summaryrefslogtreecommitdiffstats
path: root/node_modules/xss/lib/default.js
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--node_modules/xss/lib/default.js415
1 files changed, 0 insertions, 415 deletions
diff --git a/node_modules/xss/lib/default.js b/node_modules/xss/lib/default.js
deleted file mode 100644
index 1452ed3..0000000
--- a/node_modules/xss/lib/default.js
+++ /dev/null
@@ -1,415 +0,0 @@
-/**
- * default settings
- *
- * @author Zongmin Lei<leizongmin@gmail.com>
- */
-
-var FilterCSS = require("cssfilter").FilterCSS;
-var getDefaultCSSWhiteList = require("cssfilter").getDefaultWhiteList;
-var _ = require("./util");
-
-function getDefaultWhiteList() {
- return {
- a: ["target", "href", "title"],
- abbr: ["title"],
- address: [],
- area: ["shape", "coords", "href", "alt"],
- article: [],
- aside: [],
- audio: ["autoplay", "controls", "loop", "preload", "src"],
- b: [],
- bdi: ["dir"],
- bdo: ["dir"],
- big: [],
- blockquote: ["cite"],
- br: [],
- caption: [],
- center: [],
- cite: [],
- code: [],
- col: ["align", "valign", "span", "width"],
- colgroup: ["align", "valign", "span", "width"],
- dd: [],
- del: ["datetime"],
- details: ["open"],
- div: [],
- dl: [],
- dt: [],
- em: [],
- font: ["color", "size", "face"],
- footer: [],
- h1: [],
- h2: [],
- h3: [],
- h4: [],
- h5: [],
- h6: [],
- header: [],
- hr: [],
- i: [],
- img: ["src", "alt", "title", "width", "height"],
- ins: ["datetime"],
- li: [],
- mark: [],
- nav: [],
- ol: [],
- p: [],
- pre: [],
- s: [],
- section: [],
- small: [],
- span: [],
- sub: [],
- sup: [],
- strong: [],
- table: ["width", "border", "align", "valign"],
- tbody: ["align", "valign"],
- td: ["width", "rowspan", "colspan", "align", "valign"],
- tfoot: ["align", "valign"],
- th: ["width", "rowspan", "colspan", "align", "valign"],
- thead: ["align", "valign"],
- tr: ["rowspan", "align", "valign"],
- tt: [],
- u: [],
- ul: [],
- video: ["autoplay", "controls", "loop", "preload", "src", "height", "width"]
- };
-}
-
-var defaultCSSFilter = new FilterCSS();
-
-/**
- * default onTag function
- *
- * @param {String} tag
- * @param {String} html
- * @param {Object} options
- * @return {String}
- */
-function onTag(tag, html, options) {
- // do nothing
-}
-
-/**
- * default onIgnoreTag function
- *
- * @param {String} tag
- * @param {String} html
- * @param {Object} options
- * @return {String}
- */
-function onIgnoreTag(tag, html, options) {
- // do nothing
-}
-
-/**
- * default onTagAttr function
- *
- * @param {String} tag
- * @param {String} name
- * @param {String} value
- * @return {String}
- */
-function onTagAttr(tag, name, value) {
- // do nothing
-}
-
-/**
- * default onIgnoreTagAttr function
- *
- * @param {String} tag
- * @param {String} name
- * @param {String} value
- * @return {String}
- */
-function onIgnoreTagAttr(tag, name, value) {
- // do nothing
-}
-
-/**
- * default escapeHtml function
- *
- * @param {String} html
- */
-function escapeHtml(html) {
- return html.replace(REGEXP_LT, "&lt;").replace(REGEXP_GT, "&gt;");
-}
-
-/**
- * default safeAttrValue function
- *
- * @param {String} tag
- * @param {String} name
- * @param {String} value
- * @param {Object} cssFilter
- * @return {String}
- */
-function safeAttrValue(tag, name, value, cssFilter) {
- // unescape attribute value firstly
- value = friendlyAttrValue(value);
-
