Remove the XSS filter.

The xss() function was originally a port of the XSS filter from
CodeIgniter. I added it to the library because there wasn't an
alternative at the time. Unfortunately I don't have the time or
expertise to maintain the XSS filter or keep merging upstream
changes.

If you need one for your app, I suggest looking at Caja sanitisation
engine maintained by Google. (https://code.google.com/p/google-caja/
source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js)

Closes #123, #138, #181, #206, #210, #221, #223, #226, #227, #231, #232

README.md

@@ -34,7 +34,6 @@ var int = sanitize('0123').toInt();                  //123
 var bool = sanitize('true').toBoolean();             //true
 var str = sanitize(' \t\r hello \n').trim();         //'hello'
 var str = sanitize('aaaaaaaaab').ltrim('a');         //'b'
-var str = sanitize(large_input_str).xss();
 var str = sanitize('&lt;a&gt;').entityDecode();      //'<a>'
 ```
 
@@ -58,7 +57,6 @@ get('/', function (req, res) {
     req.checkHeader('referer').contains('localhost');
 
     //Sanitize user input
-    req.sanitize('textarea').xss();
     req.sanitize('foo').toBoolean();
 
     //etc.
@@ -130,8 +128,6 @@ toBooleanStrict()               //False unless str = '1' or 'true'
 entityDecode()                  //Decode HTML entities
 entityEncode()
 escape()                        //Escape &, <, >, and "
-xss()                           //Remove common XSS attack vectors from user-supplied HTML
-xss(true)                       //Remove common XSS attack vectors from images
 ```
 
 ## Extending the library
@@ -221,7 +217,6 @@ var errors = validator.getErrors(); // ['Invalid email', 'String is too small']
 - [oris](https://github.com/orls) - Added in()
 - [mren](https://github.com/mren) - Decoupled rules
 - [Thorsten Basse](https://github.com/tbasse) - Cleanup and refinement of existing validators
-- [Neal Poole](https://github.com/nealpoole) - Port the latest xss() updates from CodeIgniter
 
 ## LICENSE
 

lib/filter.js

@@ -1,5 +1,4 @@
 var entities = require('./entities');
-var xss = require('./xss');
 
 var Filter = exports.Filter = function() {}
 
@@ -28,11 +27,6 @@ Filter.prototype.convert = Filter.prototype.sanitize = function(str) {
     return this;
 }
 
-Filter.prototype.xss = function(is_image) {
-    this.modify(xss.clean(this.str, is_image));
-    return this.wrap(this.str);
-}
-
 Filter.prototype.entityDecode = function() {
     this.modify(entities.decode(this.str));
     return this.wrap(this.str);

package.json

@@ -2,7 +2,7 @@
   "description"   : "Data validation, filtering and sanitization for node.js",
   "version"       : "1.5.1",
   "homepage"      : "http://github.com/chriso/node-validator",
-  "keywords"      : ["validator", "validation", "assert", "params", "sanitization", "xss", "entities", "sanitize", "sanitisation", "input"],
+  "keywords"      : ["validator", "validation", "assert", "params", "sanitization", "entities", "sanitize", "sanitisation", "input"],
   "author"        : "Chris O'Hara <cohara87@gmail.com>",
   "main"          : "./lib",
   "directories"   : { "lib" : "./lib" },

test/filter.test.js

@@ -132,39 +132,6 @@ module.exports = {
         assert.equal('½', Filter.sanitize('½').entityEncode());
     },
 
-    'test #xss()': function () {
-        //Need more tests!
-        assert.equal('[removed] foobar', Filter.sanitize('javascript  : foobar').xss());
-        assert.equal('[removed] foobar', Filter.sanitize('j a vasc ri pt: foobar').xss());
-        assert.equal('<a >some text</a>', Filter.sanitize('<a href="javascript:alert(\'xss\')">some text</a>').xss());
-
-        assert.equal('<s <> <s >This is a test</s>', Filter.sanitize('<s <onmouseover="alert(1)"> <s onmouseover="alert(1)">This is a test</s>').xss());
-        assert.equal('<a >">test</a>', Filter.sanitize('<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>').xss());
-        assert.equal('<div ><h1>You have won</h1>Please click the link and enter your login details: <a href="http://example.com/">http://good.com</a></div>', Filter.sanitize('<div style="z-index: 9999999; background-color: green; width: 100%; height: 100%"><h1>You have won</h1>Please click the link and enter your login details: <a href="http://example.com/">http://good.com</a></div>').xss());
-        assert.equal('<scrRedirec[removed]t 302ipt type="text/javascript">prompt(1);</scrRedirec[removed]t 302ipt>', Filter.sanitize('<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>').xss());
-        assert.equal('<img src="a" ', Filter.sanitize('<img src="a" onerror=\'eval(atob("cHJvbXB0KDEpOw=="))\'').xss());
-
-
-        // Source: http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html
-        assert.equal('<img src=">" >', Filter.sanitize('<img/src=">" onerror=alert(1)>').xss());
-        assert.equal('<button a=">" autofocus ></button>', Filter.sanitize('<button/a=">" autofocus onfocus=alert&#40;1&#40;></button>').xss());
-        assert.equal('<button a=">" autofocus >', Filter.sanitize('<button a=">" autofocus onfocus=alert&#40;1&#40;>').xss());
-        assert.equal('<a target="_blank">clickme in firefox</a>', Filter.sanitize('<a target="_blank" href="data:text/html;BASE64youdummy,PHNjcmlwdD5hbGVydCh3aW5kb3cub3BlbmVyLmRvY3VtZW50LmRvY3VtZW50RWxlbWVudC5pbm5lckhUTUwpPC9zY3JpcHQ+">clickme in firefox</a>').xss());
-        assert.equal('<a/\'\'\' target="_blank" href=[removed]PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+>firefox11</a>', Filter.sanitize('<a/\'\'\' target="_blank" href=data:text/html;;base64,PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+>firefox11</a>').xss());
-
-        var url = 'http://www.example.com/test.php?a=b&b=c&c=d';
-        assert.equal(url, Filter.sanitize(url).xss());
-    },
-
-    'test chaining': function () {
-        assert.equal('&amp;amp;amp;', Filter.sanitize('&').chain().entityEncode().entityEncode().entityEncode().value());
-
-        //Return the default behaviour
-        Filter.wrap = function (str) {
-            return str;
-        }
-    },
-
     'test #escape': function () {
         assert.equal('&amp;&lt;&quot;&gt;', Filter.sanitize('&<">').escape());
     }