jackbeeby/Job_App
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial Save

Browse Source
This commit is contained in:
jackbeeby
2025-03-28 12:30:19 +11:00
parent e381994f19
commit d8773925e8
9910 changed files with 982718 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
node_modules/xss/LICENSE generated vendored Normal file
View File

@@ -0,0 +1,23 @@
Copyright (c) 2012-2018 Zongmin Lei(雷宗民) <leizongmin@gmail.com>
http://ucdok.com
The MIT License
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

522
node_modules/xss/README.md generated vendored Normal file
View File

@@ -0,0 +1,522 @@
[![NPM version][npm-image]][npm-url]
[![Node.js CI](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml/badge.svg)](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml)
[![Test coverage][coveralls-image]][coveralls-url]
[![David deps][david-image]][david-url]
[![node version][node-image]][node-url]
[![npm download][download-image]][download-url]
[![npm license][license-image]][download-url]
[npm-image]: https://img.shields.io/npm/v/xss.svg?style=flat-square
[npm-url]: https://npmjs.org/package/xss
[coveralls-image]: https://img.shields.io/coveralls/leizongmin/js-xss.svg?style=flat-square
[coveralls-url]: https://coveralls.io/r/leizongmin/js-xss?branch=master
[david-image]: https://img.shields.io/david/leizongmin/js-xss.svg?style=flat-square
[david-url]: https://david-dm.org/leizongmin/js-xss
[node-image]: https://img.shields.io/badge/node.js-%3E=_0.10-green.svg?style=flat-square
[node-url]: http://nodejs.org/download/
[download-image]: https://img.shields.io/npm/dm/xss.svg?style=flat-square
[download-url]: https://npmjs.org/package/xss
[license-image]: https://img.shields.io/npm/l/xss.svg
# Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist.
[![Greenkeeper badge](https://badges.greenkeeper.io/leizongmin/js-xss.svg)](https://greenkeeper.io/)
![xss](https://nodei.co/npm/xss.png?downloads=true&stars=true)
---
`xss` is a module used to filter input from users to prevent XSS attacks.
([What is XSS attack?](http://en.wikipedia.org/wiki/Cross-site_scripting))
**Project Homepage:** http://jsxss.com
**Try Online:** http://jsxss.com/en/try.html
**[中文版文档](https://github.com/leizongmin/js-xss/blob/master/README.zh.md)**
---
## Features
- Specifies HTML tags and their attributes allowed with whitelist
- Handle any tags or attributes using custom function.
## Reference
- [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
- [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme)
- [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b)
## Benchmark (for references only)
- the xss module: 22.53 MB/s
- `xss()` function from module `validator@0.3.7`: 6.9 MB/s
For test code please refer to `benchmark` directory.
## They are using xss module
- **nodeclub** - A Node.js bbs using MongoDB - https://github.com/cnodejs/nodeclub
- **cnpmjs.org** - Private npm registry and web for Enterprise - https://github.com/cnpm/cnpmjs.org
- **cocalc.com** - Collaborative Calculation and Data Science - https://cocalc.com
## Install
### NPM
```bash
npm install xss
```
### Bower
```bash
bower install xss
```
Or
```bash
bower install https://github.com/leizongmin/js-xss.git
```
## Usages
### On Node.js
```javascript
var xss = require("xss");
var html = xss('<script>alert("xss");</script>');
console.log(html);
```
### On Browser
Shim mode (reference file `test/test.html`):
```html
<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
<script>
// apply function filterXSS in the same way
var html = filterXSS('<script>alert("xss");</scr' + "ipt>");
alert(html);
</script>
```
AMD mode - shim:
```html
<script>
require.config({
baseUrl: "./",
paths: {
xss: "https://rawgit.com/leizongmin/js-xss/master/dist/xss.js",
},
shim: {
xss: { exports: "filterXSS" },
},
});
require(["xss"], function (xss) {
var html = xss('<script>alert("xss");</scr' + "ipt>");
alert(html);
});
</script>
```
**Notes: please don't use the URL https://rawgit.com/leizongmin/js-xss/master/dist/xss.js in production environment.**
## Command Line Tool
### Process File
You can use the xss command line tool to process a file. Usage:
```bash
xss -i <input_file> -o <output_file>
```
Example:
```bash
xss -i origin.html -o target.html
```
### Active Test
Run the following command, them you can type HTML
code in the command-line, and check the filtered output:
```bash
xss -t
```
For more details, please run `$ xss -h` to see it.
## Custom filter rules
When using the `xss()` function, the second parameter could be used to specify
custom rules:
```javascript
options = {}; // Custom rules
html = xss('<script>alert("xss");</script>', options);
```
To avoid passing `options` every time, you can also do it in a faster way by
creating a `FilterXSS` instance:
```javascript
options = {}; // Custom rules
myxss = new xss.FilterXSS(options);
// then apply myxss.process()
html = myxss.process('<script>alert("xss");</script>');
```
Details of parameters in `options` would be described below.
### Whitelist
By specifying a `whiteList`, e.g. `{ 'tagName': [ 'attr-1', 'attr-2' ] }`. Tags
and attributes not in the whitelist would be filter out. For example:
```javascript
// only tag a and its attributes href, title, target are allowed
var options = {
whiteList: {
a: ["href", "title", "target"],
},
};
// With the configuration specified above, the following HTML:
// <a href="#" onclick="hello()"><i>Hello</i></a>
// would become:
// <a href="#">&lt;i&gt;Hello&lt;/i&gt;</a>
```
For the default whitelist, please refer `xss.whiteList`.
`allowList` is also supported, and has the same function as `whiteList`.
### Customize the handler function for matched tags
By specifying the handler function with `onTag`:
```javascript
function onTag(tag, html, options) {
// tag is the name of current tag, e.g. 'a' for tag <a>
// html is the HTML of this tag, e.g. '<a>' for tag <a>
// options is some addition informations:
// isWhite boolean, whether the tag is in whitelist
// isClosing boolean, whether the tag is a closing tag, e.g. true for </a>
// position integer, the position of the tag in output result
// sourcePosition integer, the position of the tag in input HTML source
// If a string is returned, the current tag would be replaced with the string
// If return nothing, the default measure would be taken:
// If in whitelist: filter attributes using onTagAttr, as described below
// If not in whitelist: handle by onIgnoreTag, as described below
}
```
### Customize the handler function for attributes of matched tags
By specifying the handler function with `onTagAttr`:
```javascript
function onTagAttr(tag, name, value, isWhiteAttr) {
// tag is the name of current tag, e.g. 'a' for tag <a>
// name is the name of current attribute, e.g. 'href' for href="#"
// isWhiteAttr whether the attribute is in whitelist
// If a string is returned, the attribute would be replaced with the string
// If return nothing, the default measure would be taken:
// If in whitelist: filter the value using safeAttrValue as described below
// If not in whitelist: handle by onIgnoreTagAttr, as described below
}
```
### Customize the handler function for tags not in the whitelist
By specifying the handler function with `onIgnoreTag`:
```javascript
function onIgnoreTag(tag, html, options) {
// Parameters are the same with onTag
// If a string is returned, the tag would be replaced with the string
// If return nothing, the default measure would be taken (specifies using
// escape, as described below)
}
```
### Customize the handler function for attributes not in the whitelist
By specifying the handler function with `onIgnoreTagAttr`:
```javascript
function onIgnoreTagAttr(tag, name, value, isWhiteAttr) {
// Parameters are the same with onTagAttr
// If a string is returned, the value would be replaced with this string
// If return nothing, then keep default (remove the attribute)
}
```
### Customize escaping function for HTML
By specifying the handler function with `escapeHtml`. Following is the default
function **(Modification is not recommended)**:
```javascript
function escapeHtml(html) {
return html.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
```
### Customize escaping function for value of attributes
By specifying the handler function with `safeAttrValue`:
```javascript
function safeAttrValue(tag, name, value) {
// Parameters are the same with onTagAttr (without options)
// Return the value as a string
}
```
### Customize output attribute value syntax for HTML
By specifying a `singleQuotedAttributeValue`. Use `true` for `'`. Otherwise default `"` will be used
```javascript
var options = {
singleQuotedAttributeValue: true,
};
// With the configuration specified above, the following HTML:
// <a href="#">Hello</a>
// would become:
// <a href='#'>Hello</a>
```
### Customize CSS filter
If you allow the attribute `style`, the value will be processed by [cssfilter](https://github.com/leizongmin/js-css-filter) module. The cssfilter module includes a default css whitelist. You can specify the options for cssfilter module like this:
```javascript
myxss = new xss.FilterXSS({
css: {
whiteList: {
position: /^fixed|relative$/,
top: true,
left: true,
},
},
});
html = myxss.process('<script>alert("xss");</script>');
```
If you don't want to filter out the `style` content, just specify `false` to the `css` option:
```javascript
myxss = new xss.FilterXSS({
css: false,
});
```
For more help, please see https://github.com/leizongmin/js-css-filter
### Quick Start
#### Filter out tags not in the whitelist
By using `stripIgnoreTag` parameter:
- `true` filter out tags not in the whitelist
- `false`: by default: escape the tag using configured `escape` function
Example:
If `stripIgnoreTag = true` is set, the following code:
```html
code:
<script>
alert(/xss/);
</script>
```
would output filtered:
```html
code:alert(/xss/);
```
#### Filter out tags and tag bodies not in the whitelist
By using `stripIgnoreTagBody` parameter:
- `false|null|undefined` by default: do nothing
- `'*'|true`: filter out all tags not in the whitelist
- `['tag1', 'tag2']`: filter out only specified tags not in the whitelist
Example:
If `stripIgnoreTagBody = ['script']` is set, the following code:
```html
code:
<script>
alert(/xss/);
</script>
```
would output filtered:
```html
code:
```
#### Filter out HTML comments
By using `allowCommentTag` parameter:
- `true`: do nothing
- `false` by default: filter out HTML comments
Example:
If `allowCommentTag = false` is set, the following code:
```html
code:<!-- something -->
END
```
would output filtered:
```html
code: END
```
## Examples
### Allow attributes of whitelist tags start with `data-`
```javascript
var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>';
var html = xss(source, {
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
if (name.substr(0, 5) === "data-") {
// escape its value using built-in escapeAttrValue function
return name + '="' + xss.escapeAttrValue(value) + '"';
}
},
});
console.log("%s\nconvert to:\n%s", source, html);
```
Result:
```html
<div a="1" b="2" data-a="3" data-b="4">hello</div>
convert to:
<div data-a="3" data-b="4">hello</div>
```
### Allow tags start with `x-`
```javascript
var source = "<x><x-1>he<x-2 checked></x-2>wwww</x-1><a>";
var html = xss(source, {
onIgnoreTag: function (tag, html, options) {
if (tag.substr(0, 2) === "x-") {
// do not filter its attributes
return html;
}
},
});
console.log("%s\nconvert to:\n%s", source, html);
```
Result:
```html
<x
><x-1>he<x-2 checked></x-2>wwww</x-1
><a>
convert to: &lt;x&gt;<x-1>he<x-2 checked></x-2>wwww</x-1><a></a></a
></x>
```
### Parse images in HTML
```javascript
var source =
'<img src="img1">a<img src="img2">b<img src="img3">c<img src="img4">d';
var list = [];
var html = xss(source, {
onTagAttr: function (tag, name, value, isWhiteAttr) {
if (tag === "img" && name === "src") {
// Use the built-in friendlyAttrValue function to escape attribute
// values. It supports converting entity tags such as &lt; to printable
// characters such as <
list.push(xss.friendlyAttrValue(value));
}
// Return nothing, means keep the default handling measure
},
});
console.log("image list:\n%s", list.join(", "));
```
Result:
```html
image list: img1, img2, img3, img4
```
### Filter out HTML tags (keeps only plain text)
```javascript
var source = "<strong>hello</strong><script>alert(/xss/);</script>end";
var html = xss(source, {
whiteList: {}, // empty, means filter out all tags
stripIgnoreTag: true, // filter out all HTML not in the whitelist
stripIgnoreTagBody: ["script"], // the script tag is a special case, we need
// to filter out its content
});
console.log("text: %s", html);
```
Result:
```html
text: helloend
```
## License
```text
Copyright (c) 2012-2018 Zongmin Lei(雷宗民) <leizongmin@gmail.com>
http://ucdok.com
The MIT License
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
```