- if (name === "href" || name === "src") {
- // filter `href` and `src` attribute
- // only allow the value that starts with `http://` | `https://` | `mailto:` | `/` | `#`
- value = _.trim(value);
- if (value === "#") return "#";
- if (
- !(
- value.substr(0, 7) === "http://" ||
- value.substr(0, 8) === "https://" ||
- value.substr(0, 7) === "mailto:" ||
- value.substr(0, 4) === "tel:" ||
- value[0] === "#" ||
- value[0] === "/"
- )
- ) {
- return "";
- }
- } else if (name === "background") {
- // filter `background` attribute (maybe no use)
- // `javascript:`
- REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
- if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
- return "";
- }
- } else if (name === "style") {
- // `expression()`
- REGEXP_DEFAULT_ON_TAG_ATTR_7.lastIndex = 0;
- if (REGEXP_DEFAULT_ON_TAG_ATTR_7.test(value)) {
- return "";
- }
- // `url()`
- REGEXP_DEFAULT_ON_TAG_ATTR_8.lastIndex = 0;
- if (REGEXP_DEFAULT_ON_TAG_ATTR_8.test(value)) {
- REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
- if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
- return "";
- }
- }
- if (cssFilter !== false) {
- cssFilter = cssFilter || defaultCSSFilter;
- value = cssFilter.process(value);
- }
- }
-
- // escape `<>"` before returns
- value = escapeAttrValue(value);
- return value;
-}
-
-// RegExp list
-var REGEXP_LT = /</g;
-var REGEXP_GT = />/g;
-var REGEXP_QUOTE = /"/g;
-var REGEXP_QUOTE_2 = /&quot;/g;
-var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim;
-var REGEXP_ATTR_VALUE_COLON = /&colon;?/gim;
-var REGEXP_ATTR_VALUE_NEWLINE = /&newline;?/gim;
-var REGEXP_DEFAULT_ON_TAG_ATTR_3 = /\/\*|\*\//gm;
-var REGEXP_DEFAULT_ON_TAG_ATTR_4 = /((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a)\:/gi;
-var REGEXP_DEFAULT_ON_TAG_ATTR_5 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:/gi;
-var REGEXP_DEFAULT_ON_TAG_ATTR_6 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:\s*image\//gi;
-var REGEXP_DEFAULT_ON_TAG_ATTR_7 = /e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*\(.*/gi;
-var REGEXP_DEFAULT_ON_TAG_ATTR_8 = /u\s*r\s*l\s*\(.*/gi;
-
-/**
- * escape doube quote
- *
- * @param {String} str
- * @return {String} str
- */
-function escapeQuote(str) {
- return str.replace(REGEXP_QUOTE, "&quot;");
-}
-
-/**
- * unescape double quote
- *
- * @param {String} str
- * @return {String} str
- */
-function unescapeQuote(str) {
- return str.replace(REGEXP_QUOTE_2, '"');
-}
-
-/**
- * escape html entities
- *
- * @param {String} str
- * @return {String}
- */
-function escapeHtmlEntities(str) {
- return str.replace(REGEXP_ATTR_VALUE_1, function replaceUnicode(str, code) {
- return code[0] === "x" || code[0] === "X"
- ? String.fromCharCode(parseInt(code.substr(1), 16))
- : String.fromCharCode(parseInt(code, 10));
- });
-}
-
-/**
- * escape html5 new danger entities
- *
- * @param {String} str
- * @return {String}
- */
-function escapeDangerHtml5Entities(str) {
- return str
- .replace(REGEXP_ATTR_VALUE_COLON, ":")
- .replace(REGEXP_ATTR_VALUE_NEWLINE, " ");
-}
-
-/**
- * clear nonprintable characters
- *
- * @param {String} str
- * @return {String}
- */
-function clearNonPrintableCharacter(str) {
- var str2 = "";
- for (var i = 0, len = str.length; i < len; i++) {
- str2 += str.charCodeAt(i) < 32 ? " " : str.charAt(i);
- }
- return _.trim(str2);
-}
-
-/**
