export const renderMarkdown = (
content: string,
markedOptions: object,
hassOptions: {
// Do not allow SVG on untrusted content, it allows XSS.
allowSvg?: boolean;
} = {}
) => {
if (!whiteListNormal) {
whiteListNormal = {
...filterXSS.whiteList,
"ha-icon": ["icon"],
};
}
let whiteList: WhiteList | undefined;
if (hassOptions.allowSvg) {
if (!whiteListSvg) {
whiteListSvg = {
...whiteListNormal,
svg: ["xmlns", "height", "width"],
path: ["transform", "stroke", "d"],
};
}
whiteList = whiteListSvg;
} else {
const XSSWL = Object.keys(xss.whiteList).reduce((acc, element) => {
// @ts-ignore
acc[element] = xss.whiteList[element].concat(['class', 'style']);
return acc;
}, {});
var IO = function(server) {
var io = sio.listen(server)
var users = {},
usocket = {};
var counter = 0;
var home = {};
var xss = require('xss');
var drawlist = ['杯子', '苹果', '香蕉', '花',"乌龟","大象","飞机","手枪","蛋糕","火车","椅子","桌子","大树"];
var quest = "";
var interval = null;
// 添加或更新白名单中的标签 标签名(小写) = ['允许的属性列表(小写)']
xss.whiteList['img'] = ['src'];
// 删除默认的白名单标签
delete xss.whiteList['div'];
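// Custom handling for tags that are not in the whitelist.
// NOTE(review): current js-xss reads onIgnoreTag from the options object
// passed to xss(html, options) / new FilterXSS(options), not from a property
// assigned on the module function; if this handler is meant to take effect,
// pass it as an option instead — confirm against the installed version.
xss.onIgnoreTag = function(tag, html) {
  // tag:  the current tag name, lower-cased, e.g. "a"
  // html: the HTML source of the current tag, e.g. <a href="ooxx">
  // Return replacement HTML for the tag, or return nothing to fall back to
  // the library's default handling. To replace the tag with a marker:
  //   return '[removed]';
  // The line below reproduces the default handling: the tag is neutralised by
  // escaping its angle brackets so the browser renders it as literal text
  // rather than parsing it.
  return html.replace(/</g, '&lt;').replace(/>/g, '&gt;');
};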
function Quest() {
//随机出题
outQuest();
//interval = setInterval(outQuest, 60000);
import xss from 'xss';
import { sanitizeUrl as braintreeSanitizeUrl } from '@braintree/sanitize-url';
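// Attribute allow-list: js-xss's default list, with `class` and `style`
// additionally permitted on every tag it already allows. Built from
// Object.entries with a typed accumulator so no @ts-ignore is needed; an
// entry with no attribute array is treated as empty.
// Allowing `style` on every tag is deliberate here — js-xss still runs its
// CSS filter over style values, so only its default-permitted CSS properties
// survive sanitisation.
const XSSWL = Object.entries(xss.whiteList).reduce<Record<string, string[]>>(
  (acc, [tag, attrs]) => {
    acc[tag] = [...(attrs ?? []), 'class', 'style'];
    return acc;
  },
  {}
);

// Sanitiser instance configured with the extended allow-list above.
const sanitizeXSS = new xss.FilterXSS({
  whiteList: XSSWL,
});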
/**
 * Returns a string that is safe to embed as HTML: tags and attributes not in
 * XSSWL are escaped or removed by js-xss.
 *
 * Note that XSSWL permits `class` and `style` on every allow-listed tag. Even
 * though the style attribute is allowed, js-xss still applies its default CSS
 * filter to the value, so only the properties in the linked default list get
 * through.
 * Info: https://github.com/leizongmin/js-xss#customize-css-filter
 * Whitelist: https://github.com/leizongmin/js-css-filter/blob/master/lib/default.js
*/
'use strict';

var xss = require('xss');
var MarkdownIt = require('markdown-it');

// markdown-it configuration: raw HTML in the source is kept (html: true) and
// bare URLs are turned into links. Because raw HTML is let through here, the
// xss() step in render() is the only thing between user input and the page.
var markdownOptions = {
  html: true,
  linkify: true,
};

// Let <code> carry a class attribute (presumably for syntax-highlighter
// language classes). NOTE(review): this writes into the whitelist object the
// xss module exports, so the change is visible to every other require('xss')
// caller in the process.
xss.whiteList.code = ['class'];

var md = new MarkdownIt(markdownOptions);
/**
 * Render Markdown to HTML.
 *
 * @param {string} content Markdown source; raw HTML inside it is passed
 *   through by markdown-it (html: true above).
 * @param {boolean} [filterXss] Pass exactly `false` to skip sanitisation;
 *   any other value (including undefined or null) keeps the filter on.
 * @returns {string} HTML, run through xss() unless filterXss === false.
 *
 * Security: skipping the filter hands the raw HTML straight to the page, so
 * `false` should only be used for content from a trusted author.
 */
exports.render = function (content, filterXss) {
  var rendered = md.render(content);
  if (filterXss === false) {
    return rendered;
  }
  return xss(rendered);
};
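// Emoticon shortcodes: `@(name)` becomes an <img> pointing at
// {domain}/static/images/emotion/{name}.png. The capture group is handed to
// the replacer directly instead of re-matching the inner `(...)` with a
// second regex.
const regex = /@\((.+?)\)/g;
tokens[idx].content = text.replace(regex, (match, name) => {
  if (!name) {
    return match;
  }
  // `name` is user-controlled and the capture accepts any character except a
  // newline — including `"`, `<`, `>` and `/`. Percent-encode it so it can
  // neither break out of the src attribute nor alter the path (e.g. `../`).
  // Plain ASCII names are unchanged; non-ASCII names become percent-encoded,
  // which resolves to the same resource.
  const safeName = encodeURIComponent(name);
  return `<img src="${siteInfo.domain}/static/images/emotion/${safeName}.png" class="emoji">`;
});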
});
// Sanitiser for rendered markdown. Starts from js-xss's default allow-list and
// replaces its `img` entry (the later key wins in the merge) so images keep
// only class, src and alt.
const Xss = new jsxss.FilterXSS({
  whiteList: Object.assign({}, jsxss.whiteList, {
    img: ['class', 'src', 'alt'],
  }),
  // Attributes outside the allow-list are dropped (empty string returned).
  // The one exception keeps `class` on <pre> so prettyprint-style code
  // highlighting still works; the value is attribute-escaped before being
  // re-emitted.
  onIgnoreTagAttr(tag, name, value) {
    const keepClassOnPre = tag === 'pre' && name === 'class';
    if (!keepClassOnPre) {
      return '';
    }
    return `${name}="${jsxss.escapeAttrValue(value)}"`;
  },
});
/**
 * Run HTML through the sanitiser configured above.
 * @param {string} html raw, possibly user-supplied HTML
 * @returns {string} sanitised HTML
 */
const xss = function (html) {
  return Xss.process(html);
};
export default mdStr => {
var IO = function(server) {
var io = sio.listen(server)
var users = {},
usocket = {};
var counter = 0;
var home = {};
var xss = require('xss');
var drawlist = ['杯子', '苹果', '香蕉', '花',"乌龟","大象","飞机","手枪","蛋糕","火车","椅子","桌子","大树"];
var quest = "";
var interval = null;
// 添加或更新白名单中的标签 标签名(小写) = ['允许的属性列表(小写)']
xss.whiteList['img'] = ['src'];
// 删除默认的白名单标签
delete xss.whiteList['div'];
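// Custom handling for tags that are not in the whitelist.
// NOTE(review): current js-xss reads onIgnoreTag from the options object
// passed to xss(html, options) / new FilterXSS(options), not from a property
// assigned on the module function; if this handler is meant to take effect,
// pass it as an option instead — confirm against the installed version.
xss.onIgnoreTag = function(tag, html) {
  // tag:  the current tag name, lower-cased, e.g. "a"
  // html: the HTML source of the current tag, e.g. <a href="ooxx">
  // Return replacement HTML for the tag, or return nothing to fall back to
  // the library's default handling. To replace the tag with a marker:
  //   return '[removed]';
  // The line below reproduces the default handling: the tag is neutralised by
  // escaping its angle brackets so the browser renders it as literal text
  // rather than parsing it.
  return html.replace(/</g, '&lt;').replace(/>/g, '&gt;');
};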
// Start a round: draw a prompt immediately. The periodic redraw on a timer
// is left disabled below.
function Quest() {
// pick a prompt at random
outQuest();
//interval = setInterval(outQuest, 60000);
}
var _mapParsedCsvData = function(parsedData) {
var result = [];
var keys = [];
var whiteList = _.clone(xss.whiteList);
whiteList.table = _.union(whiteList.table, ['class']);
whiteList.img = _.union(whiteList.img, ['style', 'align']);
var xssOptions = {
whiteList: whiteList
};
for (var i = 0; i < parsedData.length; i++) {
if (i === 0) {
for (var j = 0; j < parsedData[i].length; j++) {
var key = xss(_.trim(parsedData[i][j].toLowerCase()));
keys.push(key);
}
} else {
var object = {};
for (var n = 0; n < keys.length; n++) {
object[keys[n]] = xss(_.trim(parsedData[i][n]), xssOptions);
}
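// Loose sanitiser: js-xss's default allow-list plus <iframe>, <style> and
// <link>. The custom entries now come after the spread so they take
// precedence; with the spread last, any same-named key in the default list
// would silently win over the entries added here.
// Security: this intentionally admits remote content — iframe src, link href
// and raw <style> text — so it must only be applied to HTML from trusted
// authors, never to anonymous input. js-xss's default attribute handling
// restricts the schemes allowed in src/href (confirm for the installed
// version), but it cannot stop an iframe from framing an arbitrary site or a
// <link> from pulling in an external stylesheet.
lenient(html) {
  return xss(html, {
    whiteList: {
      ...xss.whiteList,
      iframe: ['src', 'class'],
      style: [],
      link: ['href', 'rel', 'type']
    }
  });
},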
strict(html) {