491
node_modules/xss/README.zh.md generated vendored Normal file
View File

@@ -0,0 +1,491 @@
[![NPM version][npm-image]][npm-url]
[![Node.js CI](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml/badge.svg)](https://github.com/leizongmin/js-xss/actions/workflows/nodejs.yml)
[![Test coverage][coveralls-image]][coveralls-url]
[![David deps][david-image]][david-url]
[![node version][node-image]][node-url]
[![npm download][download-image]][download-url]
[![npm license][license-image]][download-url]
[npm-image]: https://img.shields.io/npm/v/xss.svg?style=flat-square
[npm-url]: https://npmjs.org/package/xss
[coveralls-image]: https://img.shields.io/coveralls/leizongmin/js-xss.svg?style=flat-square
[coveralls-url]: https://coveralls.io/r/leizongmin/js-xss?branch=master
[david-image]: https://img.shields.io/david/leizongmin/js-xss.svg?style=flat-square
[david-url]: https://david-dm.org/leizongmin/js-xss
[node-image]: https://img.shields.io/badge/node.js-%3E=_0.10-green.svg?style=flat-square
[node-url]: http://nodejs.org/download/
[download-image]: https://img.shields.io/npm/dm/xss.svg?style=flat-square
[download-url]: https://npmjs.org/package/xss
[license-image]: https://img.shields.io/npm/l/xss.svg
# 根据白名单过滤 HTML(防止 XSS 攻击)
![xss](https://nodei.co/npm/xss.png?downloads=true&stars=true)
---
`xss`是一个用于对用户输入的内容进行过滤,以避免遭受 XSS 攻击的模块([什么是 XSS 攻击?](http://baike.baidu.com/view/2161269.htm))。主要用于论坛、博客、网上商店等等一些可允许用户录入页面排版、格式控制相关的 HTML 的场景,`xss`模块通过白名单来控制允许的标签及相关的标签属性,另外还提供了一系列的接口以便用户扩展,比其他同类模块更为灵活。
**项目主页:** http://jsxss.com
**在线测试:** http://jsxss.com/zh/try.html
---
## 特性
- 白名单控制允许的 HTML 标签及各标签的属性
- 通过自定义处理函数,可对任意标签及其属性进行处理
## 参考资料
- [XSS 与字符编码的那些事儿 ---科普文](http://drops.wooyun.org/tips/689)
- [腾讯实例教程:那些年我们一起学 XSS](http://www.wooyun.org/whitehats/%E5%BF%83%E4%BC%A4%E7%9A%84%E7%98%A6%E5%AD%90)
- [mXSS 攻击的成因及常见种类](http://drops.wooyun.org/tips/956)
- [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
- [Data URI scheme](http://en.wikipedia.org/wiki/Data_URI_scheme)
- [XSS with Data URI Scheme](http://hi.baidu.com/badzzzz/item/bdbafe83144619c199255f7b)
## 性能(仅作参考)
- xss 模块22.53 MB/s
- validator@0.3.7 模块的 xss()函数6.9 MB/s
测试代码参考 benchmark 目录
## 安装
### NPM
```bash
npm install xss
```
### Bower
```bash
bower install xss
```
或者
```bash
bower install https://github.com/leizongmin/js-xss.git
```
## 使用方法
### 在 Node.js 中使用
```javascript
var xss = require("xss");
var html = xss('<script>alert("xss");</script>');
console.log(html);
```
### 在浏览器端使用
Shim 模式(参考文件 `test/test.html`:
```html
<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
<script>
// 使用函数名 filterXSS用法一样
var html = filterXSS('<script>alert("xss");</scr' + "ipt>");
alert(html);
</script>
```
AMD 模式(参考文件 `test/test_amd.html`:
```html
<script>
require.config({
baseUrl: "./",
paths: {
xss: "https://rawgit.com/leizongmin/js-xss/master/dist/xss.js",
},
shim: {
xss: { exports: "filterXSS" },
},
});
require(["xss"], function (xss) {
var html = xss('<script>alert("xss");</scr' + "ipt>");
alert(html);
});
</script>
```
**说明:请勿将 URL https://rawgit.com/leizongmin/js-xss/master/dist/xss.js 用于生产环境。**
### 使用命令行工具来对文件进行 XSS 处理
### 处理文件
可通过内置的 `xss` 命令来对输入的文件进行 XSS 处理。使用方法:
```bash
xss -i <源文件> -o <目标文件>
```
例:
```bash
xss -i origin.html -o target.html
```
### 在线测试
执行以下命令,可在命令行中输入 HTML 代码,并看到过滤后的代码:
```bash
xss -t
```
详细命令行参数说明,请输入 `$ xss -h` 来查看。
## 自定义过滤规则
在调用 `xss()` 函数进行过滤时,可通过第二个参数来设置自定义规则:
```javascript
options = {}; // 自定义规则
html = xss('<script>alert("xss");</script>', options);
```
如果不想每次都传入一个 `options` 参数,可以创建一个 `FilterXSS` 实例(使用这种方法速度更快):
```
options = {}; // 自定义规则
myxss = new xss.FilterXSS(options);
// 以后直接调用 myxss.process() 来处理即可
html = myxss.process('<script>alert("xss");</script>');
```
`options` 参数的详细说明见下文。
### 白名单
通过 `whiteList` 来指定,格式为:`{'标签名': ['属性1', '属性2']}`。不在白名单上的标签将被过滤,不在白名单上的属性也会被过滤。以下是示例:
```javascript
// 只允许a标签该标签只允许href, title, target这三个属性
var options = {
whiteList: {
a: ["href", "title", "target"],
},
};
// 使用以上配置后下面的HTML
// <a href="#" onclick="hello()"><i>大家好</i></a>
// 将被过滤为
// <a href="#">大家好</a>
```
默认白名单参考 `xss.whiteList`
### 自定义匹配到标签时的处理方法
通过 `onTag` 来指定相应的处理函数。以下是详细说明:
```javascript
function onTag(tag, html, options) {
// tag是当前的标签名称比如<a>标签则tag的值是'a'
// html是该标签的HTML比如<a>标签则html的值是'<a>'
// options是一些附加的信息具体如下
// isWhite boolean类型表示该标签是否在白名单上
// isClosing boolean类型表示该标签是否为闭合标签比如</a>时为true
// position integer类型表示当前标签在输出的结果中的起始位置
// sourcePosition integer类型表示当前标签在原HTML中的起始位置
