Skip to content
This repository has been archived by the owner on Jul 15, 2019. It is now read-only.

Commit

Permalink
release v1.2.6
Browse files Browse the repository at this point in the history
  • Loading branch information
adon committed Jul 29, 2015
1 parent 6d3d2b6 commit 70fd7f3
Show file tree
Hide file tree
Showing 6 changed files with 45 additions and 33 deletions.
2 changes: 1 addition & 1 deletion bower.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "xss-filters",
"version": "1.2.4",
"version": "1.2.6",
"homepage": "https://github.com/yahoo/xss-filters",
"authors": [
"Nera Liu <[email protected]>",
Expand Down
5 changes: 5 additions & 0 deletions dist/xss-filters.1.2.6.min.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

61 changes: 34 additions & 27 deletions dist/xss-filters.js
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,23 @@ exports._getPrivFilters = function () {
var SENSITIVE_HTML_ENTITIES = /&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,
SENSITIVE_NAMED_REF_MAP = {Tab: '\t', NewLine: '\n', colon: ':', semi: ';', lpar: '(', rpar: ')', apos: '\'', sol: '/', comma: ',', excl: '!', ast: '*', midast: '*', ensp: '\u2002', emsp: '\u2003', thinsp: '\u2009', nbsp: '\xA0', amp: '&', lt: '<', gt: '>', quot: '"', QUOT: '"'};

// TODO: CSS_DANGEROUS_FUNCTION_NAME = /(url\(|expression\()/ig;
var CSS_UNQUOTED_CHARS = /[^%#+\-\w\.]/g,
// \x7F and \x01-\x1F less \x09 are for Safari 5.0
CSS_DOUBLE_QUOTED_CHARS = /[\x01-\x1F\x7F\\"]/g,
CSS_SINGLE_QUOTED_CHARS = /[\x01-\x1F\x7F\\']/g,
// this assumes encodeURI() and encodeURIComponent() has escaped 1-32, 41, 127 for IE8
CSS_UNQUOTED_URL = /['\(\)]/g; // " \ treated by encodeURI()
// var CSS_VALID_VALUE =
// /^(?:
// (?!-*expression)#?[-\w]+
// |[+-]?(?:\d+|\d*\.\d+)(?:em|ex|ch|rem|px|mm|cm|in|pt|pc|%|vh|vw|vmin|vmax)?
// |!important
// | //empty
// )$/i;
var CSS_VALID_VALUE = /^(?:(?!-*expression)#?[-\w]+|[+-]?(?:\d+|\d*\.\d+)(?:r?em|ex|ch|cm|mm|in|px|pt|pc|%|vh|vw|vmin|vmax)?|!important|)$/i,
// TODO: prevent double css escaping by not encoding \ again, but this may require CSS decoding
// \x7F and \x01-\x1F less \x09 are for Safari 5.0, added []{}/* for unbalanced quote
CSS_DOUBLE_QUOTED_CHARS = /[\x00-\x1F\x7F\[\]{}\\"]/g,
CSS_SINGLE_QUOTED_CHARS = /[\x00-\x1F\x7F\[\]{}\\']/g,
// (, \u207D and \u208D can be used in background: 'url(...)' in IE, assumed all \ chars are encoded by QUOTED_CHARS, and null is already replaced with \uFFFD
// otherwise, use this CSS_BLACKLIST instead (enhance it with url matching): /(?:\\?\(|[\u207D\u208D]|\\0{0,4}28 ?|\\0{0,2}20[78][Dd] ?)+/g
CSS_BLACKLIST = /url[\(\u207D\u208D]+/g,
// this assumes encodeURI() and encodeURIComponent() has escaped 1-32, 127 for IE8
CSS_UNQUOTED_URL = /['\(\)]/g; // " \ treated by encodeURI()

