Skip to content
This repository has been archived by the owner on Jul 15, 2019. It is now read-only.

Home

Jump to bottom
adon edited this page Feb 13, 2015 · 13 revisions

xss-filters API

For all the examples below, we use {{{ }}} to indicate output expression to ease illustrations

inHTMLComment(s) → {string}

This filter is to be placed in HTML Comment context to disable any attempts in closing the html comment state

Notice: --> and --!> are the syntaxes to close html comment state, while string that ends with -, --, or --! will also enable state closing if the variable is externally suffixed with -> or >. ']>' and string that ends with ']' are changed to '] >' and '] ' to disable Internet Explorer conditional comments, which are actually not part of the HTML 5 standard.

Parameters:
Name Type Description
s string

An untrusted user input
Returns:

The string s with '-->', '--!>', ']>' respectively replaced with '-- >', '--! >', '] >'. In addition, a space is appened to those string s that ends with '-', '--', '--!', and ']'.

Type
string
Example
// output context to be applied by this filter.
<!-- {{{inHTMLComment html_comment}}} -->

inHTMLData(s) → {string}

This filter is to be placed in HTML Data context to encode all '<' characters into '&lt;'

Parameters:
Name Type Description
s string

An untrusted user input
Returns:

The string s with '<' encoded as '&lt;'

Type
string
Example
// output context to be applied by this filter.
<textarea>{{{inHTMLData html_data}}}</textarea>

inDoubleQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attribtues!

Warning: If you're working on URI/components, use the more specific uri___InDoubleQuotedAttr filter

This filter is to be placed in HTML Attribute Value (double-quoted) state to encode all single-quote characters into '&"'
Parameters:
Name Type Description
s string

An untrusted user input
Returns:

The string s with any single-quote characters encoded into '&"'.

Type
string
Example
// output context to be applied by this filter.
<input name="firstname" value="{{{inDoubleQuotedAttr firstname}}}" />

inSingleQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attribtues!

Warning: If you're working on URI/components, use the more specific uri___InSingleQuotedAttr filter

This filter is to be placed in HTML Attribute Value (single-quoted) state to encode all single-quote characters into '&''
Parameters:
Name Type Description
s string

An untrusted user input
Returns:

The string s with any single-quote characters encoded into '&''.

Type
string
Example
// output context to be applied by this filter.
<input name='firstname' value='{{{inSingleQuotedAttr firstname}}}' />

inUnQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attribtues!

Warning: If you're working on URI/components, use the more specific uri___InUnQuotedAttr filter

This filter is to be placed in HTML Attribute Value (unquoted) state to encode tab, LF, FF, space, and '>' into their equivalent HTML entity representations.
Parameters:
Name Type Description
s string

An untrusted user input
Returns:

The string s with any tab, LF, FF, space, and '>' encoded.

Type
string
Example
// output context to be applied by this filter.
<input name="firstname" value={{{inUnQuotedAttr firstname}}} />

uriInHTMLComment(s) → {string}

This filter is to be placed in HTML Comment state for an absolute URI.

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded by window.encodeURI(), and finally inHTMLComment()

Type
string
Example
// output context to be applied by this filter.
<!-- {{{uriInHTMLComment full_uri}}} -->

uriInHTMLData(s) → {string}

This filter is to be placed in HTML Data state for an absolute URI.

Notice: The actual implmentation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURI().

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded by window.encodeURI() and then inHTMLData()

Type
string
Example
// output context to be applied by this filter.
<a href="/somewhere">{{{uriInHTMLData full_uri}}}</a>

uriInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for an absolute URI.
The correct order of encoders is thus: first window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded first by window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href="{{{uriInDoubleQuotedAttr full_uri}}}">link</a>

uriInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for an absolute URI.
The correct order of encoders is thus: first window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded first by window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href='{{{uriInSingleQuotedAttr full_uri}}}'>link</a>

uriInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for an absolute URI.
The correct order of encoders is thus: first the built-in encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI
Returns:

The string s encoded first by window.encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href={{{uriInUnQuotedAttr full_uri}}}>link</a>

uriPathInHTMLComment(s) → {string}

This filter is to be placed in HTML Comment state for a URI Path/Query or relative URI.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded by window.encodeURI(), and finally inHTMLComment()

Type
string
Example
// output context to be applied by this filter.
<!-- http://example.com/{{{uriPathInHTMLComment uri_path}}} -->
<!-- http://example.com/?{{{uriQueryInHTMLComment uri_query}}} -->

uriPathInHTMLData(s) → {string}

This filter is to be placed in HTML Data state for a URI Path/Query or relative URI.