// 如果返回一个字符串,则当前标签将被替换为该字符串
// 如果不返回任何值,则使用默认的处理方法:
// 在白名单上: 通过onTagAttr来过滤属性详见下文
// 不在白名单上通过onIgnoreTag指定详见下文
}
```
### 自定义匹配到标签的属性时的处理方法
通过 `onTagAttr` 来指定相应的处理函数。以下是详细说明:
```javascript
function onTagAttr(tag, name, value, isWhiteAttr) {
// tag是当前的标签名称比如<a>标签则tag的值是'a'
// name是当前属性的名称比如href="#"则name的值是'href'
// value是当前属性的值比如href="#"则value的值是'#'
// isWhiteAttr是否为白名单上的属性
// 如果返回一个字符串,则当前属性值将被替换为该字符串
// 如果不返回任何值,则使用默认的处理方法
// 在白名单上: 调用safeAttrValue来过滤属性值并输出该属性详见下文
// 不在白名单上通过onIgnoreTagAttr指定详见下文
}
```
### 自定义匹配到不在白名单上的标签时的处理方法
通过 `onIgnoreTag` 来指定相应的处理函数。以下是详细说明:
```javascript
function onIgnoreTag(tag, html, options) {
// 参数说明与onTag相同
// 如果返回一个字符串,则当前标签将被替换为该字符串
// 如果不返回任何值则使用默认的处理方法通过escape指定详见下文
}
```
### 自定义匹配到不在白名单上的属性时的处理方法
通过 `onIgnoreTagAttr` 来指定相应的处理函数。以下是详细说明:
```javascript
function onIgnoreTagAttr(tag, name, value, isWhiteAttr) {
// 参数说明与onTagAttr相同
// 如果返回一个字符串,则当前属性值将被替换为该字符串
// 如果不返回任何值,则使用默认的处理方法(删除该属性)
}
```
### 自定义 HTML 转义函数
通过 `escapeHtml` 来指定相应的处理函数。以下是默认代码 **(不建议修改)**
```javascript
function escapeHtml(html) {
return html.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
```
### 自定义标签属性值的转义函数
通过 `safeAttrValue` 来指定相应的处理函数。以下是详细说明:
```javascript
function safeAttrValue(tag, name, value) {
// 参数说明与onTagAttr相同没有options参数
// 返回一个字符串表示该属性值
}
```
### 自定义 CSS 过滤器
如果配置中允许了标签的 `style` 属性,则它的值会通过[cssfilter](https://github.com/leizongmin/js-css-filter) 模块处理。
`cssfilter` 模块包含了一个默认的 CSS 白名单,你可以通过以下的方式配置:
```javascript
myxss = new xss.FilterXSS({
css: {
whiteList: {
position: /^fixed|relative$/,
top: true,
left: true,
},
},
});
html = myxss.process('<script>alert("xss");</script>');
```
如果不想使用 CSS 过滤器来处理 `style` 属性的内容,可指定 `css` 选项的值为 `false`
```javascript
myxss = new xss.FilterXSS({
css: false,
});
```
要获取更多的帮助信息可看这里https://github.com/leizongmin/js-css-filter
### 快捷配置
#### 去掉不在白名单上的标签
通过 `stripIgnoreTag` 来设置:
- `true`:去掉不在白名单上的标签
- `false`:(默认),使用配置的`escape`函数对该标签进行转义
示例:
当设置 `stripIgnoreTag = true`时,以下代码
```html
code:
<script>
alert(/xss/);
</script>
```
过滤后将输出
```html
code:alert(/xss/);
```
#### 去掉不在白名单上的标签及标签体
通过 `stripIgnoreTagBody` 来设置:
- `false|null|undefined`:(默认),不特殊处理
- `'*'|true`:去掉所有不在白名单上的标签
- `['tag1', 'tag2']`:仅去掉指定的不在白名单上的标签
示例:
当设置 `stripIgnoreTagBody = ['script']`时,以下代码
```html
code:
<script>
alert(/xss/);
</script>
```
过滤后将输出
```html
code:
```
#### 去掉 HTML 备注
通过 `allowCommentTag` 来设置:
- `true`:不处理
- `false`:(默认),自动去掉 HTML 中的备注
示例:
当设置 `allowCommentTag = false` 时,以下代码
```html
code:<!-- something -->
END
```
过滤后将输出
```html
code: END
```
## 应用实例
### 允许标签以 data-开头的属性
```javascript
var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>';
var html = xss(source, {
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
if (name.substr(0, 5) === "data-") {
// 通过内置的escapeAttrValue函数来对属性值进行转义
return name + '="' + xss.escapeAttrValue(value) + '"';
}
},
});
console.log("%s\nconvert to:\n%s", source, html);
```
运行结果:
```html
<div a="1" b="2" data-a="3" data-b="4">hello</div>
convert to:
<div data-a="3" data-b="4">hello</div>
```
### 允许名称以 x-开头的标签
```javascript
var source = "<x><x-1>he<x-2 checked></x-2>wwww</x-1><a>";
var html = xss(source, {
onIgnoreTag: function (tag, html, options) {
if (tag.substr(0, 2) === "x-") {
// 不对其属性列表进行过滤
return html;
}
},
});
console.log("%s\nconvert to:\n%s", source, html);
```
运行结果:
```html
<x
><x-1>he<x-2 checked></x-2>wwww</x-1
><a>
convert to: &lt;x&gt;<x-1>he<x-2 checked></x-2>wwww</x-1><a></a></a
></x>
```
### 分析 HTML 代码中的图片列表
```javascript
var source =
'<img src="img1">a<img src="img2">b<img src="img3">c<img src="img4">d';
var list = [];
var html = xss(source, {
onTagAttr: function (tag, name, value, isWhiteAttr) {
if (tag === "img" && name === "src") {
// 使用内置的friendlyAttrValue函数来对属性值进行转义可将&lt;这类的实体标记转换成打印字符<
list.push(xss.friendlyAttrValue(value));
}
// 不返回任何值,表示还是按照默认的方法处理
},
});
console.log("image list:\n%s", list.join(", "));
```
运行结果:
```html
image list: img1, img2, img3, img4
```
### 去除 HTML 标签(只保留文本内容)
```javascript
var source = "<strong>hello</strong><script>alert(/xss/);</script>end";
var html = xss(source, {
whiteList: {}, // 白名单为空,表示过滤所有标签
stripIgnoreTag: true, // 过滤所有非白名单标签的HTML
stripIgnoreTagBody: ["script"], // script标签较特殊需要过滤标签中间的内容
});
console.log("text: %s", html);
```
运行结果:
```html
text: helloend
```
## 授权协议
```text
Copyright (c) 2012-2018 Zongmin Lei(雷宗民) <leizongmin@gmail.com>
http://ucdok.com
The MIT License
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
```

