I'm not sure I follow. Can you elaborate when to use the filter? I assume filter means any method in xssFilters?

1. Is this warning only applies on Client-side?
2. Why is the example right before the warning applying filters inside a scritable context / <script>

<script>
var firstname = "..."; //an untrusted input collected from user
document.write('<h1> Hello, ' + xssFilters.inHTMLData(firstname) + '!</h1>')
</script>

with the completion of the css style attribute private filter, i would like to ask for the manual css style attribute filter. the random thought would be the filter applying on the expression part of declaration and applying on the full string of css style attribute. thought?

Hey, I was looking through your tests and didn't see alot of XSS attacks. But I'm a n00b on this.

I found this list of attacks that would make a great set of tests: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

it is common for xss filters to include a filter for filtering javascript string, so we better include this in manual filter, thought?

package.json 1.1.1
bower.json 1.0.4

bower xss-filters#1.1.1 not-cached git://github.com/yahoo/xss-filters.git#1.1.1
bower xss-filters#1.1.1 resolve git://github.com/yahoo/xss-filters.git#1.1.1
bower xss-filters#1.1.1 download https://github.com/yahoo/xss-filters/archive/v1.1.1.tar.gz
bower xss-filters#1.1.1 extract archive.tar.gz
bower xss-filters#1.1.1 mismatch Version declared in the json (1.0.4) is different than the resolved one (1.1.1)
bower xss-filters#1.1.1 resolved git://github.com/yahoo/xss-filters.git#1.1.1
bower xss-filters#1.1.1 install xss-filters#1.1.1

uriInUnQuotedAttr will catch url's starting with javascript but it doesn't catch url's starting with data:text/html using FireFox this can bypass the filter.

Preview

http://127.0.0.1:3000/?url=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Will result in:

<a href=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+>data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+</a>

Script I used

var express = require('express');
var app = express();
var xssFilters = require('xss-filters');

app.get('/', function(req, res){
  var url = req.query.url;
  res.send("<a href=" + xssFilters.uriInUnQuotedAttr(url) + ">" + xssFilters.uriInHTMLData(url) + "</a>");
});

app.listen(3000); // <- this is not present at the readme, you might want to add it.

Hi,
When i'm trying to install the 'xss-filters' dependency by running npm i xss-filters or npm install xss-filters (locally and globally),

I'm getting an error :

npm ERR! code EPROTO
npm ERR! errno EPROTO
npm ERR! request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827:

with the fallowing log :

0 info it worked if it ends with ok
1 verbose cli [ 'C:\Program Files\nodejs\node.exe',
1 verbose cli 'C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js',
1 verbose cli 'i',
1 verbose cli 'xss-filters' ]
2 info using [email protected]
3 info using [email protected]
4 verbose npm-session 6337e6ced2218c84
5 silly install loadCurrentTree
6 silly install readLocalPackageData
7 silly fetchPackageMetaData error for xss-filters@latest request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827:
8 verbose type system
9 verbose stack FetchError: request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827:
9 verbose stack
9 verbose stack at ClientRequest.req.on.err (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\node_modules\make-fetch-happen\node_modules\node-fetch-npm\src\index.js:68:14)
9 verbose stack at emitOne (events.js:116:13)
9 verbose stack at ClientRequest.emit (events.js:211:7)
9 verbose stack at onerror (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\node_modules\make-fetch-happen\node_modules\https-proxy-agent\node_modules\agent-base\index.js:106:9)
9 verbose stack at callbackError (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\node_modules\make-fetch-happen\node_modules\https-proxy-agent\node_modules\agent-base\index.js:126:5)
9 verbose stack at
10 verbose cwd C:\Users\Dev1\Desktop\New folder
11 verbose Windows_NT 10.0.17134
12 verbose argv "C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" "i" "xss-filters"
13 verbose node v8.11.1
14 verbose npm v5.6.0
15 error code EPROTO
16 error errno EPROTO
17 error request to https://registry.npmjs.org/xss-filters failed, reason: write EPROTO 101057795:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:827:
18 verbose exit [ 1, true ]

I don't think that i'm connected by proxy because when i run this commands:
echo $http_proxy
echo $https_proxy
echo $ftp_proxy
I get an empty response.

I'm working on windows 10 environment.

Hello, thanks for the module.

A little question. ¿escapes "$" or "."?

https://www.npmjs.com/package/express-mongo-sanitize

Null byte is problematic in the HTML5 specification. I think it has no benefit having null byte allowed in any filtered output. Thoughts?

