Skip to content

Commit

Permalink
Remove the XSS filter.
Browse files Browse the repository at this point in the history
The xss() function was originally a port of the XSS filter from
CodeIgniter. I added it to the library because there wasn't an
alternative at the time. Unfortunately I don't have the time or
expertise to maintain the XSS filter or keep merging upstream
changes.

If you need one for your app, I suggest looking at Caja sanitisation
engine maintained by Google. (https://code.google.com/p/google-caja/
source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js)

Closes #123, #138, #181, #206, #210, #221, #223, #226, #227, #231, #232
  • Loading branch information
chriso committed Oct 31, 2013
1 parent afd1a45 commit 2d5d699
Show file tree
Hide file tree
Showing 7 changed files with 3 additions and 482 deletions.
5 changes: 0 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,6 @@ var int = sanitize('0123').toInt(); //123
var bool = sanitize('true').toBoolean(); //true
var str = sanitize(' \t\r hello \n').trim(); //'hello'
var str = sanitize('aaaaaaaaab').ltrim('a'); //'b'
var str = sanitize(large_input_str).xss();
var str = sanitize('&lt;a&gt;').entityDecode(); //'<a>'
```

Expand All @@ -58,7 +57,6 @@ get('/', function (req, res) {
req.checkHeader('referer').contains('localhost');

//Sanitize user input
req.sanitize('textarea').xss();
req.sanitize('foo').toBoolean();

//etc.
Expand Down Expand Up @@ -130,8 +128,6 @@ toBooleanStrict() //False unless str = '1' or 'true'
entityDecode() //Decode HTML entities
entityEncode()
escape() //Escape &, <, >, and "
xss() //Remove common XSS attack vectors from user-supplied HTML
xss(true) //Remove common XSS attack vectors from images
```

## Extending the library
Expand Down Expand Up @@ -221,7 +217,6 @@ var errors = validator.getErrors(); // ['Invalid email', 'String is too small']
- [oris](https://github.com/orls) - Added in()
- [mren](https://github.com/mren) - Decoupled rules
- [Thorsten Basse](https://github.com/tbasse) - Cleanup and refinement of existing validators
- [Neal Poole](https://github.com/nealpoole) - Port the latest xss() updates from CodeIgniter

## LICENSE

Expand Down
6 changes: 0 additions & 6 deletions lib/filter.js
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
var entities = require('./entities');
var xss = require('./xss');

var Filter = exports.Filter = function() {}

Expand Down Expand Up @@ -28,11 +27,6 @@ Filter.prototype.convert = Filter.prototype.sanitize = function(str) {
return this;
}

Filter.prototype.xss = function(is_image) {
this.modify(xss.clean(this.str, is_image));
return this.wrap(this.str);
}

Filter.prototype.entityDecode = function() {
this.modify(entities.decode(this.str));
return this.wrap(this.str);
Expand Down
228 changes: 0 additions & 228 deletions lib/xss.js

This file was deleted.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"description" : "Data validation, filtering and sanitization for node.js",
"version" : "1.5.1",
"homepage" : "http://github.com/chriso/node-validator",
"keywords" : ["validator", "validation", "assert", "params", "sanitization", "xss", "entities", "sanitize", "sanitisation", "input"],
"keywords" : ["validator", "validation", "assert", "params", "sanitization", "entities", "sanitize", "sanitisation", "input"],
"author" : "Chris O'Hara <[email protected]>",
"main" : "./lib",
"directories" : { "lib" : "./lib" },
Expand Down
33 changes: 0 additions & 33 deletions test/filter.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -132,39 +132,6 @@ module.exports = {
assert.equal('&frac12;', Filter.sanitize('Β½').entityEncode());
},

'test #xss()': function () {
//Need more tests!
assert.equal('[removed] foobar', Filter.sanitize('javascript : foobar').xss());
assert.equal('[removed] foobar', Filter.sanitize('j a vasc ri pt: foobar').xss());
assert.equal('<a >some text</a>', Filter.sanitize('<a href="javascript:alert(\'xss\')">some text</a>').xss());

assert.equal('<s <> <s >This is a test</s>', Filter.sanitize('<s <onmouseover="alert(1)"> <s onmouseover="alert(1)">This is a test</s>').xss());
assert.equal('<a >">test</a>', Filter.sanitize('<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>').xss());
assert.equal('<div ><h1>You have won</h1>Please click the link and enter your login details: <a href="http://example.com/">http://good.com</a></div>', Filter.sanitize('<div style="z-index: 9999999; background-color: green; width: 100%; height: 100%"><h1>You have won</h1>Please click the link and enter your login details: <a href="http://example.com/">http://good.com</a></div>').xss());
assert.equal('<scrRedirec[removed]t 302ipt type="text/javascript">prompt(1);</scrRedirec[removed]t 302ipt>', Filter.sanitize('<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>').xss());
assert.equal('<img src="a" ', Filter.sanitize('<img src="a" onerror=\'eval(atob("cHJvbXB0KDEpOw=="))\'').xss());


// Source: http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html
assert.equal('<img src=">" >', Filter.sanitize('<img/src=">" onerror=alert(1)>').xss());
assert.equal('<button a=">" autofocus ></button>', Filter.sanitize('<button/a=">" autofocus onfocus=alert&#40;1&#40;></button>').xss());
assert.equal('<button a=">" autofocus >', Filter.sanitize('<button a=">" autofocus onfocus=alert&#40;1&#40;>').xss());
assert.equal('<a target="_blank">clickme in firefox</a>', Filter.sanitize('<a target="_blank" href="data:text/html;BASE64youdummy,PHNjcmlwdD5hbGVydCh3aW5kb3cub3BlbmVyLmRvY3VtZW50LmRvY3VtZW50RWxlbWVudC5pbm5lckhUTUwpPC9zY3JpcHQ+">clickme in firefox</a>').xss());
assert.equal('<a/\'\'\' target="_blank" href=[removed]PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+>firefox11</a>', Filter.sanitize('<a/\'\'\' target="_blank" href=data:text/html;;base64,PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+>firefox11</a>').xss());

var url = 'http://www.example.com/test.php?a=b&b=c&c=d';
assert.equal(url, Filter.sanitize(url).xss());
},

'test chaining': function () {
assert.equal('&amp;amp;amp;', Filter.sanitize('&').chain().entityEncode().entityEncode().entityEncode().value());

//Return the default behaviour
Filter.wrap = function (str) {
return str;
}
},

'test #escape': function () {
assert.equal('&amp;&lt;&quot;&gt;', Filter.sanitize('&<">').escape());
}
Expand Down
Loading

3 comments on commit 2d5d699

@wshaver
Copy link

@wshaver wshaver commented on 2d5d699 Nov 1, 2013

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, talk about a breaking change!

@freewil
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you need this xss filter then you are doing it wrong. Good grief, glad this was removed.

@wshaver
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.