This repository has been archived by the owner on Jul 15, 2019. It is now read-only.
adon edited this page Feb 13, 2015 · 13 revisions

xss-filters API

inHTMLComment(s) → {string}

This filter is to be placed in the HTML Comment context to defeat any attempt to close the HTML comment state.

Notice: '-->' and '--!>' are the sequences that close the HTML comment state, and a string that ends with '-', '--', or '--!' also enables closing if the variable is externally suffixed with '->' or '>'. ']>' and a string that ends with ']' are changed to '] >' and '] ' to disable Internet Explorer conditional comments, which are not part of the HTML5 standard.

Parameters:
s (string): An untrusted user input

Returns (string):
The string s with '-->', '--!>', and ']>' replaced with '-- >', '--! >', and '] >' respectively. In addition, a space is appended to any string s that ends with '-', '--', '--!', or ']'.

Example:
// output context to be applied by this filter.
<!-- {{inHTMLComment(html_comment)}} -->
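An added example, not xss-filters' own code: a filter written from the page's description of inHTMLComment(), plus a check showing why the trailing space matters when template text after the variable supplies the '>' or '->'. The inputs are constructed for the example.

```javascript
// Neutralise the two HTML5 comment closers and the IE conditional-comment closer,
// then pad a dangerous tail so an externally appended '>' or '->' cannot finish it.
function inHTMLComment(s) {
  const replaced = String(s)
    .replace(/--!>/g, '--! >')
    .replace(/-->/g, '-- >')
    .replace(/\]>/g, '] >');
  // A tail of '-', '--', '--!' or ']' followed by template text such as '->' or '>'
  // would form '-->', '--!>' or ']>'; a trailing space breaks that adjacency.
  return /(?:-|--!|\])$/.test(replaced) ? replaced + ' ' : replaced;
}

// True when value followed by suffix contains a sequence that ends an HTML comment
// (the two closers the page names; no full tokenizer is needed for this check).
function closesComment(value, suffix) {
  return /-->|--!>/.test(value + suffix);
}

// Constructed inputs, one per rule on the page.
console.log(inHTMLComment('note --> after'));     // note -- > after
console.log(inHTMLComment('note --!> after'));    // note --! > after
console.log(inHTMLComment('[if IE]> ie only'));   // [if IE] > ie only
console.log(JSON.stringify(inHTMLComment('ends with --'))); // "ends with -- "
// Raw tail plus a template '>' closes the comment; the filtered tail does not.
console.log(closesComment('ends with --', '>'));                 // true
console.log(closesComment(inHTMLComment('ends with --'), '>'));  // false
```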

inHTMLData(s) → {string}

This filter is to be placed in the HTML Data context to encode every '<' character as '&lt;'.

Parameters:
s (string): An untrusted user input

Returns (string):
The string s with '<' encoded as '&lt;'.

Example:
// output context to be applied by this filter.
<textarea>{{inHTMLData(html_data)}}</textarea>

inDoubleQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URIs or URI components, use the more specific uri___InDoubleQuotedAttr filter.

This filter is to be placed in the HTML Attribute Value (double-quoted) state to encode every double-quote character as '&quot;'.

Parameters:
s (string): An untrusted user input

Returns (string):
The string s with any double-quote characters encoded as '&quot;'.

Example:
// output context to be applied by this filter.
<input name="firstname" value="{{inDoubleQuotedAttr(firstname)}}" />

inSingleQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URIs or URI components, use the more specific uri___InSingleQuotedAttr filter.

This filter is to be placed in the HTML Attribute Value (single-quoted) state to encode every single-quote character as '&#39;'.

Parameters:
s (string): An untrusted user input

Returns (string):
The string s with any single-quote characters encoded as '&#39;'.

Example:
// output context to be applied by this filter.
<input name='firstname' value='{{inSingleQuotedAttr(firstname)}}' />

inUnQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URIs or URI components, use the more specific uri___InUnQuotedAttr filter.

This filter is to be placed in the HTML Attribute Value (unquoted) state to encode tab, LF, FF, space, and '>' into their equivalent HTML entity representations.

Parameters:
s (string): An untrusted user input

Returns (string):
The string s with any tab, LF, FF, space, and '>' characters encoded.

Example:
// output context to be applied by this filter.
<input name="firstname" value={{inUnQuotedAttr(firstname)}} />
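An added example, not the library's code: the four data/attribute filters above written from the page's descriptions, plus two small models of how a browser ends an attribute value, to show why the filter must match the output context. As the page warns, none of these is meant for onX attributes; the inputs are constructed.

```javascript
function inHTMLData(s)         { return String(s).replace(/</g, '&lt;'); }
function inDoubleQuotedAttr(s) { return String(s).replace(/"/g, '&quot;'); }
function inSingleQuotedAttr(s) { return String(s).replace(/'/g, '&#39;'); }

// An unquoted value ends at tab, LF, FF or space, and '>' ends the whole tag,
// so those five characters are the ones that must become entities.
const UNQUOTED_ENTITIES = { '\t': '&#9;', '\n': '&#10;', '\f': '&#12;', ' ': '&#32;', '>': '&gt;' };
function inUnQuotedAttr(s) {
  return String(s).replace(/[\t\n\f >]/g, function (c) { return UNQUOTED_ENTITIES[c]; });
}

// Minimal models of the HTML5 tokenizer's attribute-value states: return the part
// of s the browser keeps as the value before the delimiter ends it.
function doubleQuotedAttrValue(s) { return /^[^"]*/.exec(s)[0]; }
function unquotedAttrValue(s)     { return /^[^\t\n\f >]*/.exec(s)[0]; }

// The same text goes through the filter for one context and is then read back
// as if it had been placed in another.
function contextMismatchDemo() {
  return {
    // Right filter for the right context: the whole value survives.
    unquotedOk:  unquotedAttrValue(inUnQuotedAttr('red blue')),          // 'red&#32;blue'
    // Double-quoted filter in an unquoted context: the value stops at the space
    // and 'blue' would be parsed as a new attribute name.
    unquotedBad: unquotedAttrValue(inDoubleQuotedAttr('red blue')),      // 'red'
    doubleOk:    doubleQuotedAttrValue(inDoubleQuotedAttr('say "hi"')),  // 'say &quot;hi&quot;'
    // Single-quoted filter in a double-quoted context: the first '"' ends the value.
    doubleBad:   doubleQuotedAttrValue(inSingleQuotedAttr('say "hi"')),  // 'say '
  };
}

console.log(contextMismatchDemo());
```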

uriInHTMLComment(s) → {string}

This filter is to be placed in the HTML Comment state for an absolute URI.

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
s (string): An untrusted user input, supposedly an absolute URI

Returns (string):
The string s encoded by window.encodeURI() and then by inHTMLComment().

Example:
// output context to be applied by this filter.
<!-- {{uriInHTMLComment(full_uri)}} -->

uriInHTMLData(s) → {string}

This filter is to be placed in the HTML Data state for an absolute URI.

Notice: The actual implementation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURI().

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
s (string): An untrusted user input, supposedly an absolute URI

Returns (string):
The string s encoded by window.encodeURI() and then by inHTMLData().

Example:
// output context to be applied by this filter.
<a href="/somewhere">{{uriInHTMLData(full_uri)}}</a>

uriInDoubleQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (double-quoted) state for an absolute URI.
The correct order of encoders is thus: first window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulting string with 'x-' if it begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
s (string): An untrusted user input, supposedly an absolute URI

Returns (string):
The string s encoded first by window.encodeURI(), then by inDoubleQuotedAttr(), and finally prefixed with 'x-' if the result begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Example:
// output context to be applied by this filter.
<a href="{{uriInDoubleQuotedAttr(full_uri)}}">link</a>

uriInSingleQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (single-quoted) state for an absolute URI.
The correct order of encoders is thus: first window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulting string with 'x-' if it begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
s (string): An untrusted user input, supposedly an absolute URI

Returns (string):
The string s encoded first by window.encodeURI(), then by inSingleQuotedAttr(), and finally prefixed with 'x-' if the result begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Example:
// output context to be applied by this filter.
<a href='{{uriInSingleQuotedAttr(full_uri)}}'>link</a>

uriInUnQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (unquoted) state for an absolute URI.
The correct order of encoders is thus: first the built-in encodeURI(), then inUnQuotedAttr(), and finally prefix the resulting string with 'x-' if it begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
s (string): An untrusted user input, supposedly an absolute URI

Returns (string):
The string s encoded first by window.encodeURI(), then by inUnQuotedAttr(), and finally prefixed with 'x-' if the result begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Example:
// output context to be applied by this filter.
<a href={{uriInUnQuotedAttr(full_uri)}}>link</a>

uriPathInHTMLComment(s) → {string}

This filter is to be placed in the HTML Comment state for a URI Path/Query or relative URI.

Parameters:
s (string): An untrusted user input, supposedly a URI Path/Query or relative URI

Returns (string):
The string s encoded by window.encodeURI() and then by inHTMLComment().

Example:
// output context to be applied by this filter.
<!-- http://example.com/{{uriPathInHTMLComment(uri_path)}} -->
<!-- http://example.com/?{{uriQueryInHTMLComment(uri_query)}} -->

uriPathInHTMLData(s) → {string}

This filter is to be placed in the HTML Data state for a URI Path/Query or relative URI.

Notice: The actual implementation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURI().

Parameters:
s (string): An untrusted user input, supposedly a URI Path/Query or relative URI

Returns (string):
The string s encoded by window.encodeURI() and then by inHTMLData().

Example:
// output context to be applied by this filter.
<a href="http://example.com/">http://example.com/{{uriPathInHTMLData(uri_path)}}</a>
<a href="http://example.com/">http://example.com/?{{uriQueryInHTMLData(uri_query)}}</a>

uriPathInDoubleQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (double-quoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulting string with 'x-' if it begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Parameters:
s (string): An untrusted user input, supposedly a URI Path/Query or relative URI

Returns (string):
The string s encoded first by window.encodeURI(), then by inDoubleQuotedAttr(), and finally prefixed with 'x-' if the result begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Example:
// output context to be applied by this filter.
<a href="http://example.com/{{uriPathInDoubleQuotedAttr(uri_path)}}">link</a>
<a href="http://example.com/?{{uriQueryInDoubleQuotedAttr(uri_query)}}">link</a>

uriPathInSingleQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (single-quoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulting string with 'x-' if it begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Parameters:
s (string): An untrusted user input, supposedly a URI Path/Query or relative URI

Returns (string):
The string s encoded first by window.encodeURI(), then by inSingleQuotedAttr(), and finally prefixed with 'x-' if the result begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Example:
// output context to be applied by this filter.
<a href='http://example.com/{{uriPathInSingleQuotedAttr(uri_path)}}'>link</a>
<a href='http://example.com/?{{uriQueryInSingleQuotedAttr(uri_query)}}'>link</a>

uriPathInUnQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (unquoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first the built-in encodeURI(), then inUnQuotedAttr(), and finally prefix the resulting string with 'x-' if it begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Parameters:
s (string): An untrusted user input, supposedly a URI Path/Query or relative URI

Returns (string):
The string s encoded first by window.encodeURI(), then by inUnQuotedAttr(), and finally prefixed with 'x-' if the result begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Example:
// output context to be applied by this filter.
<a href=http://example.com/{{uriPathInUnQuotedAttr(uri_path)}}>link</a>
<a href=http://example.com/?{{uriQueryInUnQuotedAttr(uri_query)}}>link</a>

uriQueryInHTMLComment()

This is an alias of uriPathInHTMLComment

uriQueryInHTMLData()

This is an alias of uriPathInHTMLData

uriQueryInDoubleQuotedAttr()

This is an alias of uriPathInDoubleQuotedAttr

uriQueryInSingleQuotedAttr()

This is an alias of uriPathInSingleQuotedAttr

uriQueryInUnQuotedAttr()

This is an alias of uriPathInUnQuotedAttr

uriComponentInHTMLComment(s) → {string}

This filter is to be placed in the HTML Comment state for a URI Component.

Parameters:
s (string): An untrusted user input, supposedly a URI Component

Returns (string):
The string s encoded by window.encodeURIComponent() and then by inHTMLComment().

Example:
// output context to be applied by this filter.
<!-- http://example.com/?q={{uriComponentInHTMLComment(uri_component)}} -->
<!-- http://example.com/#{{uriComponentInHTMLComment(uri_fragment)}} -->

uriComponentInHTMLData(s) → {string}

This filter is to be placed in the HTML Data state for a URI Component.

Notice: The actual implementation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURIComponent().

Parameters:
s (string): An untrusted user input, supposedly a URI Component

Returns (string):
The string s encoded by window.encodeURIComponent() and then by inHTMLData().

Example:
// output context to be applied by this filter.
<a href="http://example.com/">http://example.com/?q={{uriComponentInHTMLData(uri_component)}}</a>
<a href="http://example.com/">http://example.com/#{{uriComponentInHTMLData(uri_fragment)}}</a>

uriComponentInDoubleQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (double-quoted) state for a URI Component.
The correct order of encoders is thus: first window.encodeURIComponent(), then inDoubleQuotedAttr().

Parameters:
s (string): An untrusted user input, supposedly a URI Component

Returns (string):
The string s encoded first by window.encodeURIComponent(), then by inDoubleQuotedAttr().

Example:
// output context to be applied by this filter.
<a href="http://example.com/?q={{uriComponentInDoubleQuotedAttr(uri_component)}}">link</a>

uriComponentInSingleQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (single-quoted) state for a URI Component.
The correct order of encoders is thus: first window.encodeURIComponent(), then inSingleQuotedAttr().

Parameters:
s (string): An untrusted user input, supposedly a URI Component

Returns (string):
The string s encoded first by window.encodeURIComponent(), then by inSingleQuotedAttr().

Example:
// output context to be applied by this filter.
<a href='http://example.com/?q={{uriComponentInSingleQuotedAttr(uri_component)}}'>link</a>

uriComponentInUnQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (unquoted) state for a URI Component.
The correct order of encoders is thus: first the built-in encodeURIComponent(), then inUnQuotedAttr().

Parameters:
s (string): An untrusted user input, supposedly a URI Component

Returns (string):
The string s encoded first by window.encodeURIComponent(), then by inUnQuotedAttr().

Example:
// output context to be applied by this filter.
<a href=http://example.com/?q={{uriComponentInUnQuotedAttr(uri_component)}}>link</a>
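An added example, not the library's code, for the uriComponent* filters above: why the page pairs a URI component with encodeURIComponent() while whole URIs and paths get encodeURI(), and why the uriComponent* recipe has no 'x-' step. The query-string splitter and the sample value are constructed for the example.

```javascript
function inDoubleQuotedAttr(s) { return String(s).replace(/"/g, '&quot;'); }

// The page's recipe for uriComponentInDoubleQuotedAttr(): component encoder first,
// then the attribute encoder.
function uriComponentInDoubleQuotedAttr(s) {
  return inDoubleQuotedAttr(encodeURIComponent(String(s)));
}

// Names of the query parameters a server would see in url (fragment excluded);
// a deliberately small model of query parsing.
function queryParamNames(url) {
  const afterQ = url.split('?')[1] || '';
  const query = afterQ.split('#')[0];
  return query === '' ? [] : query.split('&').map(function (p) { return p.split('=')[0]; });
}

// Constructed value destined for ONE query parameter. It contains the three
// characters that encodeURI() leaves alone because they are URI delimiters.
const ONE_VALUE = 'blue&size=large#top';

function compareEncoders() {
  const asComponent = 'http://example.com/?q=' + uriComponentInDoubleQuotedAttr(ONE_VALUE);
  const asWholeUri  = 'http://example.com/?q=' + encodeURI(ONE_VALUE);
  return {
    component: queryParamNames(asComponent).join(','), // 'q' (one parameter, as intended)
    wholeUri:  queryParamNames(asWholeUri).join(','),  // 'q,size' (the value was split)
  };
}

// With encodeURIComponent() the ':' of a scheme becomes %3A, so the result can
// never begin with 'javascript:' or 'vbscript:'; that is why the page lists no
// 'x-' step for the uriComponent* filters.
function schemeAfterComponentEncoding() {
  return encodeURIComponent('javascript:void(0)');   // 'javascript%3Avoid(0)'
}

console.log(compareEncoders(), schemeAfterComponentEncoding());
```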

uriFragmentInHTMLComment()

This is an alias of uriComponentInHTMLComment

uriFragmentInHTMLData()

This is an alias of uriComponentInHTMLData

uriFragmentInDoubleQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (double-quoted) state for a URI Fragment.
The correct order of encoders is thus: first window.encodeURIComponent(), then inDoubleQuotedAttr(), and finally prefix the resulting string with 'x-' if it begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Parameters:
s (string): An untrusted user input, supposedly a URI Fragment

Returns (string):
The string s encoded first by window.encodeURIComponent(), then by inDoubleQuotedAttr(), and finally prefixed with 'x-' if the result begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Example:
// output context to be applied by this filter.
<a href="http://example.com/#{{uriFragmentInDoubleQuotedAttr(uri_fragment)}}">link</a>

uriFragmentInSingleQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (single-quoted) state for a URI Fragment.
The correct order of encoders is thus: first window.encodeURIComponent(), then inSingleQuotedAttr(), and finally prefix the resulting string with 'x-' if it begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Parameters:
s (string): An untrusted user input, supposedly a URI Fragment

Returns (string):
The string s encoded first by window.encodeURIComponent(), then by inSingleQuotedAttr(), and finally prefixed with 'x-' if the result begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Example:
// output context to be applied by this filter.
<a href='http://example.com/#{{uriFragmentInSingleQuotedAttr(uri_fragment)}}'>link</a>

uriFragmentInUnQuotedAttr(s) → {string}

This filter is to be placed in the HTML Attribute Value (unquoted) state for a URI Fragment.
The correct order of encoders is thus: first the built-in encodeURIComponent(), then inUnQuotedAttr(), and finally prefix the resulting string with 'x-' if it begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Parameters:
s (string): An untrusted user input, supposedly a URI Fragment

Returns (string):
The string s encoded first by window.encodeURIComponent(), then by inUnQuotedAttr(), and finally prefixed with 'x-' if the result begins with 'javascript:' or 'vbscript:', either of which could lead to script execution.

Example:
// output context to be applied by this filter.
<a href=http://example.com/#{{uriFragmentInUnQuotedAttr(uri_fragment)}}>link</a>
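An added example, not the xss-filters implementation: the three-step recipe the page gives for the uriIn*, uriPath* and uriFragment* attribute filters, written out for the double-quoted case so each step can be inspected. Two assumptions are mine: IPv6-friendliness is modelled by restoring '[' and ']' after encodeURI(), and the scheme test is case-insensitive, as browsers read schemes.

```javascript
// Step 1 for absolute URIs and paths: encodeURI() keeps delimiters such as
// ':' '/' '?' '#' '&' '=' but turns '[' and ']' into %5B/%5D, which would break
// an IPv6 host like [::1]; restoring them models the page's IPv6-friendly note.
function encodeFullURI(s) {
  return encodeURI(String(s)).replace(/%5B/g, '[').replace(/%5D/g, ']');
}

// Step 2: the double-quoted attribute encoder described earlier on the page.
// After step 1 every '"' is already %22, so this step is defence in depth.
function inDoubleQuotedAttr(s) {
  return String(s).replace(/"/g, '&quot;');
}

// Step 3: a result starting with a script scheme gets an 'x-' prefix, turning it
// into an unknown scheme the browser will not execute. Tabs, newlines and spaces
// inside the scheme are already %09/%0A/%20 after step 1, so only case needs care
// (assumption: case-insensitive match).
function prefixIfScriptScheme(s) {
  return /^(?:javascript|vbscript):/i.test(s) ? 'x-' + s : s;
}

function uriInDoubleQuotedAttr(s) {
  return prefixIfScriptScheme(inDoubleQuotedAttr(encodeFullURI(s)));
}

// The fragment variant uses encodeURIComponent() for step 1, as the page states;
// ':' becomes %3A there, so step 3 never fires for a fragment.
function uriFragmentInDoubleQuotedAttr(s) {
  return prefixIfScriptScheme(inDoubleQuotedAttr(encodeURIComponent(String(s))));
}

// Constructed inputs, each exercising one step of the recipe.
function demo() {
  return {
    ipv6:     uriInDoubleQuotedAttr('http://[::1]:8080/a b'),      // http://[::1]:8080/a%20b
    quotes:   uriInDoubleQuotedAttr('http://example.com/?q="x"'),  // http://example.com/?q=%22x%22
    scheme:   uriInDoubleQuotedAttr('JavaScript:void(0)'),         // x-JavaScript:void(0)
    fragment: uriFragmentInDoubleQuotedAttr('javascript:void(0)'), // javascript%3Avoid(0)
  };
}

console.log(demo());
```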