js-xss
MSO tags will be escaped
<!--[if !mso]><!--> Code <!--<![endif]-->
is going to be escaped as <!--[if !mso]><!--> Code <!--<![endif]-->
@leizongmin Any Suggestions? Or how to avoid it.
Same for me, I could not make this markup to be escaped properly:
<!--[if !mso]><!-->
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<!--<![endif]-->
@andrey-skl What do you expect to get from this input html?
@leizongmin Thanks for your response!
Given that my options are, say:
{
  allowCommentTag: true,
  whiteList: {} // say nothing is allowed
}
I would expect it to preserve these comments as is:
<!--[if !mso]><!-->
<!--<![endif]-->
But actual result is:
<!--[if !mso]><!-->
<!--<![endif]-->
While debugging the library, I found that the reason is that the last <!--<![endif]--> is not parsed as a single tag because it has a "<" symbol inside, and it triggers new tag parsing here: https://github.com/leizongmin/js-xss/blob/master/lib/parser.js#L63
Just for reference, here are all such tags that are often used for email markup: https://stackoverflow.design/email/base/mso/
@andrey-skl Did you mean that you expect when setting allowCommentTag=true, the content between <!-- and --> is not processed?
@leizongmin In my case, I would like comment tags to stay as is. Sorry, I forgot to mention a "hack" that makes it work like that for me:
onIgnoreTag: (tag, html, options) => {
  if (tag.startsWith('!--') || tag.startsWith('![endif')) {
    return html;
  }
  return '';
},
If we drop this hack it renders
<!--[if !mso]><!-->
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<!--<![endif]-->
Which maybe is correct, but not what I need.
If you think it is not possible to preserve these comment tags, it's okay.
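
An added example, not part of the thread and not js-xss code: one way to keep MSO conditional comments without a prefix match on the tag name is to swap only exact, well-formed delimiters for inert placeholders, sanitize everything else, then restore them. `sanitizeKeepingMsoComments` and `escapeAll` are hypothetical names, and the condition grammar and the U+E000 marker are assumptions of this sketch.

```javascript
// Added example, not js-xss code. sanitizeKeepingMsoComments and escapeAll
// are hypothetical names; pass your real sanitizer as `sanitize`.

// Strict grammar for a condition such as "!mso", "gte mso 9", "mso | IE".
const TERM = '(?:!\\s*)?(?:(?:gt|gte|lt|lte)\\s+)?(?:mso|IE)(?:\\s+\\d+)?';
const COND = `${TERM}(?:\\s*[|&]\\s*${TERM})*`;
// Accepted delimiters, matched whole so the inner "<" never splits them:
//   <!--[if COND]><!-->   <!--[if COND]>   <!--<![endif]-->   <![endif]-->
const DELIM = new RegExp(
  `<!--\\[if ${COND}\\]>(?:<!-->)?|<!--<!\\[endif\\]-->|<!\\[endif\\]-->`, 'g');

// Placeholder marker: a private-use code point. Assumption: the sanitizer
// passes U+E000 through unchanged as ordinary text.
const MARK = '\uE000';

function sanitizeKeepingMsoComments(html, sanitize) {
  const kept = [];
  const masked = html
    .split(MARK).join('')   // input can never forge a placeholder
    .replace(DELIM, (m) => `${MARK}${kept.push(m) - 1}${MARK}`);
  const clean = sanitize(masked);   // everything else is still sanitized
  // Restore only strings that matched DELIM exactly.
  return clean.replace(new RegExp(`${MARK}(\\d+)${MARK}`, 'g'),
    (m, i) => kept[Number(i)] || '');
}

// Stand-in sanitizer for the demo: escapes every tag and comment.
const escapeAll = (s) =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Constructed sample input.
const sample =
  '<!--[if !mso]><!--><meta http-equiv="X-UA-Compatible" content="IE=edge"/>' +
  '<!--<![endif]--><!--[if mso]><script>alert(1)</script><![endif]-->' +
  '<!--[if x]><!-- note -->';

console.log(sanitizeKeepingMsoComments(sample, escapeAll));
```

With js-xss the `sanitize` argument would be a wrapper such as `(s) => xss(s, options)`; markup between the preserved delimiters still goes through the sanitizer, and any comment that does not match the grammar is handled by the sanitizer like any other input.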