From 81fad85e63162cb04fb877826f353807eb1f670d Mon Sep 17 00:00:00 2001
From: adon
Date: Wed, 25 Feb 2015 18:24:27 +0800
Subject: [PATCH] facilitate integration by secure-handlebars-helpers
---
 bower.json | 2 +-
 dist/xss-filters.1.0.4.min.js | 5 +
 dist/xss-filters.js | 4 +-
 dist/xss-filters.min.js | 4 +-
 package.json | 2 +-
 src/xss-filters.js | 558 +++++++++++++++++-----------------
 tests/unit/xss-filters.js | 1 +
 7 files changed, 288 insertions(+), 288 deletions(-)
 create mode 100644 dist/xss-filters.1.0.4.min.js
diff --git a/bower.json b/bower.json
index dbdea7a..dc179a5 100644
--- a/bower.json
+++ b/bower.json
@@ -1,6 +1,6 @@
 {
 "name": "xss-filters",
- "version": "1.0.3",
+ "version": "1.0.4",
 "homepage": "https://github.com/yahoo/xss-filters",
 "authors": [
 "Nera Liu ",
diff --git a/dist/xss-filters.1.0.4.min.js b/dist/xss-filters.1.0.4.min.js
new file mode 100644
index 0000000..fed6a17
--- /dev/null
+++ b/dist/xss-filters.1.0.4.min.js
@@ -0,0 +1,5 @@ +/** + * xss-filters - v1.0.4 + * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. + */ +!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){var a="undefined",b="null",c=/"']/g,g=/(--!?>|--?!?$|\]>|\]$)/g,h=/^["']/,i=/[\t\n\f >]/g,j=["&","j","J","v","V"],k=null,l="^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|�*(?:[1-9]|[1-2][0-9]|30|31|32);?| | )*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|�*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:b|B|&#[xX]0*(?:6|4)2;?|�*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:s|S|&#[xX]0*(?:7|5)3;?|�*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:c|C|&#[xX]0*(?:6|4)3;?|�*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:r|R|&#[xX]0*(?:7|5)2;?|�*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:i|I|&#[xX]0*(?:6|4)9;?|�*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:p|P|&#[xX]0*(?:7|5)0;?|�*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:t|T|&#[xX]0*(?:7|5)4;?|�*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?::|&#[xX]0*3[aA];?|�*58;?)",m=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/;return{FILTER_NOT_HANDLE:"y",FILTER_DATA:"yd",FILTER_COMMENT:"yc",FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED:"yavd",FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED:"yavs",FILTER_ATTRIBUTE_VALUE_UNQUOTED:"yavu",FILTER_ENCODE_URI:"yu",FILTER_ENCODE_URI_COMPONENT:"yuc",FILTER_URI_SCHEME_BLACKLIST:"yubl",FILTER_FULL_URI:"yufull",y:function(c){return typeof c===a?a:null===c?b:c.toString().replace(f,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"})},yd:function(d){return typeof 
d===a?a:null===d?b:d.toString().replace(c,"<")},yc:function(c){return typeof c===a?a:null===c?b:c.toString().replace(g,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(c){return typeof c===a?a:null===c?b:c.toString().replace(d,""")},yavs:function(c){return typeof c===a?a:null===c?b:c.toString().replace(e,"'")},yavu:function(c){return typeof c===a?a:null===c?b:(c=c.toString().replace(i,function(a){return" "===a?" ":"\n"===a?" ":"\f"===a?" ":" "===a?" ":">"}),c=c.replace(h,function(a){return'"'===a?""":"'"}),""===c?"\x00":c)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===j.indexOf(a[0])?a:(null===k&&(k=new RegExp(l)),k.test(a)?"x-"+a:a)},yufull:function(a){return encodeURI(a).replace(m,function(a,b){return"//["+b+"]"})}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return 
d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}()); \ No newline at end of file diff --git a/dist/xss-filters.js b/dist/xss-filters.js index 0790e57..4d722c1 100644 --- a/dist/xss-filters.js +++ b/dist/xss-filters.js 
@@ -1,5 +1,5 @@ /** - * xss-filters - v1.0.3 + * xss-filters - v1.0.4 * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. */ -!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g"']/g,k=/(--!?>|--?!?$|\]>|\]$)/g,l=/^["']/,m=/[\t\n\f >]/g,n=["&","j","J","v","V"],o=null,p="^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|�*(?:[1-9]|[1-2][0-9]|30|31|32);?| | )*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|�*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:b|B|&#[xX]0*(?:6|4)2;?|�*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:s|S|&#[xX]0*(?:7|5)3;?|�*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:c|C|&#[xX]0*(?:6|4)3;?|�*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:r|R|&#[xX]0*(?:7|5)2;?|�*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:i|I|&#[xX]0*(?:6|4)9;?|�*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:p|P|&#[xX]0*(?:7|5)0;?|�*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | 