67
node_modules/xss/bin/xss generated vendored Executable file
View File

@@ -0,0 +1,67 @@
#!/usr/bin/env node
/**
* 命令行工具
*
* @author Zongmin Lei<leizongmin@gmail.com>
*/
var fs = require('fs');
var path = require('path');
var program = require('commander');
var xss = require('../');
var packageInfo = require('../package.json');
program
.version(packageInfo.version)
.option('-t, --test', 'active test')
.option('-i, --input <input_file>', 'input file name')
.option('-o, --output <output_file>', 'output filename')
.option('-c, --config <config_file>', 'load custom config')
.option('-s, --strip-ignore-tag', 'set stripIgnoreTag=true')
.option('-b, --strip-ignore-tag-body', 'set stripIgnoreTagBody=true');
program.on('--help', function () {
console.log(' Examples:');
console.log('');
console.log(' $ xss -t');
console.log(' $ xss -i origin.html');
console.log(' $ xss -i origin.html -o targer.html');
console.log(' $ xss -i origin.html -c config.js');
console.log(' $ xss -i origin.html -s');
console.log(' $ xss -i origin.html -s -b');
console.log('');
console.log(' For more details, please see: https://npmjs.org/package/xss')
});
program.parse(process.argv);
if (program.test) {
require('../lib/cli');
return;
}
var config = {};
if (program.config) {
config = require(path.resolve(program.config));
}
if (program.input) {
var input = fs.readFileSync(program.input, 'utf8');
} else {
program.help();
}
if (program['strip-ignore-tag']) {
config.stripIgnoreTag = true;
}
if (program['strip-ignore-tag-body']) {
config.stripIgnoreTagBody = true;
}
var output = xss(input, config);
if (program.output) {
fs.writeFileSync(program.output, output);
} else {
console.log(output);
}

15
node_modules/xss/dist/test.html generated vendored Normal file
View File

@@ -0,0 +1,15 @@
<!doctype html>
<html>
<head>
<title>测试</title>
<meta charset="utf8">
</head>
<body>
<pre id="result"></pre>
</body>
</html>
<script src="xss.js"></script>
<script>
var code = '<script>alert("xss");</' + 'script>';
document.querySelector('#result').innerText = code + '\n被转换成了\n' + filterXSS(code);
</script>

1705
node_modules/xss/dist/xss.js generated vendored Normal file
View File

File diff suppressed because it is too large Load Diff

1
node_modules/xss/dist/xss.min.js generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

45
node_modules/xss/lib/cli.js generated vendored Normal file
View File

@@ -0,0 +1,45 @@
/**
* command line tool
*
* @author Zongmin Lei<leizongmin@gmail.com>
*/
var xss = require("./");
var readline = require("readline");
var rl = readline.createInterface({
input: process.stdin,
output: process.stdout,
});
console.log('Enter a blank line to do xss(), enter "@quit" to exit.\n');
function take(c, n) {
var ret = "";
for (var i = 0; i < n; i++) {
ret += c;
}
return ret;
}
function setPrompt(line) {
line = line.toString();
rl.setPrompt("[" + line + "]" + take(" ", 5 - line.length));
rl.prompt();
}
setPrompt(1);
var html = [];
rl.on("line", function (line) {
if (line === "@quit") return process.exit();
if (line === "") {
console.log("");
console.log(xss(html.join("\r\n")));
console.log("");
html = [];
} else {
html.push(line);
}
setPrompt(html.length + 1);
});

