Skip to content
This repository has been archived by the owner on Jul 15, 2019. It is now read-only.
adon edited this page Apr 8, 2015 · 13 revisions

xss-filters API

For all the examples below, we use {{{ }}} to indicate output expression to ease illustrations

inHTMLComment(s) → {string}

Parameters:
Name Type Description
s string

An untrusted user input

Returns:

All NULL characters in s are first replaced with \uFFFD. If s contains -->, --!>, or starts with -*>, insert a space right before > to stop state breaking at <!--{{{yc s}}}. If s ends with --!, --, or -, append a space to stop collaborative state breaking at {{{yc s}}}>, {{{yc s}}}!>, {{{yc s}}}-!>, {{{yc s}}}->. If s contains ]> or ends with ], append a space after ] is verified in IE to stop IE conditional comments.

Type
string
Example
// output context to be applied by this filter.
<!-- {{{inHTMLComment html_comment}}} -->

inHTMLData(s) → {string}

This filter is to be placed in HTML Data context to encode all '<' characters into '&lt;'

Parameters:
Name Type Description
s string

An untrusted user input

Returns:

The string s with '<' encoded as '&lt;'

Type
string
Example
// output context to be applied by this filter.
<div>{{{inHTMLData htmlData}}}</div>

inDoubleQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URI/components, use the more specific uri___InDoubleQuotedAttr filter

This filter is to be placed in HTML Attribute Value (double-quoted) state to encode all single-quote characters into '&"'
Parameters:
Name Type Description
s string

An untrusted user input

Returns:

The string s with any single-quote characters encoded into '&"'.

Type
string
Example
// output context to be applied by this filter.
<input name="firstname" value="{{{inDoubleQuotedAttr firstname}}}" />

inSingleQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URI/components, use the more specific uri___InSingleQuotedAttr filter

This filter is to be placed in HTML Attribute Value (single-quoted) state to encode all single-quote characters into '&''
Parameters:
Name Type Description
s string

An untrusted user input

Returns:

The string s with any single-quote characters encoded into '&'.

Type
string
Example
// output context to be applied by this filter.
<input name='firstname' value='{{{inSingleQuotedAttr firstname}}}' />

inUnQuotedAttr(s) → {string}

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URI/components, use the more specific uri___InUnQuotedAttr filter

Regarding \uFFFD injection, given <input id={{{id}}} name="passwd">,
Rationale 1: our belief is that developers wouldn't expect when id equals an empty string would result in ' name="passwd"' rendered as attribute value, even though this is how HTML5 is specified.
Rationale 2: an empty or all null string (for IE) can effectively alter its immediate subsequent state, we choose \uFFFD to end the unquoted attr state, which therefore will not mess up later contexts.
Rationale 3: Since IE 6, it is verified that NULL chars are stripped.
Reference: https://html.spec.whatwg.org/multipage/syntax.html#attribute-value-(unquoted)-state

Parameters:
Name Type Description
s string

An untrusted user input

Returns:

The string s with any tab, LF, FF, space, and '>' encoded. If the first char is either ' " or `, it is also encoded. If an empty string is encountered, return a NULL character '\u0000'.

Type
string
Example
// output context to be applied by this filter.
<input name="firstname" value={{{inUnQuotedAttr firstname}}} />

uriInHTMLComment(s) → {string}

This filter is to be placed in HTML Comment state for an absolute URI.

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI

Returns:

The string s encoded by window.encodeURI(), and finally inHTMLComment()

Type
string
Example
// output context to be applied by this filter.
<!-- {{{uriInHTMLComment full_uri}}} -->

uriInHTMLData(s) → {string}

This filter is to be placed in HTML Data state for an absolute URI.

Notice: The actual implementation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURI().

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI

Returns:

The string s encoded by window.encodeURI() and then inHTMLData()

Type
string
Example
// output context to be applied by this filter.
<a href="/somewhere">{{{uriInHTMLData full_uri}}}</a>

uriInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for an absolute URI.
The correct order of encoders is thus: first window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI

Returns:

The string s encoded first by window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href="{{{uriInDoubleQuotedAttr full_uri}}}">link</a>

uriInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for an absolute URI.
The correct order of encoders is thus: first window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI

Returns:

The string s encoded first by window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href='{{{uriInSingleQuotedAttr full_uri}}}'>link</a>

uriInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for an absolute URI.
The correct order of encoders is thus: first the built-in encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Notice: This filter is IPv6 friendly by not encoding '[' and ']'.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly an absolute URI

Returns:

The string s encoded first by window.encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href={{{uriInUnQuotedAttr full_uri}}}>link</a>

uriPathInHTMLComment(s) → {string}

This filter is to be placed in HTML Comment state for a URI Path/Query or relative URI.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI

Returns:

The string s encoded by window.encodeURI(), and finally inHTMLComment()

Type
string
Example
// output context to be applied by this filter.
<!-- http://example.com/{{{uriPathInHTMLComment uri_path}}} -->
<!-- http://example.com/?{{{uriQueryInHTMLComment uri_query}}} -->

uriPathInHTMLData(s) → {string}

This filter is to be placed in HTML Data state for a URI Path/Query or relative URI.

Notice: The actual implementation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURI().