)*(?:t|T|&#[xX]0*(?:7|5)4;?|�*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?::|&#[xX]0*3[aA];?|�*58;?)",q=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,r={FILTER_NOT_HANDLE:"y",FILTER_DATA:"yd",FILTER_COMMENT:"yc",FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED:"yavd",FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED:"yavs",FILTER_ATTRIBUTE_VALUE_UNQUOTED:"yavu",FILTER_ENCODE_URI:"yu",FILTER_ENCODE_URI_COMPONENT:"yuc",FILTER_URI_SCHEME_BLACKLIST:"yubl",FILTER_FULL_URI:"yufull",y:function(a){return typeof a===e?e:null===a?f:a.toString().replace(j,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"})},yd:function(a){return typeof a===e?e:null===a?f:a.toString().replace(g,"<")},yc:function(a){return typeof a===e?e:null===a?f:a.toString().replace(k,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(a){return typeof a===e?e:null===a?f:a.toString().replace(h,""")},yavs:function(a){return typeof a===e?e:null===a?f:a.toString().replace(i,"'")},yavu:function(a){return typeof a===e?e:null===a?f:(a=a.toString().replace(m,function(a){return" "===a?" ":"\n"===a?" ":"\f"===a?" ":" "===a?" 
":">"}),a=a.replace(l,function(a){return'"'===a?""":"'"}),""===a?"\x00":a)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===n.indexOf(a[0])?a:(null===o&&(o=new RegExp(p)),o.test(a)?"x-"+a:a)},yufull:function(a){return encodeURI(a).replace(q,function(a,b){return"//["+b+"]"})}};c.inHTMLData=r.yd,c.inHTMLComment=r.yc,c.inSingleQuotedAttr=r.yavs,c.inDoubleQuotedAttr=r.yavd,c.inUnQuotedAttr=r.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,r.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,r.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,r.yavu)},c.uriInHTMLData=r.yufull,c.uriInHTMLComment=function(a){return r.yc(r.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,r.yavs,r.yu)},c.uriPathInDoubleQuotedAttr=function(a){return d(a,r.yavd,r.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,r.yavu,r.yu)},c.uriPathInHTMLData=r.yu,c.uriPathInHTMLComment=function(a){return r.yc(r.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return r.yavs(r.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return r.yavd(r.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return r.yavu(r.yuc(a))},c.uriComponentInHTMLData=r.yuc,c.uriComponentInHTMLComment=function(a){return r.yc(r.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return r.yubl(r.yavs(r.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return r.yubl(r.yavd(r.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return r.yubl(r.yavu(r.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment,c._privFilters=r},{}]},{},[1])(1)}); \ No newline at end of file +!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof 
define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g"']/g,g=/(--!?>|--?!?$|\]>|\]$)/g,h=/^["']/,i=/[\t\n\f >]/g,j=["&","j","J","v","V"],k=null,l="^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|�*(?:[1-9]|[1-2][0-9]|30|31|32);?| | )*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|�*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:b|B|&#[xX]0*(?:6|4)2;?|�*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:s|S|&#[xX]0*(?:7|5)3;?|�*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:c|C|&#[xX]0*(?:6|4)3;?|�*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:r|R|&#[xX]0*(?:7|5)2;?|�*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:i|I|&#[xX]0*(?:6|4)9;?|�*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:p|P|&#[xX]0*(?:7|5)0;?|�*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:t|T|&#[xX]0*(?:7|5)4;?|�*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | 
)*(?::|&#[xX]0*3[aA];?|�*58;?)",m=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/;return{FILTER_NOT_HANDLE:"y",FILTER_DATA:"yd",FILTER_COMMENT:"yc",FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED:"yavd",FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED:"yavs",FILTER_ATTRIBUTE_VALUE_UNQUOTED:"yavu",FILTER_ENCODE_URI:"yu",FILTER_ENCODE_URI_COMPONENT:"yuc",FILTER_URI_SCHEME_BLACKLIST:"yubl",FILTER_FULL_URI:"yufull",y:function(c){return typeof c===a?a:null===c?b:c.toString().replace(f,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"})},yd:function(d){return typeof d===a?a:null===d?b:d.toString().replace(c,"<")},yc:function(c){return typeof c===a?a:null===c?b:c.toString().replace(g,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(c){return typeof c===a?a:null===c?b:c.toString().replace(d,""")},yavs:function(c){return typeof c===a?a:null===c?b:c.toString().replace(e,"'")},yavu:function(c){return typeof c===a?a:null===c?b:(c=c.toString().replace(i,function(a){return" "===a?" ":"\n"===a?" ":"\f"===a?" ":" "===a?" 
