js-xss
Extra "[removed]" appearing in the output
Consider the following code:
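```js
const Xss = require('xss')

console.log(
  Xss('<meta content="text/html"><style>h1 { color:red; }</style>', {
    // Allow only <style>, with no attributes
    whiteList: { style: [] },
    // Strip every tag that is not in the whitelist, together with its body
    stripIgnoreTagBody: true
  })
)
```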
I believe it should output this:
```
<style>h1 { color:red; }</style>
```
But instead it displays this:
```
[removed]<style>h1 { color:red; }</style>
```
I'm having this same issue, but actually this is what I see on my end:
- Option 1, no options are passed to the filter
- Option 2, pass `stripIgnoreTagBody: ['script']`
- Option 3, in addition to option 2 also define an `onTag()` to clear the string

Here is the `onTag` definition:
```js
function onTag(tag) {
  if (tag === 'script') {
    return "";
  }
  return undefined;
}
```
Here are the results:
| case | original data | option 1 output | option 2 output | option 3 output |
|---|---|---|---|---|
| 1 | `<script>alert(1)<script>` | alert(1) | | |
| 2 | `<script/>` | [removed] |
Case 1, option 2 ... that's an empty string.
Case 2, option 3 ... that's an empty string.
I'm sure there are more options that I can try, but I could not find a configuration that would clear out both strings with one set of options.