Implemented stripTags() function

panzerdp · Dec 27, 2016 · e4ef917 · e4ef917
1 parent d1b00ff
commit e4ef917
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 22 deletions.
diff --git a/package.json b/package.json
@@ -20,7 +20,8 @@
     "escape",
     "word",
     "wrap",
-    "case"
+    "case",
+    "strip"
   ],
   "repository": {
     "type": "git",
@@ -45,7 +46,8 @@
     "report-coverage": "cat ./coverage/lcov.info | codecov",
     "verify": "npm run eslint && npm run coverage",
     "jsdoc": "jsdoc --configure .jsdoc.json",
-    "deploy": "rollup -c config/rollup_dist.js && cp dist/voca.js docs/scripts && scp -r docs/* rainishere:/home/rainishere/webapps/voca_docs"
+    "deploy": "rollup -c config/rollup_dist.js && cp dist/voca.js docs/scripts && scp -r docs/* rainishere:/home/rainishere/webapps/voca_docs",
+    "precommit": "npm run eslint && npm run test"
   },
   "devDependencies": {
     "babel-cli": "6.18.0",
@@ -65,11 +67,11 @@
     "chai": "3.5.0",
     "codecov.io": "0.1.6",
     "eslint": "3.12.2",
-    "ghooks": "2.0.0",
     "glob": "7.1.1",
     "grunt": "1.0.1",
     "grunt-contrib-connect": "1.0.2",
     "grunt-saucelabs": "9.0.0",
+    "husky": "0.12.0",
     "istanbul": "1.1.0-alpha.1",
     "jsdoc": "3.4.3",
     "mkdirp": "0.5.1",
@@ -79,10 +81,5 @@
     "rollup-plugin-uglify": "1.0.1",
     "source-map-support": "0.4.8"
   },
-  "dependencies": {},
-  "config": {
-    "ghooks": {
-      "pre-commit": "npm run eslint && npm run test"
-    }
-  }
-}
+  "dependencies": {}
+}
diff --git a/src/strip/strip_tags.js b/src/strip/strip_tags.js
@@ -15,16 +15,20 @@ const STATE_COMMENT = 3;
  * @static
  * @since 1.1.0
  * @memberOf Strip
- * @param {string} [subject=''] The string to strip.
- * @param {string|Array} [allowableTags] The string or array of tags that should not be stripped.
+ * @param {string} [subject=''] The string to strip from.
+ * @param {string|Array} [allowableTags] The string `'<tag1><tag2>'` or array `['tag1', 'tag2']` of tags that should not be stripped.
  * @param {string} [replacement=''] The string to replace the stripped tag.
  * @return {string} Returns the stripped string.
  * @example
- * v.trim(' Mother nature ');
- * // => 'Mother nature'
  *
- * v.trim('--Earth--', '-');
- * // => 'Earth'
+ * v.stripTags('<span><a href="#">Summer</a> is nice</span>');
+ * // => 'Summer is nice'
+ *
+ * v.stripTags('<span><i>Winter</i> is <b>cold</b></span>', ['b', 'i']);
+ * // => '<i>Winter</i> is <b>cold</b>'
+ *
+ * v.stripTags('Sun<br/>set', '', '-');
+ * // => 'Sun-set'
  */
 export default function trim(subject, allowableTags, replacement) {
   subject = coerceToString(subject);
@@ -116,10 +120,12 @@ export default function trim(subject, allowableTags, replacement) {
             const tagName = parseTagName(tagContent);
             if (allowableTags.indexOf(tagName.toLowerCase()) !== -1) {
               output += tagContent;
+            } else {
+              output += replacementString;
             }
             tagContent = '';
           } else {
-            tagContent += replacementString;
+            output += replacementString;
           }
           break;
         }

diff --git a/test/strip/strip_tags.js b/test/strip/strip_tags.js
@@ -14,6 +14,30 @@ describe('stripTags', function() {
     expect(v.stripTags('<html><b>hello</b><p>world</p></html>')).to.be.equal('helloworld');
   });
 
+  it('should strip potential xss tags', function() {
+    /**
+     * @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
+     */
+    expect(v.stripTags('<script>evil();</script>')).to.be.equal('evil();');
+    expect(v.stripTags('<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>')).to.be.equal('');
+    expect(v.stripTags('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>')).to.be.equal('');
+    expect(v.stripTags('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>')).to.be.equal('');
+    expect(v.stripTags('<<SCRIPT>alert("XSS");//<</SCRIPT>')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT SRC=http://xss.rocks/xss.js?< B >')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT SRC=//xss.rocks/.j>')).to.be.equal('');
+    expect(v.stripTags('<IMG SRC="javascript:alert(\'XSS\')"')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT>')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT =">" SRC="httx://xss.rocks/xss.js"></SCRIPT>')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT a=">" \'\' SRC="httx://xss.rocks/xss.js"></SCRIPT>')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT "a=\'>\'" SRC="httx://xss.rocks/xss.js"></SCRIPT>')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT a=`>` SRC="httx://xss.rocks/xss.js"></SCRIPT>')).to.be.equal('` SRC="httx://xss.rocks/xss.js">');
+    expect(v.stripTags('<SCRIPT a=">\'>" SRC="httx://xss.rocks/xss.js"></SCRIPT>')).to.be.equal('');
+    expect(v.stripTags('<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="httx://xss.rocks/xss.js"></SCRIPT>')).to.be.equal('document.write("');
+
+  });
+
   it('should strip tags which attributes contain < or > ', function() {
     const helloWorld = 'hello  world';
     expect(v.stripTags('hello <img title="<"> world')).to.be.equal(helloWorld);
@@ -24,11 +48,7 @@ describe('stripTags', function() {
   });
 
   it('should strip tags on multiple lines', function() {
-    const multilineHtml =
-`<html>This's a string with quotes:</html>
-"strings in double quote";
-'strings in single quote';
-<html>this\line is single quoted /with\slashes </html>`;
+    const multilineHtml = '<html>This\'s a string with quotes:</html>\n"strings in double quote";\n\'strings in single quote\';\n<html>this\line is single quoted /with\slashes </html>';
     expect(v.stripTags(multilineHtml, '<html>')).to.be.equal(multilineHtml);
   });
 
@@ -59,6 +79,14 @@ describe('stripTags', function() {
     expect(v.stripTags('')).to.be.equal('');
   });
 
+  it('should add instead of stripped tags a special string', function() {
+    expect(v.stripTags('<li><b><a href="#" title="Title">Recently improved articles</a></b></li>', '', '*'))
+      .to.be.equal('***Recently improved articles***');
+    expect(v.stripTags('<b>Hello</b><i>World</i>', '<a>', ' ')).to.be.equal(' Hello  World ');
+    expect(v.stripTags('Line<br/>break', ['i'], ' ')).to.be.equal('Line break');
+  });
+
+
   it('should treat especially broken or invalid tags', function() {
     expect(v.stripTags('< html >')).to.be.equal('< html >');
     expect(v.stripTags('<<>>')).to.be.equal('');
@@ -72,6 +100,12 @@ describe('stripTags', function() {
   });
 
   it('should strip tags from a string representation of an object', function() {
+    expect(v.stripTags('<a href="#">Hello</a>')).to.equal('Hello');
+    expect(v.stripTags({
+      toString: function() {
+        return '<a href="#">Hello</a>';
+      }
+    }, '<a>')).to.equal('<a href="#">Hello</a>');
   });
 
   it('should return empty string for null or undefined', function() {