xss-filter is a XSS (Cross-Site Script) Filter for Node.js & the browser, provides friendly, reliable XSS filter API for you.
Test HTML:
<div class ="like" ondblclick= "ondblclick(); return false;" onmousedown="mousedown()">
<div class="title" title="I am a title!" value = "big">title</div>
<div class="desc" onsubmit="load()">desc</div>
<div>just a div</div>
<style type="text">
.red{color: #f00}
</style>
<script>alert(88)</script>
</div>
<script>alert(99)</script>
Result in:
<div class="like">
<div class="title" title="I am a title!" value="big">title</div>
<div class="desc">desc</div>
<div>just a div</div>
</div>
npm install xssfilter
or bower install xssFilter
or just download xssFilter.js from the git repo.
var xssFilter = require('xssfilter');
var xssfilter = new xssFilter();
var output = xssfilter.filter('<div class="like" ondblclick="takeme()" onmousedown="mousedown()">something...</div>');
// output: <div class="like">something...</div>
<script src="./dist/xssFilter.js"></script>
<script>
var xssfilter = new xssFilter();
var output = xssfilter.filter('<div class="like" ondblclick="takeme()" onmousedown="mousedown()">something...</div>');
// output: <div class="like">something...</div>
</script>
Use with require.js
<script src="require.js"></script>
<script>
define(function() {
var xssFilter = require('./dist/xssFilter.js');
var xssfilter = new xssFilter();
var output = xssfilter.filter('<div class="like" ondblclick="takeme()" onmousedown="mousedown()">something...</div>');
// output: <div class="like">something...</div>
});
</script>
Use with sea.js
<script src="sea.js"></script>
<script>
seajs.use('./dist/xssFilter.js', function(xssFilter){
var xssfilter = new xssFilter();
// "<" to < ">" to >
xssfilter.options('escape', true);
var output = xssfilter.filter('<div class="like" ondblclick="takeme()" onmousedown="mousedown()">something...</div>');
// output: <div class="like">something...</div>
})
</script>
whether match style
tag, default is true
. Set to false
to prevent remove the matched style
tags.
whether match script
tag, default is true
. Set to false
to prevent remove the matched script
tags.
whether remove matched tag, default is true
. Set to false
to using escape instead of remove.
removeMatchedTag
should be used with matchStyleTag
and matchScriptTag
, for example:
var xssfilter = new xssFilter({
removeMatchedTag: false
});
<div class ="like" onmousedown="mousedown()">
<style type="text">
.red{color: #f00}
</style>
something...
</div>
<script>alert(88)</script>
Result in:
<div class="like">
<style type="text">
.red{color: #f00}
</style>
something...
</div>
<script>alert(88)</script>
attributes blacklist, attributes in this list will be cleared.
initial blacklist of attributes:
{
onclick: true,
ondblclick: true,
onchange: true,
onblur: true,
onfocus: true,
onkeydown: true,
onkeypress: true,
onkeyup: true,
onmousedown: true,
onmousemove: true,
onmouseover: true,
onmouseout: true,
onmouseup: true,
onselect: true,
onsubmit: true,
onreset: true,
onload: true,
onabort: true,
onerror: true
}
escape tags of whole html string, "<" to "<", ">" to ">"
, default no.
The configuration options can be specified by passing an options
parameter in the initialization. options
is optional, provided to override the default configuration.
var xssfilter = new xssFilter(options);
Filtering target string, accepts only one parameter.
Use this method to modify the configuration options after initialization.
var xssfilter = new xssFilter();
xssfilter.options({
escape: true,
matchStyleTag: false
});
var output = xssfilter.filter('some html...');
You can also configure single option:
var xssfilter = new xssFilter();
xssfilter.options('escape', true);
var output = xssfilter.filter('some html...');
when set secondary attributes like blackListAttrs
, the second argument must be an object {}
:
var xssfilter = new xssFilter();
xssfilter.options('blackListAttrs', {
onsubmit: false
});
var output = xssfilter.filter('<div class="like" ondblclick="ondblclick();" onsubmit="dosomething()">something...</div>');
// output: <div class="like" onsubmit="dosomething()">something...</div>
npm test
MIT, see the LICENSE file for detail.