- * get friendly attribute value
- *
- * @param {String} str
- * @return {String}
- */
-function friendlyAttrValue(str) {
- str = unescapeQuote(str);
- str = escapeHtmlEntities(str);
- str = escapeDangerHtml5Entities(str);
- str = clearNonPrintableCharacter(str);
- return str;
-}
-
-/**
- * unescape attribute value
- *
- * @param {String} str
- * @return {String}
- */
-function escapeAttrValue(str) {
- str = escapeQuote(str);
- str = escapeHtml(str);
- return str;
-}
-
-/**
- * `onIgnoreTag` function for removing all the tags that are not in whitelist
- */
-function onIgnoreTagStripAll() {
- return "";
-}
-
-/**
- * remove tag body
- * specify a `tags` list, if the tag is not in the `tags` list then process by the specify function (optional)
- *
- * @param {array} tags
- * @param {function} next
- */
-function StripTagBody(tags, next) {
- if (typeof next !== "function") {
- next = function() {};
- }
-
- var isRemoveAllTag = !Array.isArray(tags);
- function isRemoveTag(tag) {
- if (isRemoveAllTag) return true;
- return _.indexOf(tags, tag) !== -1;
- }
-
- var removeList = [];
- var posStart = false;
-
- return {
- onIgnoreTag: function(tag, html, options) {
- if (isRemoveTag(tag)) {
- if (options.isClosing) {
- var ret = "[/removed]";
- var end = options.position + ret.length;
- removeList.push([
- posStart !== false ? posStart : options.position,
- end
- ]);
- posStart = false;
- return ret;
- } else {
- if (!posStart) {
- posStart = options.position;
- }
- return "[removed]";
- }
- } else {
- return next(tag, html, options);
- }
- },
- remove: function(html) {
- var rethtml = "";
- var lastPos = 0;
- _.forEach(removeList, function(pos) {
- rethtml += html.slice(lastPos, pos[0]);
- lastPos = pos[1];
- });
- rethtml += html.slice(lastPos);
- return rethtml;
- }
- };
-}
-
-/**
- * remove html comments
- *
- * @param {String} html
- * @return {String}
- */
-function stripCommentTag(html) {
- return html.replace(STRIP_COMMENT_TAG_REGEXP, "");
-}
-var STRIP_COMMENT_TAG_REGEXP = /<!--[\s\S]*?-->/g;
-
-/**
- * remove invisible characters
- *
- * @param {String} html
- * @return {String}
- */
-function stripBlankChar(html) {
- var chars = html.split("");
- chars = chars.filter(function(char) {
- var c = char.charCodeAt(0);
- if (c === 127) return false;
- if (c <= 31) {
- if (c === 10 || c === 13) return true;
- return false;
- }
- return true;
- });
- return chars.join("");
-}
-
-exports.whiteList = getDefaultWhiteList();
-exports.getDefaultWhiteList = getDefaultWhiteList;
-exports.onTag = onTag;
-exports.onIgnoreTag = onIgnoreTag;
-exports.onTagAttr = onTagAttr;
-exports.onIgnoreTagAttr = onIgnoreTagAttr;
-exports.safeAttrValue = safeAttrValue;
-exports.escapeHtml = escapeHtml;
-exports.escapeQuote = escapeQuote;
-exports.unescapeQuote = unescapeQuote;
-exports.escapeHtmlEntities = escapeHtmlEntities;
-exports.escapeDangerHtml5Entities = escapeDangerHtml5Entities;
-exports.clearNonPrintableCharacter = clearNonPrintableCharacter;
-exports.friendlyAttrValue = friendlyAttrValue;
-exports.escapeAttrValue = escapeAttrValue;
-exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
-exports.StripTagBody = StripTagBody;
-exports.stripCommentTag = stripCommentTag;
-exports.stripBlankChar = stripBlankChar;
-exports.cssFilter = defaultCSSFilter;
-exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;