How to use the xss.whiteList function in xss

To help you get started, we’ve selected a few xss examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github home-assistant / home-assistant-polymer / src / resources / markdown_worker.ts View on Github external
export const renderMarkdown = (
  content: string,
  markedOptions: object,
  hassOptions: {
    // Do not allow SVG on untrusted content, it allows XSS.
    allowSvg?: boolean;
  } = {}
) => {
  if (!whiteListNormal) {
    whiteListNormal = {
      ...filterXSS.whiteList,
      "ha-icon": ["icon"],
    };
  }

  let whiteList: WhiteList | undefined;

  if (hassOptions.allowSvg) {
    if (!whiteListSvg) {
      whiteListSvg = {
        ...whiteListNormal,
        svg: ["xmlns", "height", "width"],
        path: ["transform", "stroke", "d"],
      };
    }
    whiteList = whiteListSvg;
  } else {
github GridProtectionAlliance / openHistorian / Source / Applications / openHistorian / openHistorian / Grafana / public / app / core / utils / text.ts View on Github external
const XSSWL = Object.keys(xss.whiteList).reduce((acc, element) => {
  // @ts-ignore
  acc[element] = xss.whiteList[element].concat(['class', 'style']);
  return acc;
}, {});
github tianxiangbing / chat / socket / msg.js View on Github external
var IO = function(server) {
	var io = sio.listen(server)
	var users = {},
		usocket = {};
	var counter = 0;
	var home = {};
	var xss = require('xss');
	var drawlist = ['杯子', '苹果', '香蕉', '花',"乌龟","大象","飞机","手枪","蛋糕","火车","椅子","桌子","大树"];
	var quest = "";
	var interval = null;
	// 添加或更新白名单中的标签 标签名(小写) = ['允许的属性列表(小写)']
	xss.whiteList['img'] = ['src'];
	// 删除默认的白名单标签
	delete xss.whiteList['div'];
	// 自定义处理不在白名单中的标签
	xss.onIgnoreTag = function(tag, html) {
		// tag:当前标签名(小写),如:a
		// html:当前标签的HTML代码,如:<a href="ooxx">
		// 返回新的标签HTML代码,如果想使用默认的处理方式,不返回任何值即可
		// 比如将标签替换为[removed]:return '[removed]';
		// 以下为默认的处理代码:
		return html.replace(//g, '&gt;');
	}

	function Quest() {
		//随机出题
		outQuest();
		//interval = setInterval(outQuest, 60000);</a>
github GridProtectionAlliance / openHistorian / Source / Applications / openHistorian / openHistorian / Grafana / public / app / core / utils / text.ts View on Github external
import xss from 'xss';
import { sanitizeUrl as braintreeSanitizeUrl } from '@braintree/sanitize-url';

const XSSWL = Object.keys(xss.whiteList).reduce((acc, element) => {
  // @ts-ignore
  acc[element] = xss.whiteList[element].concat(['class', 'style']);
  return acc;
}, {});

const sanitizeXSS = new xss.FilterXSS({
  whiteList: XSSWL,
});

/**
 * Returns string safe from XSS attacks.
 *
 * Even though we allow the style-attribute, there's still default filtering applied to it
 * Info: https://github.com/leizongmin/js-xss#customize-css-filter
 * Whitelist: https://github.com/leizongmin/js-css-filter/blob/master/lib/default.js
 */
github cnpm / cnpmjs.org / common / markdown.js View on Github external
'use strict';

var xss = require('xss');
var MarkdownIt = require('markdown-it');

// allow class attr on code
xss.whiteList.code = ['class'];

var md = new MarkdownIt({
  html: true,
  linkify: true,
});

exports.render = function (content, filterXss) {
  var html = md.render(content);
  if (filterXss !== false) {
    html = xss(html);
  }
  return html;
};
github bs32g1038 / node-blog / client / libs / marked / index.ts View on Github external
const regex = /@\((.+?)\)/g;
    tokens[idx].content = text.replace(regex, str =&gt; {
        if (str) {
            const r = /\((.+?)\)/g.exec(str);
            if (r) {
                const name = r[1];
                return `<img src="${siteInfo.domain}/static/images/emotion/${name}.png" class="emoji">`;
            }
        }
        return str;
    });
});

const Xss = new jsxss.FilterXSS({
    whiteList: {
        ...jsxss.whiteList,
        img: ['class', 'src', 'alt'],
    },
    onIgnoreTagAttr: (tag, name, value) =&gt; {
        // 让 prettyprint 可以工作
        if (tag === 'pre' &amp;&amp; name === 'class') {
            return name + '="' + jsxss.escapeAttrValue(value) + '"';
        }
        return '';
    },
});

const xss = html =&gt; {
    return Xss.process(html);
};

export default mdStr =&gt; {
github tianxiangbing / chat / socket / msg.js View on Github external
var IO = function(server) {
	var io = sio.listen(server)
	var users = {},
		usocket = {};
	var counter = 0;
	var home = {};
	var xss = require('xss');
	var drawlist = ['杯子', '苹果', '香蕉', '花',"乌龟","大象","飞机","手枪","蛋糕","火车","椅子","桌子","大树"];
	var quest = "";
	var interval = null;
	// 添加或更新白名单中的标签 标签名(小写) = ['允许的属性列表(小写)']
	xss.whiteList['img'] = ['src'];
	// 删除默认的白名单标签
	delete xss.whiteList['div'];
	// 自定义处理不在白名单中的标签
	xss.onIgnoreTag = function(tag, html) {
		// tag:当前标签名(小写),如:a
		// html:当前标签的HTML代码,如:<a href="ooxx">
		// 返回新的标签HTML代码,如果想使用默认的处理方式,不返回任何值即可
		// 比如将标签替换为[removed]:return '[removed]';
		// 以下为默认的处理代码:
		return html.replace(//g, '&gt;');
	}

	function Quest() {
		//随机出题
		outQuest();
		//interval = setInterval(outQuest, 60000);
	}
</a>
github okfn / opendatasurvey / census / loaders / utils.js View on Github external
var _mapParsedCsvData = function(parsedData) {
  var result = [];
  var keys = [];
  var whiteList = _.clone(xss.whiteList);
  whiteList.table = _.union(whiteList.table, ['class']);
  whiteList.img = _.union(whiteList.img, ['style', 'align']);
  var xssOptions = {
    whiteList: whiteList
  };
  for (var i = 0; i &lt; parsedData.length; i++) {
    if (i === 0) {
      for (var j = 0; j &lt; parsedData[i].length; j++) {
        var key = xss(_.trim(parsedData[i][j].toLowerCase()));
        keys.push(key);
      }
    } else {
      var object = {};
      for (var n = 0; n &lt; keys.length; n++) {
        object[keys[n]] = xss(_.trim(parsedData[i][n]), xssOptions);
      }
github Terminal / discordapps.dev / website / static / xss.js View on Github external
lenient(html) {
    return xss(html, {
      whiteList: {
        iframe: ['src', 'class'],
        style: [],
        link: ['href', 'rel', 'type'],
        ...xss.whiteList
      }
    });
  },
  strict(html) {

xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist

MIT
Latest version published 10 months ago

Package Health Score

76 / 100
Full package analysis