461
node_modules/xss/lib/default.js generated vendored Normal file
View File

@@ -0,0 +1,461 @@
/**
* default settings
*
* @author Zongmin Lei<leizongmin@gmail.com>
*/
var FilterCSS = require("cssfilter").FilterCSS;
var getDefaultCSSWhiteList = require("cssfilter").getDefaultWhiteList;
var _ = require("./util");
function getDefaultWhiteList() {
return {
a: ["target", "href", "title"],
abbr: ["title"],
address: [],
area: ["shape", "coords", "href", "alt"],
article: [],
aside: [],
audio: [
"autoplay",
"controls",
"crossorigin",
"loop",
"muted",
"preload",
"src",
],
b: [],
bdi: ["dir"],
bdo: ["dir"],
big: [],
blockquote: ["cite"],
br: [],
caption: [],
center: [],
cite: [],
code: [],
col: ["align", "valign", "span", "width"],
colgroup: ["align", "valign", "span", "width"],
dd: [],
del: ["datetime"],
details: ["open"],
div: [],
dl: [],
dt: [],
em: [],
figcaption: [],
figure: [],
font: ["color", "size", "face"],
footer: [],
h1: [],
h2: [],
h3: [],
h4: [],
h5: [],
h6: [],
header: [],
hr: [],
i: [],
img: ["src", "alt", "title", "width", "height", "loading"],
ins: ["datetime"],
kbd: [],
li: [],
mark: [],
nav: [],
ol: [],
p: [],
pre: [],
s: [],
section: [],
small: [],
span: [],
sub: [],
summary: [],
sup: [],
strong: [],
strike: [],
table: ["width", "border", "align", "valign"],
tbody: ["align", "valign"],
td: ["width", "rowspan", "colspan", "align", "valign"],
tfoot: ["align", "valign"],
th: ["width", "rowspan", "colspan", "align", "valign"],
thead: ["align", "valign"],
tr: ["rowspan", "align", "valign"],
tt: [],
u: [],
ul: [],
video: [
"autoplay",
"controls",
"crossorigin",
"loop",
"muted",
"playsinline",
"poster",
"preload",
"src",
"height",
"width",
],
};
}
var defaultCSSFilter = new FilterCSS();
/**
* default onTag function
*
* @param {String} tag
* @param {String} html
* @param {Object} options
* @return {String}
*/
function onTag(tag, html, options) {
// do nothing
}
/**
* default onIgnoreTag function
*
* @param {String} tag
* @param {String} html
* @param {Object} options
* @return {String}
*/
function onIgnoreTag(tag, html, options) {
// do nothing
}
/**
* default onTagAttr function
*
* @param {String} tag
* @param {String} name
* @param {String} value
* @return {String}
*/
function onTagAttr(tag, name, value) {
// do nothing
}
/**
* default onIgnoreTagAttr function
*
* @param {String} tag
* @param {String} name
* @param {String} value
* @return {String}
*/
function onIgnoreTagAttr(tag, name, value) {
// do nothing
}
/**
* default escapeHtml function
*
* @param {String} html
*/
function escapeHtml(html) {
return html.replace(REGEXP_LT, "&lt;").replace(REGEXP_GT, "&gt;");
}
/**
* default safeAttrValue function
*
* @param {String} tag
* @param {String} name
* @param {String} value
* @param {Object} cssFilter
* @return {String}
*/
function safeAttrValue(tag, name, value, cssFilter) {
// unescape attribute value firstly
value = friendlyAttrValue(value);
if (name === "href" || name === "src") {
// filter `href` and `src` attribute
// only allow the value that starts with `http://` | `https://` | `mailto:` | `/` | `#`
value = _.trim(value);
if (value === "#") return "#";
if (
!(
value.substr(0, 7) === "http://" ||
value.substr(0, 8) === "https://" ||
value.substr(0, 7) === "mailto:" ||
value.substr(0, 4) === "tel:" ||
value.substr(0, 11) === "data:image/" ||
value.substr(0, 6) === "ftp://" ||
value.substr(0, 2) === "./" ||
value.substr(0, 3) === "../" ||
value[0] === "#" ||
value[0] === "/"
)
) {
return "";
}
} else if (name === "background") {
// filter `background` attribute (maybe no use)
// `javascript:`
REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
return "";
}
} else if (name === "style") {
// `expression()`
REGEXP_DEFAULT_ON_TAG_ATTR_7.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_7.test(value)) {
return "";
}
// `url()`
REGEXP_DEFAULT_ON_TAG_ATTR_8.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_8.test(value)) {
REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
return "";
}
}
if (cssFilter !== false) {
cssFilter = cssFilter || defaultCSSFilter;
value = cssFilter.process(value);
}
}
// escape `<>"` before returns
value = escapeAttrValue(value);
return value;
}
// RegExp list
var REGEXP_LT = /</g;
var REGEXP_GT = />/g;
var REGEXP_QUOTE = /"/g;
var REGEXP_QUOTE_2 = /&quot;/g;
var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim;
var REGEXP_ATTR_VALUE_COLON = /&colon;?/gim;
var REGEXP_ATTR_VALUE_NEWLINE = /&newline;?/gim;
// var REGEXP_DEFAULT_ON_TAG_ATTR_3 = /\/\*|\*\//gm;
var REGEXP_DEFAULT_ON_TAG_ATTR_4 =
/((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/gi;
// var REGEXP_DEFAULT_ON_TAG_ATTR_5 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:/gi;
// var REGEXP_DEFAULT_ON_TAG_ATTR_6 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:\s*image\//gi;
var REGEXP_DEFAULT_ON_TAG_ATTR_7 =
/e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*\(.*/gi;
var REGEXP_DEFAULT_ON_TAG_ATTR_8 = /u\s*r\s*l\s*\(.*/gi;
/**
* escape double quote
*
* @param {String} str
* @return {String} str
*/
function escapeQuote(str) {
return str.replace(REGEXP_QUOTE, "&quot;");
}
/**
* unescape double quote
*
* @param {String} str
* @return {String} str
*/
function unescapeQuote(str) {
return str.replace(REGEXP_QUOTE_2, '"');
}
/**
* escape html entities
*
* @param {String} str
* @return {String}
*/
function escapeHtmlEntities(str) {
return str.replace(REGEXP_ATTR_VALUE_1, function replaceUnicode(str, code) {
return code[0] === "x" || code[0] === "X"
? String.fromCharCode(parseInt(code.substr(1), 16))
: String.fromCharCode(parseInt(code, 10));
});
}
/**
* escape html5 new danger entities
*
* @param {String} str
* @return {String}
*/
function escapeDangerHtml5Entities(str) {
return str
.replace(REGEXP_ATTR_VALUE_COLON, ":")
.replace(REGEXP_ATTR_VALUE_NEWLINE, " ");
}
/**
* clear nonprintable characters
*
* @param {String} str
* @return {String}
*/
function clearNonPrintableCharacter(str) {
var str2 = "";
for (var i = 0, len = str.length; i < len; i++) {
str2 += str.charCodeAt(i) < 32 ? " " : str.charAt(i);
}
return _.trim(str2);
}
/**
* get friendly attribute value
*
* @param {String} str
* @return {String}
*/
function friendlyAttrValue(str) {
str = unescapeQuote(str);
str = escapeHtmlEntities(str);
str = escapeDangerHtml5Entities(str);
str = clearNonPrintableCharacter(str);
return str;
}
/**
* unescape attribute value
*
* @param {String} str
* @return {String}
*/
function escapeAttrValue(str) {
str = escapeQuote(str);
str = escapeHtml(str);
return str;
}
/**
* `onIgnoreTag` function for removing all the tags that are not in whitelist
*/
function onIgnoreTagStripAll() {
return "";
}
/**
* remove tag body
* specify a `tags` list, if the tag is not in the `tags` list then process by the specify function (optional)
*
* @param {array} tags
* @param {function} next
*/
function StripTagBody(tags, next) {
if (typeof next !== "function") {
next = function () {};
}
var isRemoveAllTag = !Array.isArray(tags);
function isRemoveTag(tag) {
if (isRemoveAllTag) return true;
return _.indexOf(tags, tag) !== -1;
}
var removeList = [];
var posStart = false;
return {
onIgnoreTag: function (tag, html, options) {
if (isRemoveTag(tag)) {
if (options.isClosing) {
var ret = "[/removed]";
var end = options.position + ret.length;
removeList.push([
posStart !== false ? posStart : options.position,
end,
]);
posStart = false;
return ret;
} else {
if (!posStart) {
posStart = options.position;
}
return "[removed]";
}
} else {
return next(tag, html, options);
}
},
remove: function (html) {
var rethtml = "";
var lastPos = 0;
_.forEach(removeList, function (pos) {
rethtml += html.slice(lastPos, pos[0]);
lastPos = pos[1];
});
rethtml += html.slice(lastPos);
return rethtml;
},
};
}
/**
* remove html comments
*
* @param {String} html
* @return {String}
*/
function stripCommentTag(html) {
var retHtml = "";
var lastPos = 0;
while (lastPos < html.length) {
var i = html.indexOf("<!--", lastPos);
if (i === -1) {
retHtml += html.slice(lastPos);
break;
}
retHtml += html.slice(lastPos, i);
var j = html.indexOf("-->", i);
if (j === -1) {
break;
}
lastPos = j + 3;
}
return retHtml;
}
/**
* remove invisible characters
*
* @param {String} html
* @return {String}
*/
function stripBlankChar(html) {
var chars = html.split("");
chars = chars.filter(function (char) {
var c = char.charCodeAt(0);
if (c === 127) return false;
if (c <= 31) {
if (c === 10 || c === 13) return true;
return false;
}
return true;
});
return chars.join("");
}
exports.whiteList = getDefaultWhiteList();
exports.getDefaultWhiteList = getDefaultWhiteList;
exports.onTag = onTag;
exports.onIgnoreTag = onIgnoreTag;
exports.onTagAttr = onTagAttr;
exports.onIgnoreTagAttr = onIgnoreTagAttr;
exports.safeAttrValue = safeAttrValue;
exports.escapeHtml = escapeHtml;
exports.escapeQuote = escapeQuote;
exports.unescapeQuote = unescapeQuote;
exports.escapeHtmlEntities = escapeHtmlEntities;
exports.escapeDangerHtml5Entities = escapeDangerHtml5Entities;
exports.clearNonPrintableCharacter = clearNonPrintableCharacter;
exports.friendlyAttrValue = friendlyAttrValue;
exports.escapeAttrValue = escapeAttrValue;
exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
exports.StripTagBody = StripTagBody;
exports.stripCommentTag = stripCommentTag;
exports.stripBlankChar = stripBlankChar;
exports.attributeWrapSign = '"';
exports.cssFilter = defaultCSSFilter;
exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;

