yahooarchive / xss-filters Goto Github PK
View Code? Open in Web Editor NEWSecure XSS Filters.
License: Other
Secure XSS Filters.
License: Other
Hello, thanks for the module.
A little question. ¿escapes "$" or "."?
builds get stuck on the karma test
Running "karma:ci" (karma) task
No SAUCE credentials found (missing SAUCE_USERNAME and SAUCE_ACCESS_KEY env variables). Skipping SauceLabs testing.
08 06 2016 10:15:36.446:WARN [karma]: No captured browser, open http://localhost:9876/
08 06 2016 10:15:36.453:INFO [karma]: Karma v0.13.22 server started at http://localhost:9876/
Failed builds:
https://travis-ci.org/yahoo/xss-filters/jobs/79610450
https://travis-ci.org/yahoo/xss-filters/jobs/131198435
uriInUnQuotedAttr
will catch url's starting with javascript
but it doesn't catch url's starting with data:text/html
using FireFox this can bypass the filter.
Preview
http://127.0.0.1:3000/?url=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
Will result in:
<a href=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+>data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+</a>
Script I used
var express = require('express');
var app = express();
var xssFilters = require('xss-filters');
app.get('/', function(req, res){
var url = req.query.url;
res.send("<a href=" + xssFilters.uriInUnQuotedAttr(url) + ">" + xssFilters.uriInHTMLData(url) + "</a>");
});
app.listen(3000); // <- this is not present at the readme, you might want to add it.
I was taking a look at version 1.2.6 and I see that the URI filters take a blacklist approach: URI_BLACKLIST_PROTOCOLS
, xss-filters.js, line 59. A similar approach is taken for CSS_BLACKLIST
.
What are the advantages of doing things this way? It seems to me that a whitelist is more secure by default and has the benefit of being more future-proof. The only downside that I can think of that the filter could be too strict, but that could be worked around with a default whitelist that's good enough for most use cases, plus an interface for users to add to the whitelist.
it is common for xss filters to include a filter for filtering javascript string, so we better include this in manual filter, thought?
My question is better summarized on stackoverflow:
http://stackoverflow.com/questions/30526880/should-url-be-stored-in-encoded-or-decoded-form
Given we store url as http://example.com/%E4%BD%A0%E5%A5%BD
, running uriInDoubleQuotedAttr on it will double-encode %
, but running decodeURI
before uriInDoubleQuotedAttr
seem even stranger.
Does yahoo store url as http://example.com/你好
? If not, how do you guys handle this case?
package.json 1.1.1
bower.json 1.0.4
bower xss-filters#1.1.1 not-cached git://github.com/yahoo/xss-filters.git#1.1.1
bower xss-filters#1.1.1 resolve git://github.com/yahoo/xss-filters.git#1.1.1
bower xss-filters#1.1.1 download https://github.com/yahoo/xss-filters/archive/v1.1.1.tar.gz
bower xss-filters#1.1.1 extract archive.tar.gz
bower xss-filters#1.1.1 mismatch Version declared in the json (1.0.4) is different than the resolved one (1.1.1)
bower xss-filters#1.1.1 resolved git://github.com/yahoo/xss-filters.git#1.1.1
bower xss-filters#1.1.1 install xss-filters#1.1.1
Hey, I was looking through your tests and didn't see alot of XSS attacks. But I'm a n00b on this.
I found this list of attacks that would make a great set of tests: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
An interesting issue we encounter when using xss-filters
is trying to get url component to stay unchanged.
Say we have an image proxy like https://github.com/atmos/camo, Which takes an url like http://example.org/<digest>?url=<image-url>
, where digest
is a hmac of image-url
and some secret string, so that you can guarantee the url is generated by server.
Now since image-url
is user input, you might want to run uriInDoubleQuotedAttr
before putting it in the <img src="...">
, but I tried doing that and see uriInDoubleQuotedAttr
changed the component somehow.
So if we are to generate and filter a flickr image: https://farm1.staticflickr.com/1/106113_be9654002c.jpg
// before filter
https://local.dev/8ed9c616a36997f04e1fde03d7d679c684316b09/?url=https%3A%2F%2Ffarm1.staticflickr.com%2F1%2F106113_be9654002c.jpg&size=400
// after filter
https://local.dev/8ed9c616a36997f04e1fde03d7d679c684316b09/?url=https%253A%252F%252Ffarm1.staticflickr.com%252F1%252F106113_be9654002c.jpg&size=400
Should we apply the filter earlier by making uriComponentInDoubleQuotedAttr
when we build the url? It does work but I am not sure if it's the safe thing to do.
