fix: whitelist match failure due to case ignoring (#256)

leizongmin · May 27, 2022 · 1e44466 · 1e44466
1 parent 5a7c216
commit 1e44466
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/lib/xss.js b/lib/xss.js
@@ -60,6 +60,20 @@ function shallowCopyObject(obj) {
   return ret;
 }
 
+function keysToLowerCase(obj) {
+  var ret = {};
+  for (var i in obj) {
+    if (Array.isArray(obj[i])) {
+      ret[i.toLowerCase()] = obj[i].map(function (item) {
+        return item.toLowerCase();
+      });
+    } else {
+      ret[i.toLowerCase()] = obj[i];
+    }
+  }
+  return ret;
+}
+
 /**
  * FilterXSS class
  *
@@ -80,8 +94,12 @@ function FilterXSS(options) {
     }
     options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll;
   }
+  if (options.whiteList || options.allowList) {
+    options.whiteList = keysToLowerCase(options.whiteList || options.allowList);
+  } else {
+    options.whiteList = DEFAULT.whiteList;
+  }
 
-  options.whiteList = options.whiteList || options.allowList || DEFAULT.whiteList;
   options.onTag = options.onTag || DEFAULT.onTag;
   options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
   options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;

diff --git a/test/test_xss.js b/test/test_xss.js
@@ -167,7 +167,7 @@ describe("test XSS", function() {
     );
   });
 
-  it("#allowList", ()=>{
+  it("#allowList", function() {
     // 过滤所有标签
     assert.equal(
       xss('<a title="xx">bb</a>', { allowList: {} }),
@@ -432,4 +432,16 @@ describe("test XSS", function() {
     // console.log(options);
     assert.deepEqual(options, {});
   });
+
+  it("camel case tag names", function() {
+    assert.equal(xss('<animateTransform attributeName="transform"' +
+      'attributeType="XML"' +
+      'type="rotate"' +
+      'repeatCount="indefinite"/>', {
+      whiteList: {
+        animateTransform: ["attributeType", "repeatCount"]
+      }
+    }),
+      '<animatetransform attributetype="XML" repeatcount="indefinite" />');
+  });
 });