51
node_modules/xss/lib/index.js generated vendored Normal file
View File

@@ -0,0 +1,51 @@
/**
* xss
*
* @author Zongmin Lei<leizongmin@gmail.com>
*/
var DEFAULT = require("./default");
var parser = require("./parser");
var FilterXSS = require("./xss");
/**
* filter xss function
*
* @param {String} html
* @param {Object} options { whiteList, onTag, onTagAttr, onIgnoreTag, onIgnoreTagAttr, safeAttrValue, escapeHtml }
* @return {String}
*/
function filterXSS(html, options) {
var xss = new FilterXSS(options);
return xss.process(html);
}
exports = module.exports = filterXSS;
exports.filterXSS = filterXSS;
exports.FilterXSS = FilterXSS;
(function () {
for (var i in DEFAULT) {
exports[i] = DEFAULT[i];
}
for (var j in parser) {
exports[j] = parser[j];
}
})();
// using `xss` on the browser, output `filterXSS` to the globals
if (typeof window !== "undefined") {
window.filterXSS = module.exports;
}
// using `xss` on the WebWorker, output `filterXSS` to the globals
function isWorkerEnv() {
return (
typeof self !== "undefined" &&
typeof DedicatedWorkerGlobalScope !== "undefined" &&
self instanceof DedicatedWorkerGlobalScope
);
}
if (isWorkerEnv()) {
self.filterXSS = module.exports;
}

257
node_modules/xss/lib/parser.js generated vendored Normal file
View File

@@ -0,0 +1,257 @@
/**
* Simple HTML Parser
*
* @author Zongmin Lei<leizongmin@gmail.com>
*/
var _ = require("./util");
/**
* get tag name
*
* @param {String} html e.g. '<a hef="#">'
* @return {String}
*/
function getTagName(html) {
var i = _.spaceIndex(html);
var tagName;
if (i === -1) {
tagName = html.slice(1, -1);
} else {
tagName = html.slice(1, i + 1);
}
tagName = _.trim(tagName).toLowerCase();
if (tagName.slice(0, 1) === "/") tagName = tagName.slice(1);
if (tagName.slice(-1) === "/") tagName = tagName.slice(0, -1);
return tagName;
}
/**
* is close tag?
*
* @param {String} html 如:'<a hef="#">'
* @return {Boolean}
*/
function isClosing(html) {
return html.slice(0, 2) === "</";
}
/**
* parse input html and returns processed html
*
* @param {String} html
* @param {Function} onTag e.g. function (sourcePosition, position, tag, html, isClosing)
* @param {Function} escapeHtml
* @return {String}
*/
function parseTag(html, onTag, escapeHtml) {
"use strict";
var rethtml = "";
var lastPos = 0;
var tagStart = false;
var quoteStart = false;
var currentPos = 0;
var len = html.length;
var currentTagName = "";
var currentHtml = "";
chariterator: for (currentPos = 0; currentPos < len; currentPos++) {
var c = html.charAt(currentPos);
if (tagStart === false) {
if (c === "<") {
tagStart = currentPos;
continue;
}
} else {
if (quoteStart === false) {
if (c === "<") {
rethtml += escapeHtml(html.slice(lastPos, currentPos));
tagStart = currentPos;
lastPos = currentPos;
continue;
}
if (c === ">" || currentPos === len - 1) {
rethtml += escapeHtml(html.slice(lastPos, tagStart));
currentHtml = html.slice(tagStart, currentPos + 1);
currentTagName = getTagName(currentHtml);
rethtml += onTag(
tagStart,
rethtml.length,
currentTagName,
currentHtml,
isClosing(currentHtml)
);
lastPos = currentPos + 1;
tagStart = false;
continue;
}
if (c === '"' || c === "'") {
var i = 1;
var ic = html.charAt(currentPos - i);
while (ic.trim() === "" || ic === "=") {
if (ic === "=") {
quoteStart = c;
continue chariterator;
}
ic = html.charAt(currentPos - ++i);
}
}
} else {
if (c === quoteStart) {
quoteStart = false;
continue;
}
}
}
}
if (lastPos < len) {
rethtml += escapeHtml(html.substr(lastPos));
}
return rethtml;
}
var REGEXP_ILLEGAL_ATTR_NAME = /[^a-zA-Z0-9\\_:.-]/gim;
/**
* parse input attributes and returns processed attributes
*
* @param {String} html e.g. `href="#" target="_blank"`
* @param {Function} onAttr e.g. `function (name, value)`
* @return {String}
*/
function parseAttr(html, onAttr) {
"use strict";
var lastPos = 0;
var lastMarkPos = 0;
var retAttrs = [];
var tmpName = false;
var len = html.length;
function addAttr(name, value) {
name = _.trim(name);
name = name.replace(REGEXP_ILLEGAL_ATTR_NAME, "").toLowerCase();
if (name.length < 1) return;
var ret = onAttr(name, value || "");
if (ret) retAttrs.push(ret);
}
// 逐个分析字符
for (var i = 0; i < len; i++) {
var c = html.charAt(i);
var v, j;
if (tmpName === false && c === "=") {
tmpName = html.slice(lastPos, i);
lastPos = i + 1;
lastMarkPos = html.charAt(lastPos) === '"' || html.charAt(lastPos) === "'" ? lastPos : findNextQuotationMark(html, i + 1);
continue;
}
if (tmpName !== false) {
if (
i === lastMarkPos
) {
j = html.indexOf(c, i + 1);
if (j === -1) {
break;
} else {
v = _.trim(html.slice(lastMarkPos + 1, j));
addAttr(tmpName, v);
tmpName = false;
i = j;
lastPos = i + 1;
continue;
}
}
}
if (/\s|\n|\t/.test(c)) {
html = html.replace(/\s|\n|\t/g, " ");
if (tmpName === false) {
j = findNextEqual(html, i);
if (j === -1) {
v = _.trim(html.slice(lastPos, i));
addAttr(v);
tmpName = false;
lastPos = i + 1;
continue;
} else {
i = j - 1;
continue;
}
} else {
j = findBeforeEqual(html, i - 1);
if (j === -1) {
v = _.trim(html.slice(lastPos, i));
v = stripQuoteWrap(v);
addAttr(tmpName, v);
tmpName = false;
lastPos = i + 1;
continue;
} else {
continue;
}
}
}
}
if (lastPos < html.length) {
if (tmpName === false) {
addAttr(html.slice(lastPos));
} else {
addAttr(tmpName, stripQuoteWrap(_.trim(html.slice(lastPos))));
}
}
return _.trim(retAttrs.join(" "));
}
function findNextEqual(str, i) {
for (; i < str.length; i++) {
var c = str[i];
if (c === " ") continue;
if (c === "=") return i;
return -1;
}
}
function findNextQuotationMark(str, i) {
for (; i < str.length; i++) {
var c = str[i];
if (c === " ") continue;
if (c === "'" || c === '"') return i;
return -1;
}
}
function findBeforeEqual(str, i) {
for (; i > 0; i--) {
var c = str[i];
if (c === " ") continue;
if (c === "=") return i;
return -1;
}
}
function isQuoteWrapString(text) {
if (
(text[0] === '"' && text[text.length - 1] === '"') ||
(text[0] === "'" && text[text.length - 1] === "'")
) {
return true;
} else {
return false;
}
}
function stripQuoteWrap(text) {
if (isQuoteWrapString(text)) {
return text.substr(1, text.length - 2);
} else {
return text;
}
}
exports.parseTag = parseTag;
exports.parseAttr = parseAttr;