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI

Returns:

The string s encoded by window.encodeURI() and then inHTMLData()

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/">http://example.com/{{{uriPathInHTMLData uri_path}}}</a>
<a href="http://example.com/">http://example.com/?{{{uriQueryInHTMLData uri_query}}}</a>

uriPathInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI

Returns:

The string s encoded first by window.encodeURI(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/{{{uriPathInDoubleQuotedAttr uri_path}}}">link</a>
<a href="http://example.com/?{{{uriQueryInDoubleQuotedAttr uri_query}}}">link</a>

uriPathInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI

Returns:

The string s encoded first by window.encodeURI(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href='http://example.com/{{{uriPathInSingleQuotedAttr uri_path}}}'>link</a>
<a href='http://example.com/?{{{uriQueryInSingleQuotedAttr uri_query}}}'>link</a>

uriPathInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for a URI Path/Query or relative URI.
The correct order of encoders is thus: first the built-in encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Path/Query or relative URI

Returns:

The string s encoded first by window.encodeURI(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href=http://example.com/{{{uriPathInUnQuotedAttr uri_path}}}>link</a>
<a href=http://example.com/?{{{uriQueryInUnQuotedAttr uri_query}}}>link</a>

uriQueryInHTMLComment(s) → {string}

This is an alias of uriPathInHTMLComment

uriQueryInHTMLData(s) → {string}

This is an alias of uriPathInHTMLData

uriQueryInDoubleQuotedAttr(s) → {string}

This is an alias of uriPathInDoubleQuotedAttr

uriQueryInSingleQuotedAttr(s) → {string}

This is an alias of uriPathInSingleQuotedAttr

uriQueryInUnQuotedAttr(s) → {string}

This is an alias of uriPathInUnQuotedAttr

uriComponentInHTMLComment(s) → {string}

This filter is to be placed in HTML Comment state for a URI Component.

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component

Returns:

The string s encoded by window.encodeURIComponent(), and finally inHTMLComment()

Type
string
Example
// output context to be applied by this filter.
<!-- http://example.com/?q={{{uriComponentInHTMLComment uri_component}}} -->
<!-- http://example.com/#{{{uriComponentInHTMLComment uri_fragment}}} -->

uriComponentInHTMLData(s) → {string}

This filter is to be placed in HTML Data state for a URI Component.

Notice: The actual implementation skips inHTMLData(), since '<' is already encoded as '%3C' by encodeURIComponent().

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component

Returns:

The string s encoded by window.encodeURIComponent() and then inHTMLData()

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/">http://example.com/?q={{{uriComponentInHTMLData uri_component}}}</a>
<a href="http://example.com/">http://example.com/#{{{uriComponentInHTMLData uri_fragment}}}</a>

uriComponentInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for a URI Component.
The correct order of encoders is thus: first window.encodeURIComponent(), then inDoubleQuotedAttr()

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component

Returns:

The string s encoded first by window.encodeURIComponent(), then inDoubleQuotedAttr()

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/?q={{{uriComponentInDoubleQuotedAttr uri_component}}}">link</a>

uriComponentInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for a URI Component.
The correct order of encoders is thus: first window.encodeURIComponent(), then inSingleQuotedAttr()

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component

Returns:

The string s encoded first by window.encodeURIComponent(), then inSingleQuotedAttr()

Type
string
Example
// output context to be applied by this filter.
<a href='http://example.com/?q={{{uriComponentInSingleQuotedAttr uri_component}}}'>link</a>

uriComponentInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for a URI Component.
The correct order of encoders is thus: first the built-in encodeURIComponent(), then inUnQuotedAttr()

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Component

Returns:

The string s encoded first by window.encodeURIComponent(), then inUnQuotedAttr()

Type
string
Example
// output context to be applied by this filter.
<a href=http://example.com/?q={{{uriComponentInUnQuotedAttr uri_component}}}>link</a>

uriFragmentInHTMLComment(s) → {string}

This is an alias of uriComponentInHTMLComment

uriFragmentInHTMLData(s) → {string}

This is an alias of uriComponentInHTMLData

uriFragmentInDoubleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (double-quoted) state for a URI Fragment.
The correct order of encoders is thus: first window.encodeURIComponent(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Fragment

Returns:

The string s encoded first by window.encodeURIComponent(), then inDoubleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href="http://example.com/#{{{uriFragmentInDoubleQuotedAttr uri_fragment}}}">link</a>

uriFragmentInSingleQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (single-quoted) state for a URI Fragment.
The correct order of encoders is thus: first window.encodeURIComponent(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Fragment

Returns:

The string s encoded first by window.encodeURIComponent(), then inSingleQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href='http://example.com/#{{{uriFragmentInSingleQuotedAttr uri_fragment}}}'>link</a>

uriFragmentInUnQuotedAttr(s) → {string}

This filter is to be placed in HTML Attribute Value (unquoted) state for a URI Fragment.
The correct order of encoders is thus: first the built-in encodeURIComponent(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Parameters:
Name Type Description
s string

An untrusted user input, supposedly a URI Fragment

Returns:

The string s encoded first by window.encodeURIComponent(), then inUnQuotedAttr(), and finally prefix the resulted string with 'x-' if it begins with 'javascript:' or 'vbscript:' that could possibly lead to script execution

Type
string
Example
// output context to be applied by this filter.
<a href=http://example.com/#{{{uriFragmentInUnQuotedAttr uri_fragment}}}>link</a>