js
index da1d263..531419d 100644
--- a/dist/xss-filters.min-browserified.js
+++ b/dist/xss-filters.min-browserified.js
@@ -1,5 +1,5 @@ /** - * xss-filters - v1.2.4 + * xss-filters - v1.2.6 * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. */ -!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g=55296&&57343>=c||13===c?"�":f.frCoPt(c)):b[e||g]||a}return b=b||p,c=c||o,void 0===a?"undefined":null===a?"null":a.toString().replace(k,"�").replace(c,e)}function c(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function d(a,d){return b(a).replace(d,c)}function e(d,e){d=f.yufull(b(d));var g=a(d);return g&&v[g.toLowerCase()]&&(d="##"+d),e?d.replace(e,c):d}var f,g=/])/g,m=/[&<>"'`]/g,n=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,o=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,p={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" ",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},q=/[^%#+\-\w\.]/g,r=/[\x01-\x1F\x7F\\"]/g,s=/[\x01-\x1F\x7F\\']/g,t=/['\(\)]/g,u=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,v={javascript:1,data:1,vbscript:1,mhtml:1},w=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,x=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,y={Tab:" ",NewLine:"\n"},z=function(a,b,c){return void 
0===a?"undefined":null===a?"null":a.toString().replace(b,c)},A=String.fromCodePoint||function(a){return 0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return f={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":A(a)},d:b,yup:function(c){return c=a(c.replace(k,"")),c?b(c,y,null,!0).replace(x,"").toLowerCase():null},y:function(a){return z(a,m,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return z(a,j,"&")},yd:function(a){return z(a,g,"<")},yc:function(a){return z(a,n,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return z(a,h,""")},yavs:function(a){return z(a,i,"'")},yavu:function(a){return z(a,l,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":"="===a?"=":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return v[f.yup(a)]?"x-"+a:a},yufull:function(a){return f.yu(a).replace(u,function(a,b){return"//["+b+"]"})},yublf:function(a){return f.yubl(f.yufull(a))},yceu:function(a){return d(a,q)},yced:function(a){return d(a,r)},yces:function(a){return d(a,s)},yceuu:function(a){return e(a,t)},yceud:function(a){return e(a)},yceus:function(a){return e(a,i)}}};var e=c._privFilters=c._getPrivFilters();c.inHTMLData=e.yd,c.inHTMLComment=e.yc,c.inSingleQuotedAttr=e.yavs,c.inDoubleQuotedAttr=e.yavd,c.inUnQuotedAttr=e.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,e.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,e.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,e.yavu)},c.uriInHTMLData=e.yufull,c.uriInHTMLComment=function(a){return e.yc(e.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,e.yavs,e.yu)},c.uriPathInDoubleQuotedAttr=function(a){return d(a,e.yavd,e.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,e.yavu,e.yu)},c.uriPathInHTMLData=e.yu,c.uriPathInHTMLComment=function(a){return e.yc(e.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return e.yavs(e.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return e.yavd(e.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return e.yavu(e.yuc(a))},c.uriComponentInHTMLData=e.yuc,c.uriComponentInHTMLComment=function(a){return e.yc(e.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return e.yubl(e.yavs(e.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return e.yubl(e.yavd(e.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return 
e.yubl(e.yavu(e.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment},{}]},{},[1])(1)}); \ No newline at end of file +!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g=55296&&57343>=c||13===c?"�":f.frCoPt(c)):b[e||g]||a}return b=b||p,c=c||o,void 0===a?"undefined":null===a?"null":a.toString().replace(k,"�").replace(c,e)}function c(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function d(a){return a.replace(t,function(a){return"-x-"+a})}function e(c){c=f.yufull(b(c));var d=a(c);return d&&w[d.toLowerCase()]?"##"+c:c}var f,g=/])/g,m=/[&<>"'`]/g,n=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,o=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,p={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" 