34
node_modules/xss/lib/util.js generated vendored Normal file
View File

@@ -0,0 +1,34 @@
module.exports = {
indexOf: function (arr, item) {
var i, j;
if (Array.prototype.indexOf) {
return arr.indexOf(item);
}
for (i = 0, j = arr.length; i < j; i++) {
if (arr[i] === item) {
return i;
}
}
return -1;
},
forEach: function (arr, fn, scope) {
var i, j;
if (Array.prototype.forEach) {
return arr.forEach(fn, scope);
}
for (i = 0, j = arr.length; i < j; i++) {
fn.call(scope, arr[i], i, arr);
}
},
trim: function (str) {
if (String.prototype.trim) {
return str.trim();
}
return str.replace(/(^\s*)|(\s*$)/g, "");
},
spaceIndex: function (str) {
var reg = /\s|\n|\t/;
var match = reg.exec(str);
return match ? match.index : -1;
},
};

232
node_modules/xss/lib/xss.js generated vendored Normal file
View File

@@ -0,0 +1,232 @@
/**
* filter xss
*
* @author Zongmin Lei<leizongmin@gmail.com>
*/
var FilterCSS = require("cssfilter").FilterCSS;
var DEFAULT = require("./default");
var parser = require("./parser");
var parseTag = parser.parseTag;
var parseAttr = parser.parseAttr;
var _ = require("./util");
/**
* returns `true` if the input value is `undefined` or `null`
*
* @param {Object} obj
* @return {Boolean}
*/
function isNull(obj) {
return obj === undefined || obj === null;
}
/**
* get attributes for a tag
*
* @param {String} html
* @return {Object}
* - {String} html
* - {Boolean} closing
*/
function getAttrs(html) {
var i = _.spaceIndex(html);
if (i === -1) {
return {
html: "",
closing: html[html.length - 2] === "/",
};
}
html = _.trim(html.slice(i + 1, -1));
var isClosing = html[html.length - 1] === "/";
if (isClosing) html = _.trim(html.slice(0, -1));
return {
html: html,
closing: isClosing,
};
}
/**
* shallow copy
*
* @param {Object} obj
* @return {Object}
*/
function shallowCopyObject(obj) {
var ret = {};
for (var i in obj) {
ret[i] = obj[i];
}
return ret;
}
function keysToLowerCase(obj) {
var ret = {};
for (var i in obj) {
if (Array.isArray(obj[i])) {
ret[i.toLowerCase()] = obj[i].map(function (item) {
return item.toLowerCase();
});
} else {
ret[i.toLowerCase()] = obj[i];
}
}
return ret;
}
/**
* FilterXSS class
*
* @param {Object} options
* whiteList (or allowList), onTag, onTagAttr, onIgnoreTag,
* onIgnoreTagAttr, safeAttrValue, escapeHtml
* stripIgnoreTagBody, allowCommentTag, stripBlankChar
* css{whiteList, onAttr, onIgnoreAttr} `css=false` means don't use `cssfilter`
*/
function FilterXSS(options) {
options = shallowCopyObject(options || {});
if (options.stripIgnoreTag) {
if (options.onIgnoreTag) {
console.error(
'Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time'
);
}
options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll;
}
if (options.whiteList || options.allowList) {
options.whiteList = keysToLowerCase(options.whiteList || options.allowList);
} else {
options.whiteList = DEFAULT.whiteList;
}
this.attributeWrapSign = options.singleQuotedAttributeValue === true ? "'" : DEFAULT.attributeWrapSign;
options.onTag = options.onTag || DEFAULT.onTag;
options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
this.options = options;
if (options.css === false) {
this.cssFilter = false;
} else {
options.css = options.css || {};
this.cssFilter = new FilterCSS(options.css);
}
}
/**
* start process and returns result
*
* @param {String} html
* @return {String}
*/
FilterXSS.prototype.process = function (html) {
// compatible with the input
html = html || "";
html = html.toString();
if (!html) return "";
var me = this;
var options = me.options;
var whiteList = options.whiteList;
var onTag = options.onTag;
var onIgnoreTag = options.onIgnoreTag;
var onTagAttr = options.onTagAttr;
var onIgnoreTagAttr = options.onIgnoreTagAttr;
var safeAttrValue = options.safeAttrValue;
var escapeHtml = options.escapeHtml;
var attributeWrapSign = me.attributeWrapSign;
var cssFilter = me.cssFilter;
// remove invisible characters
if (options.stripBlankChar) {
html = DEFAULT.stripBlankChar(html);
}
// remove html comments
if (!options.allowCommentTag) {
html = DEFAULT.stripCommentTag(html);
}
// if enable stripIgnoreTagBody
var stripIgnoreTagBody = false;
if (options.stripIgnoreTagBody) {
stripIgnoreTagBody = DEFAULT.StripTagBody(
options.stripIgnoreTagBody,
onIgnoreTag
);
onIgnoreTag = stripIgnoreTagBody.onIgnoreTag;
}
var retHtml = parseTag(
html,
function (sourcePosition, position, tag, html, isClosing) {
var info = {
sourcePosition: sourcePosition,
position: position,
isClosing: isClosing,
isWhite: Object.prototype.hasOwnProperty.call(whiteList, tag),
};
// call `onTag()`
var ret = onTag(tag, html, info);
if (!isNull(ret)) return ret;
if (info.isWhite) {
if (info.isClosing) {
return "</" + tag + ">";
}
var attrs = getAttrs(html);
var whiteAttrList = whiteList[tag];
var attrsHtml = parseAttr(attrs.html, function (name, value) {
// call `onTagAttr()`
var isWhiteAttr = _.indexOf(whiteAttrList, name) !== -1;
var ret = onTagAttr(tag, name, value, isWhiteAttr);
if (!isNull(ret)) return ret;
if (isWhiteAttr) {
// call `safeAttrValue()`
value = safeAttrValue(tag, name, value, cssFilter);
if (value) {
return name + '=' + attributeWrapSign + value + attributeWrapSign;
} else {
return name;
}
} else {
// call `onIgnoreTagAttr()`
ret = onIgnoreTagAttr(tag, name, value, isWhiteAttr);
if (!isNull(ret)) return ret;
return;
}
});
// build new tag html
html = "<" + tag;
if (attrsHtml) html += " " + attrsHtml;
if (attrs.closing) html += " /";
html += ">";
return html;
} else {
// call `onIgnoreTag()`
ret = onIgnoreTag(tag, html, info);
if (!isNull(ret)) return ret;
return escapeHtml(html);
}
},
escapeHtml
);
// if enable stripIgnoreTagBody
if (stripIgnoreTagBody) {
retHtml = stripIgnoreTagBody.remove(retHtml);
}
return retHtml;
};
module.exports = FilterXSS;