":">"}),c=c.replace(h,function(a){return'"'===a?""":"'"}),""===c?"\x00":c)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===j.indexOf(a[0])?a:(null===k&&(k=new RegExp(l)),k.test(a)?"x-"+a:a)},yufull:function(a){return encodeURI(a).replace(m,function(a,b){return"//["+b+"]"})}}};var e=c._privFilters=c._getPrivFilters();c.inHTMLData=e.yd,c.inHTMLComment=e.yc,c.inSingleQuotedAttr=e.yavs,c.inDoubleQuotedAttr=e.yavd,c.inUnQuotedAttr=e.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,e.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,e.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,e.yavu)},c.uriInHTMLData=e.yufull,c.uriInHTMLComment=function(a){return e.yc(e.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,e.yavs,e.yu)},c.uriPathInDoubleQuotedAttr=function(a){return d(a,e.yavd,e.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,e.yavu,e.yu)},c.uriPathInHTMLData=e.yu,c.uriPathInHTMLComment=function(a){return e.yc(e.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return e.yavs(e.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return e.yavd(e.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return e.yavu(e.yuc(a))},c.uriComponentInHTMLData=e.yuc,c.uriComponentInHTMLComment=function(a){return e.yc(e.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return e.yubl(e.yavs(e.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return e.yubl(e.yavd(e.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return e.yubl(e.yavu(e.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment},{}]},{},[1])(1)}); \ No newline at end of file diff --git a/dist/xss-filters.min.js b/dist/xss-filters.min.js index 83c9925..fed6a17 100644 
--- a/dist/xss-filters.min.js
+++ b/dist/xss-filters.min.js
@@ -1,5 +1,5 @@ /** - * xss-filters - v1.0.3 + * xss-filters - v1.0.4 * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. */ -!function(a,b){function c(a,b,c){return q.yubl(b((c||q.yufull)(a)))}b.xssFilters=a;var d="undefined",e="null",f=/"']/g,j=/(--!?>|--?!?$|\]>|\]$)/g,k=/^["']/,l=/[\t\n\f >]/g,m=["&","j","J","v","V"],n=null,o="^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|�*(?:[1-9]|[1-2][0-9]|30|31|32);?| | )*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|�*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:b|B|&#[xX]0*(?:6|4)2;?|�*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:s|S|&#[xX]0*(?:7|5)3;?|�*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:c|C|&#[xX]0*(?:6|4)3;?|�*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:r|R|&#[xX]0*(?:7|5)2;?|�*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:i|I|&#[xX]0*(?:6|4)9;?|�*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:p|P|&#[xX]0*(?:7|5)0;?|�*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:t|T|&#[xX]0*(?:7|5)4;?|�*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?::|&#[xX]0*3[aA];?|�*58;?)",p=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/,q={FILTER_NOT_HANDLE:"y",FILTER_DATA:"yd",FILTER_COMMENT:"yc",FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED:"yavd",FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED:"yavs",FILTER_ATTRIBUTE_VALUE_UNQUOTED:"yavu",FILTER_ENCODE_URI:"yu",FILTER_ENCODE_URI_COMPONENT:"yuc",FILTER_URI_SCHEME_BLACKLIST:"yubl",FILTER_FULL_URI:"yufull",y:function(a){return typeof a===d?d:null===a?e:a.toString().replace(i,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"})},yd:function(a){return typeof 
a===d?d:null===a?e:a.toString().replace(f,"<")},yc:function(a){return typeof a===d?d:null===a?e:a.toString().replace(j,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(a){return typeof a===d?d:null===a?e:a.toString().replace(g,""")},yavs:function(a){return typeof a===d?d:null===a?e:a.toString().replace(h,"'")},yavu:function(a){return typeof a===d?d:null===a?e:(a=a.toString().replace(l,function(a){return" "===a?" ":"\n"===a?" ":"\f"===a?" ":" "===a?" ":">"}),a=a.replace(k,function(a){return'"'===a?""":"'"}),""===a?"\x00":a)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===m.indexOf(a[0])?a:(null===n&&(n=new RegExp(o)),n.test(a)?"x-"+a:a)},yufull:function(a){return encodeURI(a).replace(p,function(a,b){return"//["+b+"]"})}};a.inHTMLData=q.yd,a.inHTMLComment=q.yc,a.inSingleQuotedAttr=q.yavs,a.inDoubleQuotedAttr=q.yavd,a.inUnQuotedAttr=q.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,q.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,q.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,q.yavu)},a.uriInHTMLData=q.yufull,a.uriInHTMLComment=function(a){return q.yc(q.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,q.yavs,q.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,q.yavd,q.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,q.yavu,q.yu)},a.uriPathInHTMLData=q.yu,a.uriPathInHTMLComment=function(a){return q.yc(q.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return q.yavs(q.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return q.yavd(q.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return 
q.yavu(q.yuc(a))},a.uriComponentInHTMLData=q.yuc,a.uriComponentInHTMLComment=function(a){return q.yc(q.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return q.yubl(q.yavs(q.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return q.yubl(q.yavd(q.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return q.yubl(q.yavu(q.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment,a._privFilters=q}({},function(){return this}()); \ No newline at end of file +!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){var a="undefined",b="null",c=/"']/g,g=/(--!?>|--?!?$|\]>|\]$)/g,h=/^["']/,i=/[\t\n\f >]/g,j=["&","j","J","v","V"],k=null,l="^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|�*(?:[1-9]|[1-2][0-9]|30|31|32);?| | )*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|�*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:b|B|&#[xX]0*(?:6|4)2;?|�*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:s|S|&#[xX]0*(?:7|5)3;?|�*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:c|C|&#[xX]0*(?:6|4)3;?|�*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:r|R|&#[xX]0*(?:7|5)2;?|�*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:i|I|&#[xX]0*(?:6|4)9;?|�*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:p|P|&#[xX]0*(?:7|5)0;?|�*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:t|T|&#[xX]0*(?:7|5)4;?|�*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | 
)*(?::|&#[xX]0*3[aA];?|�*58;?)",m=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/;return{FILTER_NOT_HANDLE:"y",FILTER_DATA:"yd",FILTER_COMMENT:"yc",FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED:"yavd",FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED:"yavs",FILTER_ATTRIBUTE_VALUE_UNQUOTED:"yavu",FILTER_ENCODE_URI:"yu",FILTER_ENCODE_URI_COMPONENT:"yuc",FILTER_URI_SCHEME_BLACKLIST:"yubl",FILTER_FULL_URI:"yufull",y:function(c){return typeof c===a?a:null===c?b:c.toString().replace(f,function(a){return"&"===a?"&":"<"===a?"<":">"===a?">":'"'===a?""":"'"})},yd:function(d){return typeof d===a?a:null===d?b:d.toString().replace(c,"<")},yc:function(c){return typeof c===a?a:null===c?b:c.toString().replace(g,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(c){return typeof c===a?a:null===c?b:c.toString().replace(d,""")},yavs:function(c){return typeof c===a?a:null===c?b:c.toString().replace(e,"'")},yavu:function(c){return typeof c===a?a:null===c?b:(c=c.toString().replace(i,function(a){return" "===a?" ":"\n"===a?" ":"\f"===a?" ":" "===a?" 
":">"}),c=c.replace(h,function(a){return'"'===a?""":"'"}),""===c?"\x00":c)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===j.indexOf(a[0])?a:(null===k&&(k=new RegExp(l)),k.test(a)?"x-"+a:a)},yufull:function(a){return encodeURI(a).replace(m,function(a,b){return"//["+b+"]"})}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}()); \ No newline at end of file diff --git a/package.json b/package.json index d808fd0..94d8bd9 100644 
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "xss-filters",
- "version": "1.0.3",
+ "version": "1.0.4",
 "licenses": [
 {
 "type": "BSD",
diff --git a/src/xss-filters.js b/src/xss-filters.js
index fc7ccd7..8643ae1 100644
--- a/src/xss-filters.js
+++ b/src/xss-filters.js
