UNPKG

xss-filters

Version:

Secure XSS Filters - Just sufficient output filtering to prevent XSS!

github.com/yahoo/xss-filters

yahoo/xss-filters

80 lines (57 loc) 2.17 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
/* Copyright (c) 2015, Yahoo! Inc. All rights reserved. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms. Author: Stuart Larsen <stuartlarsen@yahoo-inc.com> */ var express = require('express'); var redis = require('redis'), client = redis.createClient(); var async = require('async'); var xssFilters = require('../../dist/xss-filters'); var app = express(); function buildResponse(id, fuzz) { return "<html> <body> <h1> Fuzz Test! </h1>" + "<script>window.alert = function(msg) { console.log(\"" + id + ":\"+ msg) } </script>" + "<script>window.prompt = function(msg) { console.log(\"" + id + ":\"+ msg) } </script>" + // "<script>alert('xssssss')</script>" + // "<SCRIPT SRC='http://yahoo.com'></SCRIPT>" + "<div style='border: 1px solid'> " + "<h2> xssFilters.inHTMLData(fuzz) </h1>" + "<div> " + xssFilters.inHTMLData(fuzz) + " </div> " + "</div>" + "<div style='border: 1px solid'> " + "<h2> xssFilters.inHTMLComment(fuzz) </h2>" + "<!-- " + xssFilters.inHTMLComment(fuzz) + " --> " + "</div>" + "<div style='border: 1px solid'> " + "<h2> xssFilters.inSingleQuotedAttr(fuzz) </h2> " + "<input value='" + xssFilters.inSingleQuotedAttr(fuzz) + "'/>" + "</div>" + "<div style='border: 1px solid'> " + "<h2> xssFilters.inDoubleQuotedAttr(fuzz) </h2> "+ "<input value=\"" + xssFilters.inDoubleQuotedAttr(fuzz) + "\"/>" + "</div>" + "<div style='border: 1px solid'> " + "<h2> xssFilters.inUnQuotedAttr(fuzz) </h2> " + "<input value=" + xssFilters.inUnQuotedAttr(fuzz) + "'/>" + "</body> </html>"; } function getTestcase(id, next) { client.get('testcases:'+id, function(err, response) { next(err, response); }); } app.get('/', function(req, res) { res.send('okay'); }); app.get('/testcase/:id', function(req, res) { console.log("/testcase/" + req.params.id); getTestcase(req.params.id, function(err, response) { var out = buildResponse(req.params.id, response); console.log(req.params.id, response); res.send(out); }); }); console.log("Listening on :1339"); app.listen(1339, function(err) { if (err){ console.log(err);}});