/**
 * tests for xss() function
 *
 * @author Zongmin Lei
 */
var assert = require("assert");
var _xss = require("../");
var debug = require("debug")("xss:test");

/**
 * Thin wrapper around the library's xss() used by every assertion below.
 * It forwards `html` and `options` to _xss unchanged and logs both the
 * input and the filtered output on the "xss:test" debug namespace, so a
 * failing assertion shows exactly what went in and what came back.
 *
 * @param {*} html - value handed straight to _xss; the tests deliberately
 *   pass undefined, null, a number and a plain object as well as strings
 * @param {Object} [options] - forwarded to _xss as-is (e.g. stripBlankChar,
 *   whiteList)
 * @returns {*} whatever _xss returns for that input
 */
function xss(html, options) {
  debug(JSON.stringify(html));
  var ret = _xss(html, options);
  // tab prefix keeps the logged output visually distinct from the input line
  debug("\t" + JSON.stringify(ret));
  return ret;
}

describe("test XSS", function() {
  it("#normal", function() {
    // Cope with all sorts of odd (non-string) inputs
    assert.equal(xss(), "");
    assert.equal(xss(null), "");
    assert.equal(xss(123), "123");
    assert.equal(xss({ a: 1111 }), "[object Object]");
    // Strip invisible characters: by default control characters are kept
    // verbatim; only stripBlankChar: true removes them
    assert.equal(
      xss("a\u0000\u0001\u0002\u0003\r\n b"),
      "a\u0000\u0001\u0002\u0003\r\n b"
    );
    assert.equal(
      xss("a\u0000\u0001\u0002\u0003\r\n b", { stripBlankChar: true }),
      "a\r\n b"
    );
    // Filter out tags that are not on the whitelist
    assert.equal(xss("abcd"), "abcd");
    assert.equal(xss("abcd"), "<o>abcd</o>");
    assert.equal(xss("abcd"), "abcd</o>");
    assert.equal(xss("abcd"), "<o>abcd</o>");
    assert.equal(xss("
"), "
"); assert.equal(xss(""), "<xss>"); assert.equal(xss(''), '<xss o="x">'); assert.equal(xss("c"), "c"); assert.equal(xss("b"), "<c>b</c>"); // 过滤不是标签的<> assert.equal(xss("<>>"), "<>>"); assert.equal(xss(""), "<script>"); assert.equal(xss("<b>"), "<b>"); assert.equal(xss("<<>b"), "<<>b<x>"); // 过滤不在白名单中的属性 assert.equal( xss('yy'), 'yy' ); assert.equal(xss("pp"), "pp"); assert.equal(xss('pp'), "pp"); assert.equal(xss(''), ""); // 属性内的特殊字符 assert.equal(xss(''), ''); assert.equal(xss(''), ""); assert.equal(xss(''), ""); assert.equal(xss(''), ""); assert.equal( xss(''), '' ); assert.equal( xss('hello'), "hello" ); // 自动将属性值的单引号转为双引号 assert.equal(xss(""), ''); assert.equal(xss(""), ''); // 没有双引号括起来的属性值 assert.equal(xss(""), ''); assert.equal(xss(''), ''); assert.equal(xss(""), ""); // 单个闭合标签 assert.equal(xss(""), ""); assert.equal(xss(""), ""); assert.equal(xss(""), ""); assert.equal(xss("
"), "
"); assert.equal(xss("
"), "
"); // 畸形属性格式 assert.equal( xss('
'), '' ); assert.equal( xss(''), '' ); assert.equal( xss(''), '' ); assert.equal( xss(""), '' ); assert.equal( xss(""), '' ); assert.equal( xss(''), '' ); assert.equal( xss(""), '' ); assert.equal( xss(""), '' ); assert.equal( xss('yyy'), 'yyy' ); assert.equal( xss( '\'yyy\'' ), '\'yyy\'' ); // 使用Tab或换行符分隔的属性 assert.equal( xss(''), '' ); assert.equal( xss(''), '' ); assert.equal( xss(''), '' ); assert.equal( xss(''), '' ); }); // 自定义白名单 it("#white list", function() { // 过滤所有标签 assert.equal( xss('bb', { whiteList: {} }), '<a title="xx">bb</a>' ); assert.equal(xss("
", { whiteList: {} }), "<hr>"); // 增加白名单标签及属性 assert.equal( xss('uu', { whiteList: { ooxx: ["yy"] } }), 'uu' ); }); // XSS攻击测试:https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet it("#XSS_Filter_Evasion_Cheat_Sheet", function() { assert.equal( xss( ">
\">'>alert(String.fromCharCode(88,83,83))" ), "></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>" ); assert.equal(xss(';!--"=&{()}'), ';!--"<XSS>=&{()}'); assert.equal( xss("