Regular expressions still aren’t the right way

[charmander]

I’d appreciate it if you reopened the old issue — it’s more likely that someone notices that way — but here’s another “stripping creates exploit” problem in stripUnsafeAttrs instead of stripUnsafeTags:

<a href= href="javascript:""javascript:anything">Click me!</a>

[charmander]

Interesting! stripComments also still doesn’t strip comments.

[danmactough]

Closed by b35dea0 as XSS-related filtering is delegated to chriso/node-validator.

stripComments also still doesn’t strip comments.

Sure does. If there's something missing, a proper bug report or pull request is welcome.

[charmander]

sanitize.stripComments("<!-- This HTML is <em>commented out</em>. -->")

[charmander]

Congratulations on bringing in another sanitizer, but as this was directed RSS feeds, it’ll be unfortunate if someone ever wants to write about cookies.

On the other hand, security that defeats itself is my favourite kind. There’s still a vulnerability, but I think I have to go report that to node-validator. (I could also not, because regular expressions aren’t the right way to go about this.)

[charmander]

(For reference, it’s validatorjs/validator.js#223.)

[charmander]

node-validator has removed its “XSS sanitizer” because it didn’t work; you should try going with Caja, which almost certainly will. It’ll be faster to boot.