@@ -9,298 +9,298 @@ Authors: Nera Liu */ /*jshint node: true */ -// BEGIN: privFilters +exports._getPrivFilters = function () { -var STR_UD = 'undefined', - STR_NL = 'null', - LT = /"']/g; + var STR_UD = 'undefined', + STR_NL = 'null', + LT = /"']/g; -var COMMENT_SENSITIVE_CHARS = /(--!?>|--?!?$|\]>|\]$)/g; + var COMMENT_SENSITIVE_CHARS = /(--!?>|--?!?$|\]>|\]$)/g; -// Reference: https://html.spec.whatwg.org/multipage/syntax.html#before-attribute-value-state -var BEFORE_ATTR_VALUE_CHARS = /^["']/; -var ATTR_VALUE_UNQUOTED_CHARS = /[\t\n\f >]/g; + // Reference: https://html.spec.whatwg.org/multipage/syntax.html#before-attribute-value-state + var BEFORE_ATTR_VALUE_CHARS = /^["']/; + var ATTR_VALUE_UNQUOTED_CHARS = /[\t\n\f >]/g; + // Reference: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Null_breaks_up_JavaScript_directive + // Reference: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_newline_to_break_up_XSS + // Reference: https://html.spec.whatwg.org/multipage/syntax.html#consume-a-character-reference + // Reference for named characters: https://html.spec.whatwg.org/multipage/entities.json + /* + var URI_BLACKLIST_INTERIM_WHITESPACE = [ + '(?:', + [ + // encodeURI/encodeURIComponent has percentage encoded ASCII chars of decimal 0-32 + // '\u0000', + // '\t', '\n', '\r', // tab, newline, carriage return + '&#[xX]0*[9aAdD];?', // , , in hex + '�*(?:9|10|13);?', // , , in dec + ' ', ' ' // tab, newline in char entities + ].join('|'), + ')*' + ].join(''); + + // delay building the following as an RegExp() object until the first hit + var URI_BLACKLIST, URI_BLACKLIST_REGEXPSTR = [ + + // https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Spaces_and_meta_chars_before_the_JavaScript_in_images_for_XSS + '^(?:', + [ + // encodeURI/encodeURIComponent has percentage encoded ASCII chars of decimal 0-32 + // '\u0001', '\u0002', '\u0003', '\u0004', + // '\u0005', '\u0006', '\u0007', '\u0008', + // '\u0009', '\u000A', 
'\u000B', '\u000C', + // '\u000D', '\u000E', '\u000F', '\u0010', + // '\u0011', '\u0012', '\u0013', '\u0014', + // '\u0015', '\u0016', '\u0017', '\u0018', + // '\u0019', '\u001A', '\u001B', '\u001C', + // '\u001D', '\u001E', '\u001F', '\u0020', + '&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?', // -20 in hex + '�*(?:[1-9]|[1-2][0-9]|30|31|32);?', // -32 in dec + ' ', ' ' // space, newline in char entities + + ].join('|'), + ')*', + + + // java java java + // JAVA JAVA JAVA + // vb vb vb + // VB VB VB + // script script script + // SCRIPT SCRIPT SCRIPT + // : : : + + // java|vb + '(?:', + [ + // java + [ + '(?:j|J|&#[xX]0*(?:6|4)[aA];?|�*(?:106|74);?)', + '(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)', + '(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)', + '(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)', + ].join(URI_BLACKLIST_INTERIM_WHITESPACE), + // vb + [ + '(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)', + '(?:b|B|&#[xX]0*(?:6|4)2;?|�*(?:98|66);?)' -// Reference: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Null_breaks_up_JavaScript_directive -// Reference: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_newline_to_break_up_XSS -// Reference: https://html.spec.whatwg.org/multipage/syntax.html#consume-a-character-reference -// Reference for named characters: https://html.spec.whatwg.org/multipage/entities.json -/* -var URI_BLACKLIST_INTERIM_WHITESPACE = [ - '(?:', - [ - // encodeURI/encodeURIComponent has percentage encoded ASCII chars of decimal 0-32 - // '\u0000', - // '\t', '\n', '\r', // tab, newline, carriage return - '&#[xX]0*[9aAdD];?', // , , in hex - '�*(?:9|10|13);?', // , , in dec - ' ', ' ' // tab, newline in char entities - ].join('|'), - ')*' -].join(''); - -// delay building the following as an RegExp() object until the first hit -var URI_BLACKLIST, URI_BLACKLIST_REGEXPSTR = [ - - // https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Spaces_and_meta_chars_before_the_JavaScript_in_images_for_XSS - '^(?:', - [ - // 
encodeURI/encodeURIComponent has percentage encoded ASCII chars of decimal 0-32 - // '\u0001', '\u0002', '\u0003', '\u0004', - // '\u0005', '\u0006', '\u0007', '\u0008', - // '\u0009', '\u000A', '\u000B', '\u000C', - // '\u000D', '\u000E', '\u000F', '\u0010', - // '\u0011', '\u0012', '\u0013', '\u0014', - // '\u0015', '\u0016', '\u0017', '\u0018', - // '\u0019', '\u001A', '\u001B', '\u001C', - // '\u001D', '\u001E', '\u001F', '\u0020', - '&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?', // -20 in hex - '�*(?:[1-9]|[1-2][0-9]|30|31|32);?', // -32 in dec - ' ', ' ' // space, newline in char entities - - ].join('|'), - ')*', - - - // java java java - // JAVA JAVA JAVA - // vb vb vb - // VB VB VB - // script script script - // SCRIPT SCRIPT SCRIPT - // : : : - - // java|vb - '(?:', - [ - // java - [ - '(?:j|J|&#[xX]0*(?:6|4)[aA];?