My question is better summarized on stackoverflow:

http://stackoverflow.com/questions/30526880/should-url-be-stored-in-encoded-or-decoded-form

Given we store url as http://example.com/%E4%BD%A0%E5%A5%BD, running uriInDoubleQuotedAttr on it will double-encode %, but running decodeURI before uriInDoubleQuotedAttr seem even stranger.

Does yahoo store url as http://example.com/你好? If not, how do you guys handle this case?

Just wondering, wouldn't you use that also on the server side as a mean to sanitize input (escape headers and other input fields)? obviously, the server can't trust the UI for doing that

Hello guys!
Can I use this in a production system? Yahoo is using somewhere?
Tks!

While I very much appreciate have dedicated API for just about every use-case scenario, this puts the burden of choosing the correct API on developers.

https://github.com/yahoo/xss-filters/wiki

It would be great have a basic API that take cares of very common use-case: let's say, an API that covers inHTMLData + inDoubleQuotedAttr.

As a follow-up question: is it ok to apply both inHTMLData + inDoubleQuotedAttr on an output? If not, then developer do really have to remember the right API.

I was taking a look at version 1.2.6 and I see that the URI filters take a blacklist approach: URI_BLACKLIST_PROTOCOLS, xss-filters.js, line 59. A similar approach is taken for CSS_BLACKLIST.

What are the advantages of doing things this way? It seems to me that a whitelist is more secure by default and has the benefit of being more future-proof. The only downside that I can think of that the filter could be too strict, but that could be worked around with a default whitelist that's good enough for most use cases, plus an interface for users to add to the whitelist.

builds get stuck on the karma test

Running "karma:ci" (karma) task
No SAUCE credentials found (missing SAUCE_USERNAME and SAUCE_ACCESS_KEY env variables). Skipping SauceLabs testing.
08 06 2016 10:15:36.446:WARN [karma]: No captured browser, open http://localhost:9876/
08 06 2016 10:15:36.453:INFO [karma]: Karma v0.13.22 server started at http://localhost:9876/

Failed builds:
https://travis-ci.org/yahoo/xss-filters/jobs/79610450
https://travis-ci.org/yahoo/xss-filters/jobs/131198435

@adon-at-work

My team and I are getting the below error when we do an npm install on our project that uses xss-filters. Not sure why this is happening, but if anyone has any insight into this, I would greatly appreciate it.

It may be worth noting that we do have a private NPM registry that has pulled this in from the public registry.

Thanks in advance for any assistance.

npm ERR! shasum check failed for /var/folders/9x/3hwlnngj0jn80b_v8bd1crh8392g3z/T/npm-82131-5d9a3836/npm.[private-npm-registry].com/xss-filters/-/xss-filters-1.2.7.tgz
npm ERR! Expected: 59fa1de201f36f2f3470dcac5f58ccc2830b0a9a
npm ERR! Actual:   e3f620eb5b3c5f82928a72c3cda91e52f55a55a7

PS: This only happens with v1.2.7

An interesting issue we encounter when using xss-filters is trying to get url component to stay unchanged.

Say we have an image proxy like https://github.com/atmos/camo, Which takes an url like http://example.org/<digest>?url=<image-url>, where digest is a hmac of image-url and some secret string, so that you can guarantee the url is generated by server.

Now since image-url is user input, you might want to run uriInDoubleQuotedAttr before putting it in the <img src="...">, but I tried doing that and see uriInDoubleQuotedAttr changed the component somehow.

So if we are to generate and filter a flickr image: https://farm1.staticflickr.com/1/106113_be9654002c.jpg

// before filter
https://local.dev/8ed9c616a36997f04e1fde03d7d679c684316b09/?url=https%3A%2F%2Ffarm1.staticflickr.com%2F1%2F106113_be9654002c.jpg&size=400

// after filter
https://local.dev/8ed9c616a36997f04e1fde03d7d679c684316b09/?url=https%253A%252F%252Ffarm1.staticflickr.com%252F1%252F106113_be9654002c.jpg&size=400

Should we apply the filter earlier by making uriComponentInDoubleQuotedAttr when we build the url? It does work but I am not sure if it's the safe thing to do.

PS: https://github.com/yahoo/xss-filters#warnings does the warning mean we shouldn't use this generated url in style="background-image: url(...)"?