",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},q=/^(?:(?!-*expression)#?[-\w]+|[+-]?(?:\d+|\d*\.\d+)(?:r?em|ex|ch|cm|mm|in|px|pt|pc|%|vh|vw|vmin|vmax)?|!important|)$/i,r=/[\x00-\x1F\x7F\[\]{}\\"]/g,s=/[\x00-\x1F\x7F\[\]{}\\']/g,t=/url[\(\u207D\u208D]+/g,u=/['\(\)]/g,v=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,w={javascript:1,data:1,vbscript:1,mhtml:1,"x-schema":1},x=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,y=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,z={Tab:" ",NewLine:"\n"},A=function(a,b,c){return void 0===a?"undefined":null===a?"null":a.toString().replace(b,c)},B=String.fromCodePoint||function(a){return 0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return f={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":B(a)},d:b,yup:function(c){return c=a(c.replace(k,"")),c?b(c,z,null,!0).replace(y,"").toLowerCase():null},y:function(a){return A(a,m,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return A(a,j,"&")},yd:function(a){return A(a,g,"<")},yc:function(a){return A(a,n,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return A(a,h,""")},yavs:function(a){return A(a,i,"'")},yavu:function(a){return A(a,l,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":"="===a?"=":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return w[f.yup(a)]?"x-"+a:a},yufull:function(a){return f.yu(a).replace(v,function(a,b){return"//["+b+"]"})},yublf:function(a){return f.yubl(f.yufull(a))},yceu:function(a){return a=b(a),q.test(a)?a:";-x:'"+d(a.replace(s,c))+"';-v:"},yced:function(a){return d(b(a).replace(r,c))},yces:function(a){return d(b(a).replace(s,c))},yceuu:function(a){return e(a).replace(u,function(a){return"'"===a?"\\27 ":"("===a?"%28":"%29"})},yceud:function(a){return e(a)},yceus:function(a){return e(a).replace(i,"\\27 ")}}};var e=c._privFilters=c._getPrivFilters();c.inHTMLData=e.yd,c.inHTMLComment=e.yc,c.inSingleQuotedAttr=e.yavs,c.inDoubleQuotedAttr=e.yavd,c.inUnQuotedAttr=e.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,e.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,e.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,e.yavu)},c.uriInHTMLData=e.yufull,c.uriInHTMLComment=function(a){return e.yc(e.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,e.yavs,e.yu)},c.uriPathInDoubleQuotedAttr=function(a){return d(a,e.yavd,e.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,e.yavu,e.yu)},c.uriPathInHTMLData=e.yu,c.uriPathInHTMLComment=function(a){return e.yc(e.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return e.yavs(e.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return e.yavd(e.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return e.yavu(e.yuc(a))},c.uriComponentInHTMLData=e.yuc,c.uriComponentInHTMLComment=function(a){return e.yc(e.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return e.yubl(e.yavs(e.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return 
e.yubl(e.yavd(e.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return e.yubl(e.yavu(e.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment},{}]},{},[1])(1)});
\ No newline at end of file
diff --git a/dist/xss-filters.min.js b/dist/xss-filters.min.js
index 1b6efa1..fee017b 100644
--- a/dist/xss-filters.min.js
+++ b/dist/xss-filters.min.js
@@ -1,5 +1,5 @@ /** - * xss-filters - v1.2.4 + * xss-filters - v1.2.6 * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. */ -!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){function a(a){return a=a.split(w,2),2===a.length&&a[0]?a[0]:null}function b(a,b,c,d){function e(a,c,e,g){return c?(c=Number(c[0]<="9"?c:"0"+c),d?A(c):128===c?"€":130===c?"‚":131===c?"ƒ":132===c?"„":133===c?"…":134===c?"†":135===c?"‡":136===c?"ˆ":137===c?"‰":138===c?"Š":139===c?"‹":140===c?"Œ":142===c?"Ž":145===c?"‘":146===c?"’":147===c?"“":148===c?"”":149===c?"•":150===c?"–":151===c?"—":152===c?"˜":153===c?"™":154===c?"š":155===c?"›":156===c?"œ":158===c?"ž":159===c?"Ÿ":c>=55296&&57343>=c||13===c?"�":f.frCoPt(c)):b[e||g]||a}return b=b||p,c=c||o,void 0===a?"undefined":null===a?"null":a.toString().replace(k,"�").replace(c,e)}function c(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function d(a,d){return b(a).replace(d,c)}function e(d,e){d=f.yufull(b(d));var g=a(d);return g&&v[g.toLowerCase()]&&(d="##"+d),e?d.replace(e,c):d}var f,g=/])/g,m=/[&<>"'`]/g,n=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,o=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,p={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" ",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},q=/[^%#+\-\w\.]/g,r=/[\x01-\x1F\x7F\\"]/g,s=/[\x01-\x1F\x7F\\']/g,t=/['\(\)]/g,u=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,v={javascript:1,data:1,vbscript:1,mhtml:1},w=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,x=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,y={Tab:" ",NewLine:"\n"},z=function(a,b,c){return void 0===a?"undefined":null===a?"null":a.toString().replace(b,c)},A=String.fromCodePoint||function(a){return 