|�*(?:106|74);?)', - '(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)', - '(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)', - '(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)', + ].join(URI_BLACKLIST_INTERIM_WHITESPACE) - ].join(URI_BLACKLIST_INTERIM_WHITESPACE), - // vb + ].join('|'), + ')', + + URI_BLACKLIST_INTERIM_WHITESPACE, + + // script: [ - '(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)', - '(?:b|B|&#[xX]0*(?:6|4)2;?|�*(?:98|66);?)' + '(?:s|S|&#[xX]0*(?:7|5)3;?|�*(?:115|83);?)', + '(?:c|C|&#[xX]0*(?:6|4)3;?|�*(?:99|67);?)', + '(?:r|R|&#[xX]0*(?:7|5)2;?|�*(?:114|82);?)', + '(?:i|I|&#[xX]0*(?:6|4)9;?|�*(?:105|73);?)', + '(?:p|P|&#[xX]0*(?:7|5)0;?|�*(?:112|80);?)', + '(?:t|T|&#[xX]0*(?:7|5)4;?|�*(?:116|84);?)', + '(?:\:|&#[xX]0*3[aA];?|�*58;?)' ].join(URI_BLACKLIST_INTERIM_WHITESPACE) + ].join(''); + */ - ].join('|'), - ')', - - URI_BLACKLIST_INTERIM_WHITESPACE, - - // script: - [ - '(?:s|S|&#[xX]0*(?:7|5)3;?|�*(?:115|83);?)', - '(?:c|C|&#[xX]0*(?:6|4)3;?|�*(?:99|67);?)', - '(?:r|R|&#[xX]0*(?:7|5)2;?|�*(?:114|82);?)', - '(?:i|I|&#[xX]0*(?:6|4)9;?|�*(?:105|73);?)', - '(?:p|P|&#[xX]0*(?:7|5)0;?|�*(?:112|80);?)', - '(?:t|T|&#[xX]0*(?:7|5)4;?|�*(?:116|84);?)', - 
'(?:\:|&#[xX]0*3[aA];?|�*58;?)' - - ].join(URI_BLACKLIST_INTERIM_WHITESPACE) -].join(''); -*/ - -var URI_SLOWLANE = ['&', 'j', 'J', 'v', 'V'], - URI_BLACKLIST = null, - // delay building URI_BLACKLIST as an RegExp() object until the first hit - // the following str is generated by the above commented logic - URI_BLACKLIST_REGEXPSTR = "^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|�*(?:[1-9]|[1-2][0-9]|30|31|32);?| | )*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|�*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:b|B|&#[xX]0*(?:6|4)2;?|�*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:s|S|&#[xX]0*(?:7|5)3;?|�*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:c|C|&#[xX]0*(?:6|4)3;?|�*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:r|R|&#[xX]0*(?:7|5)2;?|�*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:i|I|&#[xX]0*(?:6|4)9;?|�*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:p|P|&#[xX]0*(?:7|5)0;?|�*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:t|T|&#[xX]0*(?:7|5)4;?|�*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?::|&#[xX]0*3[aA];?|�*58;?)"; - -// Given a full URI, need to support "[" ( IPv6address ) "]" in URI as per RFC3986 -// Reference: https://tools.ietf.org/html/rfc3986 -var URL_IPV6 = /\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/; - -var privFilters = { - - // TODO: remove the following mappings - FILTER_NOT_HANDLE: "y", - FILTER_DATA: "yd", - FILTER_COMMENT: "yc", - FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED: "yavd", - FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED: "yavs", - FILTER_ATTRIBUTE_VALUE_UNQUOTED: "yavu", - FILTER_ENCODE_URI: "yu", - FILTER_ENCODE_URI_COMPONENT: "yuc", - FILTER_URI_SCHEME_BLACKLIST: "yubl", - FILTER_FULL_URI: "yufull", 
+ var URI_SLOWLANE = ['&', 'j', 'J', 'v', 'V'], + URI_BLACKLIST = null, + // delay building URI_BLACKLIST as an RegExp() object until the first hit + // the following str is generated by the above commented logic + URI_BLACKLIST_REGEXPSTR = "^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|�*(?:[1-9]|[1-2][0-9]|30|31|32);?| | )*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|�*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:a|A|&#[xX]0*(?:6|4)1;?|�*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|�*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:b|B|&#[xX]0*(?:6|4)2;?|�*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:s|S|&#[xX]0*(?:7|5)3;?|�*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:c|C|&#[xX]0*(?:6|4)3;?|�*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:r|R|&#[xX]0*(?:7|5)2;?|�*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:i|I|&#[xX]0*(?:6|4)9;?|�*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:p|P|&#[xX]0*(?:7|5)0;?|�*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?:t|T|&#[xX]0*(?:7|5)4;?|�*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|�*(?:9|10|13);?| | )*(?::|&#[xX]0*3[aA];?|�*58;?)"; - /* - * @param {string} s - An untrusted user input - * @returns {string} s - The original user input with & < > " ' encoded respectively as & < > " and '. - * - * @description - *

This filter is a fallback to use the standard HTML escaping (i.e., encoding &<>"') - * in contexts that are currently not handled by the automatic context-sensitive templating solution.

