
How to check input string is vulnerable

Open sozakir opened this issue 4 years ago • 1 comment

Hi, I am using the js-xss library in my project. I want to check whether an input string is vulnerable using the js-xss library. How can we check whether a string would be vulnerable before sanitizing it?

I am checking the input and output strings: if they are equal, then the string is not vulnerable; otherwise it is vulnerable.

import xss from 'xss'; // js-xss; exact import form depends on your module settings

class InputChecker {
  // Treats any difference between input and sanitized output as "vulnerable".
  public static isVulnerable(input: string): boolean {
    input = input.trim();
    const sanitizedString = xss(input, {
      stripIgnoreTag: true,            // drop tags that are not in the whitelist
      stripIgnoreTagBody: ['script'],  // drop the body of <script> as well
      whiteList: {}                    // no tag is allowed at all
    });
    return input !== sanitizedString;
  }
}

Is there any function in the library which can check whether a string is vulnerable?

Because the current function fails for this string: test < test. It returns test &lt; test, which says it is vulnerable, but it is not, I guess.

sozakir avatar Jan 06 '21 03:01 sozakir

The main function of this module is to filter out illegal HTML code based on a whitelist. If the input contains non-whitelist tags, that means it is vulnerable, so you can try to set up the onIgnoreTag option like this:

var xss = require('xss');

var source = '<div a="1" b="2" data-a="3" data-b="4">hello</div>';
var isVulnerable = false;
var html = xss(source, {
  // called for every tag that is not in the whitelist
  onIgnoreTag: function (tag, html, options) {
    isVulnerable = true;
  }
});

leizongmin avatar Jan 18 '21 08:01 leizongmin
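To make the difference between the two approaches in this thread concrete, here is an added example that is not code from js-xss or from either participant. It uses a small whitelist sanitizer written for this example as a stand-in for js-xss's parser (it does not reproduce how the library tokenises malformed markup, so treat it as an illustration of the idea, not of the library's exact behaviour). It compares the "output differs from input" check from the question with a check that only counts tags and attributes the whitelist rejected, which is what hooking js-xss's onIgnoreTag and onIgnoreTagAttr callbacks gives you. The whitelist and the sample inputs are constructed for the example.

```javascript
// Added example, not js-xss code. A minimal whitelist sanitizer that records
// everything it had to drop, so both "is it vulnerable?" strategies from the
// thread can be compared on the same inputs.

// Only well-formed tags (a "<" followed by a tag name) are treated as markup;
// a stray "<" such as in "test < test" is plain text and just gets escaped.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][a-zA-Z0-9_:.-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Sanitize `html` against `whiteList` ({ tagName: [allowedAttr, ...] }).
// Returns the filtered HTML plus the tags/attributes that were rejected,
// which is the information js-xss hands to onIgnoreTag / onIgnoreTagAttr.
function sanitize(html, whiteList) {
  const ignored = { tags: [], attrs: [] };
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeHtml(html.slice(last, m.index));
    const [full, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const closing = full.startsWith('</');
    if (!(name in whiteList)) {
      ignored.tags.push(name);          // non-whitelist tag: escape it
      out += escapeHtml(full);
    } else {
      const keep = [];
      for (const a of rawAttrs.matchAll(ATTR_RE)) {
        const attrName = a[1].toLowerCase();
        if (whiteList[name].includes(attrName)) keep.push(a[0]);
        else ignored.attrs.push(`${name}.${attrName}`);  // non-whitelist attribute
      }
      out += closing ? `</${name}>` : `<${name}${keep.length ? ' ' + keep.join(' ') : ''}>`;
    }
    last = m.index + full.length;
  }
  out += escapeHtml(html.slice(last));
  return { html: out, ignored };
}

// Approach from the question: anything the sanitizer changed is "vulnerable".
// Escaping a harmless "<" changes the string too, so this yields false positives.
function diffCheck(input, whiteList) {
  return sanitize(input, whiteList).html !== input;
}

// Approach from the reply, extended to attributes: "vulnerable" only when a
// tag or attribute outside the whitelist was actually seen.
function tagCheck(input, whiteList) {
  const { ignored } = sanitize(input, whiteList);
  return ignored.tags.length > 0 || ignored.attrs.length > 0;
}

// Constructed whitelist and inputs for the demonstration.
const WHITE_LIST = { b: [], a: ['href'] };
const SAMPLES = [
  'test < test',
  '<b>bold</b>',
  '<script>alert(1)</script>',
  '<a href="https://example.org" onclick="steal()">x</a>',
];

for (const s of SAMPLES) {
  const { ignored } = sanitize(s, WHITE_LIST);
  console.log(JSON.stringify(s), 'diff:', diffCheck(s, WHITE_LIST),
    'tags/attrs:', tagCheck(s, WHITE_LIST), ignored);
}
```

Note the last sample: the tag itself is whitelisted, so a check that only hooks onIgnoreTag would report nothing even though an event-handler attribute was stripped. If the goal is "did the filter have to remove anything dangerous", hook onIgnoreTagAttr as well, and decide separately whether a bare escaped `<` should count.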