My question is better summarized on stackoverflow:

http://stackoverflow.com/questions/30526880/should-url-be-stored-in-encoded-or-decoded-form

Given we store url as http://example.com/%E4%BD%A0%E5%A5%BD, running uriInDoubleQuotedAttr on it will double-encode %, but running decodeURI before uriInDoubleQuotedAttr seem even stranger.

Does yahoo store url as http://example.com/你好? If not, how do you guys handle this case?

builds get stuck on the karma test

Running "karma:ci" (karma) task
No SAUCE credentials found (missing SAUCE_USERNAME and SAUCE_ACCESS_KEY env variables). Skipping SauceLabs testing.
08 06 2016 10:15:36.446:WARN [karma]: No captured browser, open http://localhost:9876/
08 06 2016 10:15:36.453:INFO [karma]: Karma v0.13.22 server started at http://localhost:9876/

Failed builds: https://travis-ci.org/yahoo/xss-filters/jobs/79610450 https://travis-ci.org/yahoo/xss-filters/jobs/131198435

@adon-at-work

While I very much appreciate have dedicated API for just about every use-case scenario, this puts the burden of choosing the correct API on developers.

https://github.com/yahoo/xss-filters/wiki

It would be great have a basic API that take cares of very common use-case: let's say, an API that covers inHTMLData + inDoubleQuotedAttr.

As a follow-up question: is it ok to apply both inHTMLData + inDoubleQuotedAttr on an output? If not, then developer do really have to remember the right API.

I was taking a look at version 1.2.6 and I see that the URI filters take a blacklist approach: URI_BLACKLIST_PROTOCOLS, xss-filters.js, line 59. A similar approach is taken for CSS_BLACKLIST.

What are the advantages of doing things this way? It seems to me that a whitelist is more secure by default and has the benefit of being more future-proof. The only downside that I can think of that the filter could be too strict, but that could be worked around with a default whitelist that's good enough for most use cases, plus an interface for users to add to the whitelist.

An interesting issue we encounter when using xss-filters is trying to get url component to stay unchanged.

Say we have an image proxy like https://github.com/atmos/camo, Which takes an url like http://example.org/<digest>?url=<image-url>, where digest is a hmac of image-url and some secret string, so that you can guarantee the url is generated by server.

Now since image-url is user input, you might want to run uriInDoubleQuotedAttr before putting it in the <img src="...">, but I tried doing that and see uriInDoubleQuotedAttr changed the component somehow.

So if we are to generate and filter a flickr image: https://farm1.staticflickr.com/1/106113_be9654002c.jpg

// before filter
https://local.dev/8ed9c616a36997f04e1fde03d7d679c684316b09/?url=https%3A%2F%2Ffarm1.staticflickr.com%2F1%2F106113_be9654002c.jpg&size=400

// after filter
https://local.dev/8ed9c616a36997f04e1fde03d7d679c684316b09/?url=https%253A%252F%252Ffarm1.staticflickr.com%252F1%252F106113_be9654002c.jpg&size=400

Should we apply the filter earlier by making uriComponentInDoubleQuotedAttr when we build the url? It does work but I am not sure if it's the safe thing to do.

PS: https://github.com/yahoo/xss-filters#warnings does the warning mean we shouldn't use this generated url in style="background-image: url(...)"?

uriInUnQuotedAttr will catch url's starting with javascript but it doesn't catch url's starting with data:text/html using FireFox this can bypass the filter.

Preview

http://127.0.0.1:3000/?url=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Will result in:

<a href=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+>data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+</a>

Script I used

var express = require('express');
var app = express();
var xssFilters = require('xss-filters');

app.get('/', function(req, res){
  var url = req.query.url;
  res.send("<a href=" + xssFilters.uriInUnQuotedAttr(url) + ">" + xssFilters.uriInHTMLData(url) + "</a>");
});

app.listen(3000); // <- this is not present at the readme, you might want to add it.

I'm not sure I follow. Can you elaborate when to use the filter? I assume filter means any method in xssFilters?

1. Is this warning only applies on Client-side?
2. Why is the example right before the warning applying filters inside a scritable context / <script>

<script>
var firstname = "..."; //an untrusted input collected from user
document.write('<h1> Hello, ' + xssFilters.inHTMLData(firstname) + '!</h1>')
</script>

My team and I are getting the below error when we do an npm install on our project that uses xss-filters. Not sure why this is happening, but if anyone has any insight into this, I would greatly appreciate it.