Notice: The actual implmentation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURI().

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded by window.encodeURI() and then inHTMLData()

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/">http://example.com/{{{uriPathInHTMLData uri_path}}}</a>
<a href="http://example.com/">http://example.com/?{{{uriQueryInHTMLData uri_query}}}</a>

uriPathInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded first by window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/{{{uriPathInDoubleQuotedAttr uri_path}}}">link</a>
<a href="http://example.com/?{{{uriQueryInDoubleQuotedAttr uri_query}}}">link</a>

uriPathInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded first by window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href='http://example.com/{{{uriPathInSingleQuotedAttr uri_path}}}'>link</a>
<a href='http://example.com/?{{{uriQueryInSingleQuotedAttr uri_query}}}'>link</a>

uriPathInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first the built-in encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI
Returns:

The string s encoded first by window.encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href=http://example.com/{{{uriPathInUnQuotedAttr uri_path}}}>link</a>
<a href=http://example.com/?{{{uriQueryInUnQuotedAttr uri_query}}}>link</a>

uriQueryInHTMLComment(s) → {string}

This is an alias of uriPathInHTMLComment

uriQueryInHTMLData(s) → {string}

This is an alias of uriPathInHTMLData

uriQueryInDoubleQuotedAttr(s) → {string}

This is an alias of uriPathInDoubleQuotedAttr

uriQueryInSingleQuotedAttr(s) → {string}

This is an alias of uriPathInSingleQuotedAttr

uriQueryInUnQuotedAttr(s) → {string}

This is an alias of uriPathInUnQuotedAttr

uriComponentInHTMLComment(s) → {string}

This filter is to be placed in HTML Comment state for a URI Component.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded by window.encodeURIComponent(), and finally inHTMLComment()

Type
string
Example
// output context to be applied by this filter.
<!-- http://example.com/?q={{{uriComponentInHTMLComment uri_component}}} -->
<!-- http://example.com/#{{{uriComponentInHTMLComment uri_fragment}}} -->

uriComponentInHTMLData(s) → {string}

This filter is to be placed in HTML Data state for a URI Component.

Notice: The actual implmentation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURIComponent().

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded by window.encodeURIComponent() and then inHTMLData()

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/">http://example.com/?q={{{uriComponentInHTMLData uri_component}}}</a>
<a href="http://example.com/">http://example.com/#{{{uriComponentInHTMLData uri_fragment}}}</a>

uriComponentInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for a URI Component.
The correct order of encoders is thus: first window.encodeURIComponent(), then inDoubleQuotedAttr()

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded first by window.encodeURIComponent(), then inDoubleQuotedAttr()

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/?q={{{uriComponentInDoubleQuotedAttr uri_component}}}">link</a>

uriComponentInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for a URI Component.
The correct order of encoders is thus: first window.encodeURIComponent(), then inSingleQuotedAttr()

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded first by window.encodeURIComponent(), then inSingleQuotedAttr()

Type
string
Example
// output context to be applied by this filter.
<a href='http://example.com/?q={{{uriComponentInSingleQuotedAttr uri_component}}}'>link</a>

uriComponentInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for a URI Component.
The correct order of encoders is thus: first the built-in encodeURIComponent(), then inUnQuotedAttr()

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component
Returns:

The string s encoded first by window.encodeURIComponent(), then inUnQuotedAttr()

Type
string
Example
// output context to be applied by this filter.
<a href=http://example.com/?q={{{uriComponentInUnQuotedAttr uri_component}}}>link</a>

uriFragmentInHTMLComment(s) → {string}

This is an alias of uriComponentInHTMLComment

uriFragmentInHTMLData(s) → {string}

This is an alias of uriComponentInHTMLData

uriFragmentInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for a URI Fragment.
The correct order of encoders is thus: first window.encodeURIComponent(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Fragment
Returns:

The string s encoded first by window.encodeURIComponent(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/#{{{uriFragmentInDoubleQuotedAttr uri_fragment}}}">link</a>

uriFragmentInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for a URI Fragment.
The correct order of encoders is thus: first window.encodeURIComponent(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Fragment
Returns:

The string s encoded first by window.encodeURIComponent(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href='http://example.com/#{{{uriFragmentInSingleQuotedAttr uri_fragment}}}'>link</a>

uriFragmentInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for a URI Fragment.
The correct order of encoders is thus: first the built-in encodeURIComponent(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Fragment
Returns:

The string s encoded first by window.encodeURIComponent(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href=http://example.com/#{{{uriFragmentInUnQuotedAttr uri_fragment}}}>link</a>

API

Clone this wiki locally