65
node_modules/xss/package.json generated vendored Normal file
View File

@@ -0,0 +1,65 @@
{
"name": "xss",
"main": "./lib/index.js",
"typings": "./typings/xss.d.ts",
"version": "1.0.15",
"description": "Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist",
"author": "Zongmin Lei <leizongmin@gmail.com> (http://ucdok.com)",
"repository": {
"type": "git",
"url": "git://github.com/leizongmin/js-xss.git"
},
"engines": {
"node": ">= 0.10.0"
},
"dependencies": {
"commander": "^2.20.3",
"cssfilter": "0.0.10"
},
"devDependencies": {
"browserify": "^17.0.0",
"coveralls": "^3.1.1",
"debug": "^4.3.4",
"eslint": "^8.16.0",
"mocha": "^8.4.0",
"nyc": "^15.1.0",
"uglify-js": "^3.15.5"
},
"files": [
"lib",
"bin/xss",
"dist",
"typings/*.d.ts"
],
"bin": {
"xss": "./bin/xss"
},
"scripts": {
"lint": "eslint lib/**",
"test": "export DEBUG=xss:* && mocha -t 5000",
"test-cov": "nyc --reporter=lcov mocha --exit \"test/*.js\" && nyc report",
"coveralls": "cat ./coverage/lcov.info | ./node_modules/coveralls/bin/coveralls.js",
"build": "./bin/build",
"prepublish": "npm run test && npm run build"
},
"license": "MIT",
"bugs": {
"url": "https://github.com/leizongmin/js-xss/issues"
},
"homepage": "https://github.com/leizongmin/js-xss",
"keywords": [
"sanitization",
"xss",
"sanitize",
"sanitisation",
"input",
"security",
"escape",
"encode",
"filter",
"validator",
"html",
"injection",
"whitelist"
]
}

205
node_modules/xss/typings/xss.d.ts generated vendored Normal file
View File

@@ -0,0 +1,205 @@
/**
* xss
*
* @author Zongmin Lei<leizongmin@gmail.com>
*/
declare module "xss" {
global {
function filterXSS(html: string, options?: IFilterXSSOptions): string;
namespace XSS {
export interface IFilterXSSOptions {
allowList?: IWhiteList;
whiteList?: IWhiteList;
onTag?: OnTagHandler;
onTagAttr?: OnTagAttrHandler;
onIgnoreTag?: OnTagHandler;
onIgnoreTagAttr?: OnTagAttrHandler;
safeAttrValue?: SafeAttrValueHandler;
escapeHtml?: EscapeHandler;
stripIgnoreTag?: boolean;
stripIgnoreTagBody?: boolean | string[];
allowCommentTag?: boolean;
stripBlankChar?: boolean;
singleQuotedAttributeValue?: boolean;
css?: {} | boolean;
}
interface IWhiteList extends Record<string, string[] | undefined> {
a?: string[];
abbr?: string[];
address?: string[];
area?: string[];
article?: string[];
aside?: string[];
audio?: string[];
b?: string[];
bdi?: string[];
bdo?: string[];
big?: string[];
blockquote?: string[];
br?: string[];
caption?: string[];
center?: string[];
cite?: string[];
code?: string[];
col?: string[];
colgroup?: string[];
dd?: string[];
del?: string[];
details?: string[];
div?: string[];
dl?: string[];
dt?: string[];
em?: string[];
figure?: string[];
figcaption?: string[];
font?: string[];
footer?: string[];
h1?: string[];
h2?: string[];
h3?: string[];
h4?: string[];
h5?: string[];
h6?: string[];
header?: string[];
hr?: string[];
i?: string[];
img?: string[];
ins?: string[];
li?: string[];
mark?: string[];
nav?: string[];
ol?: string[];
p?: string[];
pre?: string[];
s?: string[];
section?: string[];
small?: string[];
span?: string[];
sub?: string[];
sup?: string[];
strong?: string[];
strike?: string[];
summary?: string[];
table?: string[];
tbody?: string[];
td?: string[];
tfoot?: string[];
th?: string[];
thead?: string[];
tr?: string[];
tt?: string[];
u?: string[];
ul?: string[];
video?: string[];
}
type OnTagHandler = (
tag: string,
html: string,
options: {
sourcePosition?: number;
position?: number;
isClosing?: boolean;
isWhite?: boolean;
}
) => string | void;
type OnTagAttrHandler = (
tag: string,
name: string,
value: string,
isWhiteAttr: boolean
) => string | void;
type SafeAttrValueHandler = (
tag: string,
name: string,
value: string,
cssFilter: ICSSFilter
) => string;
type EscapeHandler = (str: string) => string;
interface ICSSFilter {
process(value: string): string;
}
}
}
export interface IFilterXSSOptions extends XSS.IFilterXSSOptions {}
export interface IWhiteList extends XSS.IWhiteList {}
export type OnTagHandler = XSS.OnTagHandler;
export type OnTagAttrHandler = XSS.OnTagAttrHandler;
export type SafeAttrValueHandler = XSS.SafeAttrValueHandler;
export type EscapeHandler = XSS.EscapeHandler;
export interface ICSSFilter extends XSS.ICSSFilter {}
export function StripTagBody(
tags: string[],
next: () => void
): {
onIgnoreTag(
tag: string,
html: string,
options: {
position: number;
isClosing: boolean;
}
): string;
remove(html: string): string;
};
export class FilterXSS {
constructor(options?: IFilterXSSOptions);
process(html: string): string;
}
export function filterXSS(html: string, options?: IFilterXSSOptions): string;
export function parseTag(
html: string,
onTag: (
sourcePosition: number,
position: number,
tag: string,
html: string,
isClosing: boolean
) => string,
escapeHtml: EscapeHandler
): string;
export function parseAttr(
html: string,
onAttr: (name: string, value: string) => string
): string;
export const whiteList: IWhiteList;
export function getDefaultWhiteList(): IWhiteList;
export const onTag: OnTagHandler;
export const onIgnoreTag: OnTagHandler;
export const onTagAttr: OnTagAttrHandler;
export const onIgnoreTagAttr: OnTagAttrHandler;
export const safeAttrValue: SafeAttrValueHandler;
export const escapeHtml: EscapeHandler;
export const escapeQuote: EscapeHandler;
export const unescapeQuote: EscapeHandler;
export const escapeHtmlEntities: EscapeHandler;
export const escapeDangerHtml5Entities: EscapeHandler;
export const clearNonPrintableCharacter: EscapeHandler;
export const friendlyAttrValue: EscapeHandler;
export const escapeAttrValue: EscapeHandler;
export function onIgnoreTagStripAll(): string;
export const stripCommentTag: EscapeHandler;
export const stripBlankChar: EscapeHandler;
export const attributeWrapSign: string;
export const cssFilter: ICSSFilter;
export function getDefaultCSSWhiteList(): ICSSFilter;
const xss: (html: string, options?: IFilterXSSOptions) => string;
export default xss;
}