0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return f={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":A(a)},d:b,yup:function(c){return c=a(c.replace(k,"")),c?b(c,y,null,!0).replace(x,"").toLowerCase():null},y:function(a){return z(a,m,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return z(a,j,"&")},yd:function(a){return z(a,g,"<")},yc:function(a){return z(a,n,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return z(a,h,""")},yavs:function(a){return z(a,i,"'")},yavu:function(a){return z(a,l,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" ":"="===a?"=":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return v[f.yup(a)]?"x-"+a:a},yufull:function(a){return f.yu(a).replace(u,function(a,b){return"//["+b+"]"})},yublf:function(a){return f.yubl(f.yufull(a))},yceu:function(a){return d(a,q)},yced:function(a){return d(a,r)},yces:function(a){return d(a,s)},yceuu:function(a){return e(a,t)},yceud:function(a){return e(a)},yceus:function(a){return e(a,i)}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return 
c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}()); \ No newline at end of file +!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){function a(a){return a=a.split(x,2),2===a.length&&a[0]?a[0]:null}function b(a,b,c,d){function e(a,c,e,g){return c?(c=Number(c[0]<="9"?c:"0"+c),d?B(c):128===c?"€":130===c?"‚":131===c?"ƒ":132===c?"„":133===c?"…":134===c?"†":135===c?"‡":136===c?"ˆ":137===c?"‰":138===c?"Š":139===c?"‹":140===c?"Œ":142===c?"Ž":145===c?"‘":146===c?"’":147===c?"“":148===c?"”":149===c?"•":150===c?"–":151===c?"—":152===c?"˜":153===c?"™":154===c?"š":155===c?"›":156===c?"œ":158===c?"ž":159===c?"Ÿ":c>=55296&&57343>=c||13===c?"�":f.frCoPt(c)):b[e||g]||a}return b=b||p,c=c||o,void 0===a?"undefined":null===a?"null":a.toString().replace(k,"�").replace(c,e)}function c(a){return"\\"+a.charCodeAt(0).toString(16).toLowerCase()+" "}function d(a){return a.replace(t,function(a){return"-x-"+a})}function e(c){c=f.yufull(b(c));var d=a(c);return 
d&&w[d.toLowerCase()]?"##"+c:c}var f,g=/])/g,m=/[&<>"'`]/g,n=/(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g,o=/&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,p={Tab:" ",NewLine:"\n",colon:":",semi:";",lpar:"(",rpar:")",apos:"'",sol:"/",comma:",",excl:"!",ast:"*",midast:"*",ensp:" ",emsp:" ",thinsp:" ",nbsp:" ",amp:"&",lt:"<",gt:">",quot:'"',QUOT:'"'},q=/^(?:(?!-*expression)#?[-\w]+|[+-]?(?:\d+|\d*\.\d+)(?:r?em|ex|ch|cm|mm|in|px|pt|pc|%|vh|vw|vmin|vmax)?|!important|)$/i,r=/[\x00-\x1F\x7F\[\]{}\\"]/g,s=/[\x00-\x1F\x7F\[\]{}\\']/g,t=/url[\(\u207D\u208D]+/g,u=/['\(\)]/g,v=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,w={javascript:1,data:1,vbscript:1,mhtml:1,"x-schema":1},x=/(?::|&#[xX]0*3[aA];?|�*58;?|:)/,y=/(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,z={Tab:" ",NewLine:"\n"},A=function(a,b,c){return void 0===a?"undefined":null===a?"null":a.toString().replace(b,c)},B=String.fromCodePoint||function(a){return 0===arguments.length?"":65535>=a?String.fromCharCode(a):(a-=65536,String.fromCharCode((a>>10)+55296,a%1024+56320))};return f={frCoPt:function(a){return void 0===a||null===a?"":!isFinite(a=Number(a))||0>=a||a>1114111||a>=1&&8>=a||a>=14&&31>=a||a>=127&&159>=a||a>=64976&&65007>=a||11===a||65535===(65535&a)||65534===(65535&a)?"�":B(a)},d:b,yup:function(c){return c=a(c.replace(k,"")),c?b(c,z,null,!0).replace(y,"").toLowerCase():null},y:function(a){return A(a,m,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"})},ya:function(a){return A(a,j,"&")},yd:function(a){return A(a,g,"<")},yc:function(a){return A(a,n,function(a){return"\x00"===a?"�":"--!"===a||"--"===a||"-"===a||"]"===a?a+" ":a.slice(0,-1)+" >"})},yavd:function(a){return A(a,h,""")},yavs:function(a){return A(a,i,"'")},yavu:function(a){return A(a,l,function(a){return" "===a?" ":"\n"===a?" ":" "===a?" ":"\f"===a?" ":"\r"===a?" ":" "===a?" 
":"="===a?"=":"<"===a?"<":">"===a?">":'"'===a?""":"'"===a?"'":"`"===a?"`":"�"})},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return w[f.yup(a)]?"x-"+a:a},yufull:function(a){return f.yu(a).replace(v,function(a,b){return"//["+b+"]"})},yublf:function(a){return f.yubl(f.yufull(a))},yceu:function(a){return a=b(a),q.test(a)?a:";-x:'"+d(a.replace(s,c))+"';-v:"},yced:function(a){return d(b(a).replace(r,c))},yces:function(a){return d(b(a).replace(s,c))},yceuu:function(a){return e(a).replace(u,function(a){return"'"===a?"\\27 ":"("===a?"%28":"%29"})},yceud:function(a){return e(a)},yceus:function(a){return e(a).replace(i,"\\27 ")}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return 
d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}());
\ No newline at end of file
diff --git a/package.json b/package.json
index a49a219..2c5a74c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "xss-filters",
- "version": "1.2.4",
+ "version": "1.2.6",
 "licenses": [
 {
 "type": "BSD",