PS: https://github.com/yahoo/xss-filters#warnings does the warning mean we shouldn't use this generated url in style="background-image: url(...)"
?
Just wondering, wouldn't you use that also on the server side as a mean to sanitize input (escape headers and other input fields)? obviously, the server can't trust the UI for doing that
I'm not sure I follow. Can you elaborate when to use the filter? I assume filter means any method in xssFilters
?
<script>
<script>
var firstname = "..."; //an untrusted input collected from user
document.write('<h1> Hello, ' + xssFilters.inHTMLData(firstname) + '!</h1>')
</script>
Null byte is problematic in the HTML5 specification. I think it has no benefit having null byte allowed in any filtered output. Thoughts?
While I very much appreciate have dedicated API for just about every use-case scenario, this puts the burden of choosing the correct API on developers.
https://github.com/yahoo/xss-filters/wiki
It would be great have a basic API that take cares of very common use-case: let's say, an API that covers inHTMLData
+ inDoubleQuotedAttr
.
As a follow-up question: is it ok to apply both inHTMLData
+ inDoubleQuotedAttr
on an output? If not, then developer do really have to remember the right API.
Hi,
When i'm trying to install the 'xss-filters' dependency by running npm i xss-filters
or npm install xss-filters
(locally and globally),
I'm getting an error :
npm ERR! code EPROTO
npm ERR! errno EPROTO
npm ERR! request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827:
with the fallowing log :
0 info it worked if it ends with ok
1 verbose cli [ 'C:\Program Files\nodejs\node.exe',
1 verbose cli 'C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js',
1 verbose cli 'i',
1 verbose cli 'xss-filters' ]
2 info using [email protected]
3 info using [email protected]
4 verbose npm-session 6337e6ced2218c84
5 silly install loadCurrentTree
6 silly install readLocalPackageData
7 silly fetchPackageMetaData error for xss-filters@latest request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827:
8 verbose type system
9 verbose stack FetchError: request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827:
9 verbose stack
9 verbose stack at ClientRequest.req.on.err (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\node_modules\make-fetch-happen\node_modules\node-fetch-npm\src\index.js:68:14)
9 verbose stack at emitOne (events.js:116:13)
9 verbose stack at ClientRequest.emit (events.js:211:7)
9 verbose stack at onerror (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\node_modules\make-fetch-happen\node_modules\https-proxy-agent\node_modules\agent-base\index.js:106:9)
9 verbose stack at callbackError (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\node_modules\make-fetch-happen\node_modules\https-proxy-agent\node_modules\agent-base\index.js:126:5)
9 verbose stack at
10 verbose cwd C:\Users\Dev1\Desktop\New folder
11 verbose Windows_NT 10.0.17134
12 verbose argv "C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" "i" "xss-filters"
13 verbose node v8.11.1
14 verbose npm v5.6.0
15 error code EPROTO
16 error errno EPROTO
17 error request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827:
18 verbose exit [ 1, true ]
I don't think that i'm connected by proxy because when i run this commands:
echo $http_proxy
echo $https_proxy
echo $ftp_proxy
I get an empty response.
I'm working on windows 10 environment.
with the completion of the css style attribute private filter, i would like to ask for the manual css style attribute filter. the random thought would be the filter applying on the expression part of declaration and applying on the full string of css style attribute. thought?
My team and I are getting the below error when we do an npm install
on our project that uses xss-filters
. Not sure why this is happening, but if anyone has any insight into this, I would greatly appreciate it.
It may be worth noting that we do have a private NPM registry that has pulled this in from the public registry.
Thanks in advance for any assistance.
npm ERR! shasum check failed for /var/folders/9x/3hwlnngj0jn80b_v8bd1crh8392g3z/T/npm-82131-5d9a3836/npm.[private-npm-registry].com/xss-filters/-/xss-filters-1.2.7.tgz
npm ERR! Expected: 59fa1de201f36f2f3470dcac5f58ccc2830b0a9a
npm ERR! Actual: e3f620eb5b3c5f82928a72c3cda91e52f55a55a7
PS: This only happens with v1.2.7
Hello guys!
Can I use this in a production system? Yahoo is using somewhere?
Tks!
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.