- * - * Workaround this problem by following the suggestion below: - * Use - * and retrieve your data with document.getElementById('strJS').value. - * - */ - y: function(s) { - return typeof s === STR_UD ? STR_UD - : s === null ? STR_NL - : s.toString() - .replace(SPECIAL_HTML_CHARS, function (m) { - if (m === '&') { return '&'; } - if (m === '<') { return '<'; } - if (m === '>') { return '>'; } - if (m === '"') { return '"'; } - /* if (m === "'") */ return '''; - }); - }, - - // FOR DETAILS, refer to inHTMLData() - // Reference: https://html.spec.whatwg.org/multipage/syntax.html#data-state - yd: function (s) { - return typeof s === STR_UD ? STR_UD - : s === null ? STR_NL - : s.toString() - .replace(LT, '<'); - }, - - // FOR DETAILS, refer to inHTMLComment() - // '-->' and '--!>' are modified as '-- >' and '--! >' so as stop comment state breaking - // for string ends with '--!', '--', or '-' are appended with a space, so as to stop collaborative state breaking at {{s}}>, {{s}}!>, {{s}}-> - // Reference: https://html.spec.whatwg.org/multipage/syntax.html#comment-state - // ']>' and 'ends with ]' patterns deal with IE conditional comments. verified in IE that '] >' can stop that. - // Reference: http://msdn.microsoft.com/en-us/library/ms537512%28v=vs.85%29.aspx - yc: function (s) { - return typeof s === STR_UD ? STR_UD - : s === null ? STR_NL - : s.toString() - .replace(COMMENT_SENSITIVE_CHARS, function(m){ - if (m === '-->') { return '-- >'; } - if (m === '--!>') { return '--! >'; } - if (m === '--!') { return '--! '; } - if (m === '--') { return '-- '; } - if (m === '-') { return '- '; } - if (m === ']>') { return '] >'; } - /*if (m === ']')*/ return '] '; - }); - }, - - // FOR DETAILS, refer to inDoubleQuotedAttr() - // Reference: https://html.spec.whatwg.org/multipage/syntax.html#attribute-value-(double-quoted)-state - yavd: function (s) { - return typeof s === STR_UD ? STR_UD - : s === null ? 
STR_NL - : s.toString() - .replace(QUOT, '"'); - }, - - // FOR DETAILS, refer to inSingleQuotedAttr() - // Reference: https://html.spec.whatwg.org/multipage/syntax.html#attribute-value-(single-quoted)-state - yavs: function (s) { - return typeof s === STR_UD ? STR_UD - : s === null ? STR_NL - : s.toString() - .replace(SQUOT, '''); - }, - - // FOR DETAILS, refer to inUnQuotedAttr() - // Reference: https://html.spec.whatwg.org/multipage/syntax.html#attribute-value-(unquoted)-state - // Reference: https://html.spec.whatwg.org/multipage/syntax.html#before-attribute-value-state - yavu: function (s) { - if (typeof s === STR_UD) { return STR_UD; } - if (s === null) { return STR_NL; } - - s = s.toString().replace(ATTR_VALUE_UNQUOTED_CHARS, function (m) { - if (m === '\t') { return ' '; } - if (m === '\n') { return ' '; } - if (m === '\f') { return ' '; } // in hex: 0C - if (m === ' ') { return ' '; } // in hex: 20 - /*if (m === '>')*/ return '>'; - }); - - // if s starts with ' or ", encode it resp. as ' or " to enforce the attr value (unquoted) state - // if instead starts with some whitespaces [\t\n\f ] then optionally a quote, - // then the above encoding has already enforced the attr value (unquoted) state - // therefore, no need to encode the quote - // Reference: https://html.spec.whatwg.org/multipage/syntax.html#before-attribute-value-state - s = s.replace(BEFORE_ATTR_VALUE_CHARS, function (m) { - if (m === '"') { return '"'; } - /*if (m === "'")*/ return '''; - }); - - // Inject NULL character if an empty string is encountered in - // unquoted attribute value state. - // - // Example: - // - // - // Rationale 1: our belief is that developers wouldn't expect an - // empty string would result in ' name="firstname"' rendered as - // attribute value, even though this is how HTML5 is specified. - // Rationale 2: an empty string can effectively alter its immediate - // subsequent state, which violates our design principle. 
