-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add escapeHtml option to XssValidator #377
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Hey @Morgbn Great to have you here! Thanks for the pull request. I will review it in upcoming days :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One question as I am not sure
import { defineEventHandler, createError, getQuery, readBody, getRouteRules } from '#imports' | ||
|
||
export default defineEventHandler(async (event) => { | ||
const { security } = getRouteRules(event) | ||
|
||
if (security?.xssValidator) { | ||
const xssValidator = new FilterXSS(security.xssValidator) | ||
const filterOpt: IFilterXSSOptions = { ...security.xssValidator, escapeHtml: undefined } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: What if user passes escapeHtml
in xssValidator
? Wouldn't this line overwrite it automatically to undefined?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @Baroshem !
Yes, it removes escapeHtml: boolean
that not compatible with escapeHtml?: EscapeHandler
(def)
If security.xssValidator.escapeHtml
is false, the escapeHtml is set as a function that returns its input directly (which doesn't escapes ">" & "<")
if it's true or undefined, the default function will be used by js-xss (which escapes ">" & "<")
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, makes sense!
Thanks for clarification :)
resolves #206
Types of changes
Description
js-xss has
escapeHtml
option, by default<
is replaced by<
and>
by>
This pull request allows dev to easily disable this feature
Checklist:
To test
Before this fail:
Now, if
xssValidator.escapeHtml
is set to false it works