js-xss

Is it possible to preserve case on attributes when filtering XSS?

Open ok-martin opened this issue 1 year ago • 0 comments

Is there a way to preserve the case of whitelisted attributes when using filterXSS?

Given this code:

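```js
// Node import; in the browser build, filterXSS is a global
const { filterXSS } = require('xss');

// Single quotes outside so the attribute quotes do not end the string
const svgText = '<svg id="Art" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 209.621 248.055"></svg>';

// Attribute names are listed in the mixed case that SVG expects
const SVG_TAGS_WHITELIST = {
    svg: ['id', 'xmlns', 'viewBox', 'preserveAspectRatio'],
};

const cleanText = filterXSS(svgText, { whiteList: SVG_TAGS_WHITELIST });
```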

`cleanText` comes back as `<svg viewbox="0 0 209.621 248.055">` instead of `<svg viewBox="0 0 209.621 248.055">`

I cannot run a specific query that will convert viewbox back to viewBox because it is not the only instance that I need. I have more whitelisted fields and mapping all of them is not feasible.

ok-martin, Feb 22 '24 07:02
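One way to get the original casing back without a hand-written mapping, as an added example that is not part of the original issue and is not js-xss code: derive the lowercase-to-canonical map from the whitelist itself and rewrite only attribute names in the already-sanitized output. `restoreAttrCase` and `buildCaseMap` are hypothetical helper names, and the sketch assumes the sanitizer emits attributes as `name="value"` (or a bare name) with `<`, `>` and `"` entity-escaped inside values and text.

```javascript
// Added example: restore the whitelist's attribute casing in sanitizer output.
// Assumption: attributes are emitted as name="value" (or a bare name) and
// <, > and " inside values and text are already entity-escaped.

// Map each whitelisted tag to { lowercased attribute name -> name as listed }.
function buildCaseMap(whiteList) {
  const map = new Map();
  for (const [tag, attrs] of Object.entries(whiteList)) {
    map.set(tag.toLowerCase(), new Map(attrs.map((a) => [a.toLowerCase(), a])));
  }
  return map;
}

// An opening tag, its run of attributes, and its closing ">" or "/>".
const OPEN_TAG = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"=<>\/]+(?:="[^"<>]*")?)*)(\s*\/?>)/g;
// One attribute: leading whitespace, name, optional ="value".
const ATTR = /(\s+)([^\s"=<>\/]+)(="[^"<>]*")?/g;

// restoreAttrCase is a hypothetical helper name, not a js-xss function.
function restoreAttrCase(sanitizedHtml, whiteList) {
  const caseMap = buildCaseMap(whiteList);
  return sanitizedHtml.replace(OPEN_TAG, (whole, tag, attrText, tail) => {
    const names = caseMap.get(tag.toLowerCase());
    if (!names) return whole; // tag not in the whitelist: leave untouched
    const fixed = attrText.replace(ATTR, (m, ws, name, value = "") =>
      // Only the name is rewritten, and only to a string from the whitelist.
      ws + (names.get(name.toLowerCase()) || name) + value);
    return "<" + tag + fixed + tail;
  });
}

// Constructed sample of lowercased sanitizer output.
const SAMPLE = '<svg id="viewbox x" viewbox="0 0 209.621 248.055" ' +
  'preserveaspectratio="xMidYMid"></svg><p viewbox="1">viewbox="2"</p>';
const WHITELIST = { svg: ["id", "xmlns", "viewBox", "preserveAspectRatio"] };

console.log(restoreAttrCase(SAMPLE, WHITELIST));
```

Attribute values, text nodes and tags outside the whitelist pass through byte for byte, so the step cannot add markup the sanitizer did not already allow.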