Skip to content

Commit

Permalink
publish: v1.0.15
Browse files Browse the repository at this point in the history
  • Loading branch information
leizongmin committed Mar 3, 2024
1 parent ae15483 commit 9c92272
Show file tree
Hide file tree
Showing 4 changed files with 14 additions and 4 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# CHANGELOG

## v1.0.15 (2024-03-03)

- [feat: add <kbd> to default whitelist](https://github.com/leizongmin/js-xss/pull/279) by @rayrny
- [feat: single-quoted attribute value syntax support](https://github.com/leizongmin/js-xss/pull/287) by @mdk000

## v1.0.14 (2022-08-16)

- [fix: problem with not closed tag](https://github.com/leizongmin/js-xss/pull/262) by @slawiko
Expand Down
9 changes: 7 additions & 2 deletions dist/xss.js
Original file line number Diff line number Diff line change
Expand Up @@ -58,8 +58,9 @@ function getDefaultWhiteList() {
header: [],
hr: [],
i: [],
img: ["src", "alt", "title", "width", "height"],
img: ["src", "alt", "title", "width", "height", "loading"],
ins: ["datetime"],
kbd: [],
li: [],
mark: [],
nav: [],
Expand Down Expand Up @@ -456,6 +457,7 @@ exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
exports.StripTagBody = StripTagBody;
exports.stripCommentTag = stripCommentTag;
exports.stripBlankChar = stripBlankChar;
exports.attributeWrapSign = '"';
exports.cssFilter = defaultCSSFilter;
exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;

Expand Down Expand Up @@ -910,6 +912,8 @@ function FilterXSS(options) {
options.whiteList = DEFAULT.whiteList;
}

this.attributeWrapSign = options.singleQuotedAttributeValue === true ? "'" : DEFAULT.attributeWrapSign;

options.onTag = options.onTag || DEFAULT.onTag;
options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
Expand Down Expand Up @@ -947,6 +951,7 @@ FilterXSS.prototype.process = function (html) {
var onIgnoreTagAttr = options.onIgnoreTagAttr;
var safeAttrValue = options.safeAttrValue;
var escapeHtml = options.escapeHtml;
var attributeWrapSign = me.attributeWrapSign;
var cssFilter = me.cssFilter;

// remove invisible characters
Expand Down Expand Up @@ -1000,7 +1005,7 @@ FilterXSS.prototype.process = function (html) {
// call `safeAttrValue()`
value = safeAttrValue(tag, name, value, cssFilter);
if (value) {
return name + '="' + value + '"';
return name + '=' + attributeWrapSign + value + attributeWrapSign;
} else {
return name;
}
Expand Down
Loading

0 comments on commit 9c92272

Please sign in to comment.