As per - // the HTML 5 spec, NULL or \u0000 is the magic character to end - // the comment state, which therefore will not mess up later - // contexts. + // Given a full URI, need to support "[" ( IPv6address ) "]" in URI as per RFC3986 + // Reference: https://tools.ietf.org/html/rfc3986 + var URL_IPV6 = /\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/; + + return { + + // TODO: remove the following mappings + FILTER_NOT_HANDLE: "y", + FILTER_DATA: "yd", + FILTER_COMMENT: "yc", + FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED: "yavd", + FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED: "yavs", + FILTER_ATTRIBUTE_VALUE_UNQUOTED: "yavu", + FILTER_ENCODE_URI: "yu", + FILTER_ENCODE_URI_COMPONENT: "yuc", + FILTER_URI_SCHEME_BLACKLIST: "yubl", + FILTER_FULL_URI: "yufull", + + /* + * @param {string} s - An untrusted user input + * @returns {string} s - The original user input with & < > " ' encoded respectively as & < > " and '. + * + * @description + *

This filter is a fallback to use the standard HTML escaping (i.e., encoding &<>"') + * in contexts that are currently not handled by the automatic context-sensitive templating solution.

+ * + * Workaround this problem by following the suggestion below: + * Use + * and retrieve your data with document.getElementById('strJS').value. + * + */ + y: function(s) { + return typeof s === STR_UD ? STR_UD + : s === null ? STR_NL + : s.toString() + .replace(SPECIAL_HTML_CHARS, function (m) { + if (m === '&') { return '&'; } + if (m === '<') { return '<'; } + if (m === '>') { return '>'; } + if (m === '"') { return '"'; } + /* if (m === "'") */ return '''; + }); + }, + + // FOR DETAILS, refer to inHTMLData() + // Reference: https://html.spec.whatwg.org/multipage/syntax.html#data-state + yd: function (s) { + return typeof s === STR_UD ? STR_UD + : s === null ? STR_NL + : s.toString() + .replace(LT, '<'); + }, + + // FOR DETAILS, refer to inHTMLComment() + // '-->' and '--!>' are modified as '-- >' and '--! >' so as stop comment state breaking + // for string ends with '--!', '--', or '-' are appended with a space, so as to stop collaborative state breaking at {{s}}>, {{s}}!>, {{s}}-> + // Reference: https://html.spec.whatwg.org/multipage/syntax.html#comment-state + // ']>' and 'ends with ]' patterns deal with IE conditional comments. verified in IE that '] >' can stop that. + // Reference: http://msdn.microsoft.com/en-us/library/ms537512%28v=vs.85%29.aspx + yc: function (s) { + return typeof s === STR_UD ? STR_UD + : s === null ? STR_NL + : s.toString() + .replace(COMMENT_SENSITIVE_CHARS, function(m){ + if (m === '-->') { return '-- >'; } + if (m === '--!>') { return '--! >'; } + if (m === '--!') { return '--! '; } + if (m === '--') { return '-- '; } + if (m === '-') { return '- '; } + if (m === ']>') { return '] >'; } + /*if (m === ']')*/ return '] '; + }); + }, + + // FOR DETAILS, refer to inDoubleQuotedAttr() + // Reference: https://html.spec.whatwg.org/multipage/syntax.html#attribute-value-(double-quoted)-state + yavd: function (s) { + return typeof s === STR_UD ? STR_UD + : s === null ? 
STR_NL + : s.toString() + .replace(QUOT, '"'); + }, + + // FOR DETAILS, refer to inSingleQuotedAttr() + // Reference: https://html.spec.whatwg.org/multipage/syntax.html#attribute-value-(single-quoted)-state + yavs: function (s) { + return typeof s === STR_UD ? STR_UD + : s === null ? STR_NL + : s.toString() + .replace(SQUOT, '''); + }, + + // FOR DETAILS, refer to inUnQuotedAttr() + // Reference: https://html.spec.whatwg.org/multipage/syntax.html#attribute-value-(unquoted)-state // Reference: https://html.spec.whatwg.org/multipage/syntax.html#before-attribute-value-state - return (s === '') ? '\u0000' : s; - }, - - yu: encodeURI, - yuc: encodeURIComponent, - - /* - * ============================= - * Rationale on data: protocol - * ============================= - * Given there're two execution possibilities: - * 1. data:text/html, in <(i)frame>'s src - * expected script execution but it's of a different origin than the included page. hence not CROSS-SITE scripting - * 2. data:application/javascript,alert(1) or data:,alert(1) in in <(i)frame>'s src + * expected script execution but it's of a different origin than the included page. hence not CROSS-SITE scripting + * 2. data:application/javascript,alert(1) or data:,alert(1) in