-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to whitelist tag attributes in xss validator? (Error in docs) #426
Comments
Hey Buddy, Thanks for reporting this issue. The XSS validator uses the xss js package so it could be the upstream issue. As you suggest, I think there is also an issue in the documentation that dhoukd be fixed. |
Can you reproduce? Maybe it is an upstream issue, it doesnt work like this: Maybe because the json arrives like this? Also this xss validation things are very very hard to debug because there is no console log output why a request has been blocked. |
Yes, I can reproduce and I think it is related with #206 When I passed this string with yours whitelist xss validation configuration I got: { text: '<a href="' } I think the issue is not related with whitelisting not working but rather with the fact that underlying package escapes the Would you be interested in contributing to the project with a PoC of something that could fix this problem? :) |
Unfortunately I dont have the time and probably also the insights :( |
Ok, I will take a look at it in the upcoming days to see if I can fix it somehow |
This happened to me also. It was because I was sending up the HTML in an object which was being JSON.stringified to send up to the server endpoint. That meant that the tag attributes in the html content with double quotes were being escaped: So for example, this was being parsed by the xss parser:
And the processed output ended up being:
(notice the extra I'm not sure how you'd fix this.... But to get around it, we have:
xssValidator: {
whiteList: {
p: [],
a: ['href', 'target', 'rel', 'class']
},
// @ts-ignore - this is a valid option in xss. See here: https://www.npmjs.com/package/xss#customize-output-attribute-value-syntax-for-html
singleQuotedAttributeValue: true
}
} Kudos to @Logannford for helping with this 🙌 |
How can I whitelist tag attributes in the xss validator? The docs say:
But this would be invalid TypeScript. I guess you meant to use an array?
If yes then it doesnt work for me:
whiteList: { a: ['href', 'target', 'rel'] }
. I can whitelist tags likestrong
but I cant whitelist a tag with attributes. Maybe it is a bug also.The text was updated successfully, but these errors were encountered: