Merge pull request #218 from TomAnthony/fix-whitespace-bypass

Fix whitespace bypass
leizongmin · May 6, 2021 · 730a0b5 · 730a0b5
2 parents 6586f49 + 51de741
commit 730a0b5
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/lib/parser.js b/lib/parser.js
@@ -89,7 +89,7 @@ function parseTag(html, onTag, escapeHtml) {
           var i = 1;
           var ic = html.charAt(currentPos - i);
 
-          while ((ic === " ") || (ic === "=")) {
+          while ((ic.trim() === "") || (ic === "=")) {
             if (ic === "=") {
               quoteStart = c;
               continue chariterator;

diff --git a/test/test_custom_method.js b/test/test_custom_method.js
@@ -360,7 +360,7 @@ describe("test custom XSS method", function() {
     );
   });
 
-  it("#onTag - sanitize html parameter", function() {
+  it("#onTag - sanitize html parameter space", function() {
     var source = '<a target= " href="><script>alert(2)</script>"><span>';
     var i = 0;
     var html = xss(source, {
@@ -374,4 +374,19 @@ describe("test custom XSS method", function() {
     debug(html);
     assert.equal(html, '<a target= " href="><span>&lt;script&gt;alert(2)&lt;/script&gt;"&gt;<span>');
   });
+
+  it("#onTag - sanitize html parameter tab", function() {
+    var source = '<a target=	" href="><script>alert(2)</script>"><span>';
+    var i = 0;
+    var html = xss(source, {
+      onTag: function(_, E, S) {
+        if (S.isWhite && "a" === _) {
+          if (S.isClosing) return "</span></a>";
+          return "".concat(E, '<span>');
+        }
+      }
+    });
+    debug(html);
+    assert.equal(html, '<a target=	" href="><span>&lt;script&gt;alert(2)&lt;/script&gt;"&gt;<span>');
+  });
 });