js-xss icon indicating copy to clipboard operation
js-xss copied to clipboard

Published 20 hours ago verified publisher icon leizongmin

whiteList does nothing

Open chladnefazole opened this issue 3 years ago • 1 comments

I have whitelist:

	{
		'!doctype': ['html'],
		meta: ['name', 'content', 'charset'],
		html: ['lang'],
		style: [],
		head: [],
		title: [],
		body: ['class'],
		footer: []
	},

But style, head, body, html tags are all being escaped still. table, tr, td, tbody, p, h1, h2 tags are not escaped. Basically, the list does nothing at all.

I am using the library via a CDN and therefore I'm calling the function like so: var cleanHtml = filterXSS(dirtyHtml, sanitizerOptions);

chladnefazole avatar Nov 23 '21 09:11 chladnefazole

Hi, @chladnefazole please try this example code:

var dirtyHtml =
  '<!doctype html><head><meta charset="utf-8" name="xx" content="yy"><title>Test</title><style></style></head><body class="aa"><footer></footer><div></div></body>';
var sanitizerOptions = {
  whiteList: {
    "!doctype": ["html"],
    meta: ["name", "content", "charset"],
    html: ["lang"],
    style: [],
    head: [],
    title: [],
    body: ["class"],
    footer: [],
  },
};
var cleanHtml = filterXSS(dirtyHtml, sanitizerOptions);
console.log(cleanHtml);

we can get the following result:

<!doctype html><head><meta charset="utf-8" name="xx" content="yy"><title>Test</title><style></style></head><body class="aa"><footer></footer>&lt;div&gt;&lt;/div&gt;</body>

leizongmin avatar Dec 05 '21 02:12 leizongmin