Improved XXS

2026-04-27 10:32:11 +02:00
parent 25975eb89a
commit a65219759d
7 changed files with 29 additions and 19 deletions
--- a/dist/sigpro.esm.js
+++ b/dist/sigpro.esm.js
@@ -244,7 +244,8 @@ var cleanupNode = (node) => {
    node.childNodes.forEach((n) => cleanupNode(n));
 };
 var DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i;
-var isDangerousAttr = (key) => key === "src" || key === "href" || key.startsWith("on");
+var DANGEROUS_URI_ATTRS = new Set(["src", "href", "formaction", "action", "background", "code", "archive"]);
 var isDangerousAttr = (key) => DANGEROUS_URI_ATTRS.has(key) || key.startsWith("on");
 var validateAttr = (key, val) => {
  if (val == null || val === false)
    return null;
@@ -298,8 +299,9 @@ var h = (tag, props = {}, children = []) => {
      continue;
    }
    if (isSVG && k.startsWith("xlink:")) {
-      const ns = "http://www.w3.org/1999/xlink";
+      const cleanVal = validateAttr(k.slice(6), v);
-      v == null ? el.removeAttributeNS(ns, k.slice(6)) : el.setAttributeNS(ns, k.slice(6), v);
+      let lnk = "http://www.w3.org/1999/xlink";
      cleanVal == null ? el.removeAttributeNS(lnk, k.slice(6)) : el.setAttributeNS(lnk, k.slice(6), cleanVal);
      continue;
    }
    if (k.startsWith("on")) {
--- a/dist/sigpro.esm.min.js
+++ b/dist/sigpro.esm.min.js
--- a/dist/sigpro.js
+++ b/dist/sigpro.js
@@ -300,7 +300,8 @@
      node.childNodes.forEach((n) => cleanupNode(n));
  };
  var DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i;
-  var isDangerousAttr = (key) => key === "src" || key === "href" || key.startsWith("on");
+  var DANGEROUS_URI_ATTRS = new Set(["src", "href", "formaction", "action", "background", "code", "archive"]);
  var isDangerousAttr = (key) => DANGEROUS_URI_ATTRS.has(key) || key.startsWith("on");
  var validateAttr = (key, val) => {
    if (val == null || val === false)
      return null;
@@ -354,8 +355,9 @@
        continue;
      }
      if (isSVG && k.startsWith("xlink:")) {
-        const ns = "http://www.w3.org/1999/xlink";
+        const cleanVal = validateAttr(k.slice(6), v);
-        v == null ? el.removeAttributeNS(ns, k.slice(6)) : el.setAttributeNS(ns, k.slice(6), v);
+        let lnk = "http://www.w3.org/1999/xlink";
        cleanVal == null ? el.removeAttributeNS(lnk, k.slice(6)) : el.setAttributeNS(lnk, k.slice(6), cleanVal);
        continue;
      }
      if (k.startsWith("on")) {
--- a/dist/sigpro.min.js
+++ b/dist/sigpro.min.js
--- a/docs/sigpro.js
+++ b/docs/sigpro.js
@@ -300,7 +300,8 @@
      node.childNodes.forEach((n) => cleanupNode(n));
  };
  var DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i;
-  var isDangerousAttr = (key) => key === "src" || key === "href" || key.startsWith("on");
+  var DANGEROUS_URI_ATTRS = new Set(["src", "href", "formaction", "action", "background", "code", "archive"]);
  var isDangerousAttr = (key) => DANGEROUS_URI_ATTRS.has(key) || key.startsWith("on");
  var validateAttr = (key, val) => {
    if (val == null || val === false)
      return null;
@@ -354,8 +355,9 @@
        continue;
      }
      if (isSVG && k.startsWith("xlink:")) {
-        const ns = "http://www.w3.org/1999/xlink";
+        const cleanVal = validateAttr(k.slice(6), v);
-        v == null ? el.removeAttributeNS(ns, k.slice(6)) : el.setAttributeNS(ns, k.slice(6), v);
+        let lnk = "http://www.w3.org/1999/xlink";
        cleanVal == null ? el.removeAttributeNS(lnk, k.slice(6)) : el.setAttributeNS(lnk, k.slice(6), cleanVal);
        continue;
      }
      if (k.startsWith("on")) {
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "sigpro",
-  "version": "1.2.20",
+  "version": "1.2.21",
  "type": "module",
  "license": "MIT",
  "main": "./dist/sigpro.esm.min.js",
@@ -28,10 +28,10 @@
  "homepage": "https://sigpro.natxocc.com/#/",
  "repository": {
    "type": "git",
-    "url": "https://git.natxocc.com/natxocc/sigpro"
+    "url": "https://github.com/natxocc/sigpro"
  },
  "bugs": {
-    "url": "https://git.natxocc.com/natxocc/sigpro/issues"
+    "url": "https://github.com/natxocc/sigpro/issues"
  },
  "scripts": {
    "clean": "rm -rf dist",
--- a/sigpro.js
+++ b/sigpro.js
@@ -230,8 +230,9 @@ const cleanupNode = (node) => {
  if (node.childNodes) node.childNodes.forEach(n => cleanupNode(n));
 };
-const DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i
+var DANGEROUS_PROTOCOL = /^\s*(javascript|data|vbscript):/i;
-const isDangerousAttr = key => key === 'src' || key === 'href' || key.startsWith('on')
+var DANGEROUS_URI_ATTRS = new Set(["src", "href", "formaction", "action", "background", "code", "archive"]);
 var isDangerousAttr = (key) => DANGEROUS_URI_ATTRS.has(key) || key.startsWith("on");
 const validateAttr = (key, val) => {
  if (val == null || val === false) return null
@@ -292,9 +293,12 @@ const h = (tag, props = {}, children = []) => {
      continue
    }
    if (isSVG && k.startsWith("xlink:")) {
-      const ns = "http://www.w3.org/1999/xlink"
+      const cleanVal = validateAttr(k.slice(6), v);
-      v == null ? el.removeAttributeNS(ns, k.slice(6)) : el.setAttributeNS(ns, k.slice(6), v)
+      let lnk = "http://www.w3.org/1999/xlink"
-      continue
+      cleanVal == null
        ? el.removeAttributeNS(lnk, k.slice(6))
        : el.setAttributeNS(lnk, k.slice(6), cleanVal);
      continue;
    }
    if (k.startsWith("on")) {
      const ev = k.slice(2).toLowerCase()