It may be worth noting that we do have a private NPM registry that has pulled this in from the public registry.

Thanks in advance for any assistance.

npm ERR! shasum check failed for /var/folders/9x/3hwlnngj0jn80b_v8bd1crh8392g3z/T/npm-82131-5d9a3836/npm.[private-npm-registry].com/xss-filters/-/xss-filters-1.2.7.tgz
npm ERR! Expected: 59fa1de201f36f2f3470dcac5f58ccc2830b0a9a
npm ERR! Actual:   e3f620eb5b3c5f82928a72c3cda91e52f55a55a7

PS: This only happens with v1.2.7

Making use of saucelabs to make sure the filters will pass unit tests in different browsers: https://travis-ci.org/yahoo/xss-filters/jobs/74862112

The browser list: https://github.com/yahoo/xss-filters/pull/44/files#diff-a2a3b7b0c9c3b4b93b4aebf4e3ec3cfbR10

Hey, I was looking through your tests and didn't see alot of XSS attacks. But I'm a n00b on this.

I found this list of attacks that would make a great set of tests: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Hi, When i'm trying to install the 'xss-filters' dependency by running npm i xss-filters or npm install xss-filters (locally and globally),

I'm getting an error :

npm ERR! code EPROTO npm ERR! errno EPROTO npm ERR! request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827:

with the fallowing log :

0 info it worked if it ends with ok 1 verbose cli [ 'C:\Program Files\nodejs\node.exe', 1 verbose cli 'C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js', 1 verbose cli 'i', 1 verbose cli 'xss-filters' ] 2 info using [email protected] 3 info using [email protected] 4 verbose npm-session 6337e6ced2218c84 5 silly install loadCurrentTree 6 silly install readLocalPackageData 7 silly fetchPackageMetaData error for xss-filters@latest request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827: 8 verbose type system 9 verbose stack FetchError: request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827: 9 verbose stack 9 verbose stack at ClientRequest.req.on.err (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\node_modules\make-fetch-happen\node_modules\node-fetch-npm\src\index.js:68:14) 9 verbose stack at emitOne (events.js:116:13) 9 verbose stack at ClientRequest.emit (events.js:211:7) 9 verbose stack at onerror (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\node_modules\make-fetch-happen\node_modules\https-proxy-agent\node_modules\agent-base\index.js:106:9) 9 verbose stack at callbackError (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\node_modules\make-fetch-happen\node_modules\https-proxy-agent\node_modules\agent-base\index.js:126:5) 9 verbose stack at 10 verbose cwd C:\Users\Dev1\Desktop\New folder 11 verbose Windows_NT 10.0.17134 12 verbose argv "C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" "i" "xss-filters" 13 verbose node v8.11.1 14 verbose npm v5.6.0 15 error code EPROTO 16 error errno EPROTO 17 error request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827: 18 verbose exit [ 1, true ]

I don't think that i'm connected by proxy because when i run this commands: echo $http_proxy echo $https_proxy echo $ftp_proxy I get an empty response.

I'm working on windows 10 environment.

Just wondering, wouldn't you use that also on the server side as a mean to sanitize input (escape headers and other input fields)? obviously, the server can't trust the UI for doing that

According to the benchmark,

• speed of getProtocol() is now 8.69x faster (or 3.53x faster given samples collected from flickr)
• speed of htmlDecode(), when used standalone, is 1.28x faster

This performance improvement is significant, and this will benefit those filters involving URIs (since yubl() is using getProtocol()).

This makes available an advanced config feature to make filter replace NULL. By using xssFilters._privFilters.config({replaceNull:true}), the five most basic contextual filters, on which all contexts/filters depend, will be replacing the null character with \uFFFD at last.

The performance penalty of enabling this is detailed in https://github.com/yahoo/xss-filters/blob/benchmarks/tests/benchmarks/null-replacement.js

An alternative approach is to have a layer of polyfill that patches problematic IE's document.write() and document.writeln(). note that innerHTML has no such problem.

Coverage is also made 100% thru this PR.

with the completion of the css style attribute private filter, i would like to ask for the manual css style attribute filter. the random thought would be the filter applying on the expression part of declaration and applying on the full string of css style attribute. thought?