// Given a full URI, need to support "[" ( IPv6address ) "]" in URI as per RFC3986
// Reference: https://tools.ietf.org/html/rfc3986
Expand All @@ -46,7 +56,7 @@ exports._getPrivFilters = function () {
// Reference: http://shazzer.co.uk/database/All/Characters-after-javascript-uri
// Reference: https://html.spec.whatwg.org/multipage/syntax.html#consume-a-character-reference
// Reference for named characters: https://html.spec.whatwg.org/multipage/entities.json
var URI_BLACKLIST_PROTOCOLS = {'javascript':1, 'data':1, 'vbscript':1, 'mhtml':1},
var URI_BLACKLIST_PROTOCOLS = {'javascript':1, 'data':1, 'vbscript':1, 'mhtml':1, 'x-schema':1},
URI_PROTOCOL_COLON = /(?::|&#[xX]0*3[aA];?|&#0*58;?|&colon;)/,
URI_PROTOCOL_WHITESPACES = /(?:^[\x00-\x20]+|[\t\n\r\x00]+)/g,
URI_PROTOCOL_NAMED_REF_MAP = {Tab: '\t', NewLine: '\n'};
Expand Down Expand Up @@ -160,20 +170,16 @@ exports._getPrivFilters = function () {
// space after \\HEX is needed by spec
return '\\' + chr.charCodeAt(0).toString(16).toLowerCase() + ' ';
}
function css(s, reSensitiveChars) {
return htmlDecode(s).replace(reSensitiveChars, cssEncode);
function cssBlacklist(s) {
return s.replace(CSS_BLACKLIST, function(m){ return '-x-' + m; });
}
function cssUrl(s, reSensitiveChars) {
function cssUrl(s) {
// encodeURI() in yufull() will throw error for use of the CSS_UNSUPPORTED_CODE_POINT (i.e., [\uD800-\uDFFF])
s = x.yufull(htmlDecode(s));
var protocol = getProtocol(s);

// prefix ## for blacklisted protocols
if (protocol && URI_BLACKLIST_PROTOCOLS[protocol.toLowerCase()]) {
s = '##' + s;
}

return reSensitiveChars ? s.replace(reSensitiveChars, cssEncode) : s;
return (protocol && URI_BLACKLIST_PROTOCOLS[protocol.toLowerCase()]) ? '##' + s : s;
}

return (x = {
Expand Down Expand Up @@ -352,23 +358,22 @@ exports._getPrivFilters = function () {
// * http://www.w3.org/TR/CSS21/grammar.html
// * http://www.w3.org/TR/css-syntax-3/
//
// NOTE: delimitar in CSS - \ _ : ; ( ) " ' / , % # ! * @ . { }
// NOTE: delimiter in CSS - \ _ : ; ( ) " ' / , % # ! * @ . { }
// 2d 5c 5f 3a 3b 28 29 22 27 2f 2c 25 23 21 2a 40 2e 7b 7d

// CSS_UNQUOTED_CHARS = /[^%#+\-\w\.]/g,
yceu: function(s) {
return css(s, CSS_UNQUOTED_CHARS);
s = htmlDecode(s);
return CSS_VALID_VALUE.test(s) ? s : ";-x:'" + cssBlacklist(s.replace(CSS_SINGLE_QUOTED_CHARS, cssEncode)) + "';-v:";
},

// string1 = \"([^\n\r\f\\"]|\\{nl}|\\[^\n\r\f0-9a-f]|\\[0-9a-f]{1,6}(\r\n|[ \n\r\t\f])?)*\"
// CSS_DOUBLE_QUOTED_CHARS = /[\x01-\x1F\x7F\\"]/g,
yced: function(s) {
return css(s, CSS_DOUBLE_QUOTED_CHARS);
return cssBlacklist(htmlDecode(s).replace(CSS_DOUBLE_QUOTED_CHARS, cssEncode));
},

// string2 = \'([^\n\r\f\\']|\\{nl}|\\[^\n\r\f0-9a-f]|\\[0-9a-f]{1,6}(\r\n|[ \n\r\t\f])?)*\'
// CSS_SINGLE_QUOTED_CHARS = /[\x01-\x1F\x7F\\']/g,
yces: function(s) {
return css(s, CSS_SINGLE_QUOTED_CHARS);
return cssBlacklist(htmlDecode(s).replace(CSS_SINGLE_QUOTED_CHARS, cssEncode));
},

// for url({{{yceuu url}}}
Expand All @@ -377,19 +382,21 @@ exports._getPrivFilters = function () {
// The state machine in CSS 3.0 is more well defined - http://www.w3.org/TR/css-syntax-3/#consume-a-url-token0
// CSS_UNQUOTED_URL = /['\(\)]/g; // " \ treated by encodeURI()
yceuu: function(s) {
return cssUrl(s, CSS_UNQUOTED_URL);
return cssUrl(s).replace(CSS_UNQUOTED_URL, function (chr) {
return chr === '\'' ? '\\27 ' :
chr === '(' ? '%28' :
/* chr === ')' ? */ '%29';
});
},

// for url("{{{yceud url}}}
// CSS_DOUBLE_QUOTED_URL has nothing else to escape (optimized version by chaining with yufull)
yceud: function(s) {
return cssUrl(s);
},

// for url('{{{yceus url}}}
// CSS_SINGLE_QUOTED_URL = /'/g; (optimized version by chaining with yufull)
yceus: function(s) {
return cssUrl(s, SQUOT);
return cssUrl(s).replace(SQUOT, '\\27 ');
}
});
};
Expand Down
Loading

0 comments on commit 70fd7f3

Please sign in to comment.