From 58877119d3607a3a93903c426d47e69f9fc1eb74 Mon Sep 17 00:00:00 2001
From: Glauber <c1289581@bb.com.br>
Date: Mon, 22 Jul 2019 17:57:30 -0300
Subject: [PATCH 1/3] Added URI restriction whitelist

---
 HtmlSanitizer.js | 29 ++++++++++++++++++++++-------
 tests.html       |  4 ++++
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/HtmlSanitizer.js b/HtmlSanitizer.js
index b696c23..ed37291 100644
--- a/HtmlSanitizer.js
+++ b/HtmlSanitizer.js
@@ -22,7 +22,9 @@ var HtmlSanitizer = new (function () {
 
 	var schemaWhiteList_ = [ 'http:', 'https:', 'data:', 'm-files:', 'file:', 'ftp:' ]; //which "protocols" are allowed in "href", "src" etc
 
-	var uriAttributes_ = { 'href': true, 'action': true };
+	var uriAttributes_ = { 'href': true, 'action': true, 'src': true };
+	
+	var uriContainsWhiteList_ = [ ];
 
 	this.SanitizeHtml = function(input) {
 		input = input.trim();
@@ -71,7 +73,7 @@ var HtmlSanitizer = new (function () {
 						}
 						else {
 							if (uriAttributes_[attr.name]) { //if this is a "uri" attribute, that can have "javascript:" or something
-								if (attr.value.indexOf(":") > -1 && !startsWithAny(attr.value, schemaWhiteList_))
+								if (attr.value.indexOf(":") > -1 && !URIstartsWithAndContains(attr.value))
 									continue;
 							}
 							newNode.setAttribute(attr.name, attr.value);
@@ -95,17 +97,30 @@ var HtmlSanitizer = new (function () {
 			.replace(/div><div/g, "div>\n<div"); //replace is just for cleaner code
 	}
 
-	function startsWithAny(str, substrings) {
-		for (var i = 0; i < substrings.length; i++) {
-			if (str.indexOf(substrings[i]) == 0) {
-				return true;
+	function URIstartsWithAndContains(str) {
+		
+		var flag = false;
+		
+		//verify protocols
+		for (var i = 0; i < schemaWhiteList_.length; i++) {
+			if (str.indexOf(schemaWhiteList_[i]) == 0) {
+				flag = true;
 			}
 		}
-		return false;
+		
+		//verify url partials
+		for (var i = 0; i < uriContainsWhiteList_.length; i++) {
+			if (str.indexOf(uriContainsWhiteList_[i]) == -1) {
+				flag = false;
+			}
+		}
+		
+		return flag;
 	}
 
 	this.AllowedTags = tagWhitelist_;
 	this.AllowedAttributes = attributeWhitelist_;
 	this.AllowedCssStyles = cssWhitelist_;
 	this.AllowedSchemas = schemaWhiteList_;
+	this.AllowedAddresses = uriContainsWhiteList_;
 });
diff --git a/tests.html b/tests.html
index 3c7b3ee..2eca8c0 100644
--- a/tests.html
+++ b/tests.html
@@ -13,6 +13,10 @@
     <script src="https://code.jquery.com/qunit/qunit-2.9.1.js"></script>
 
     <script>
+    
+    //sample to add partial URI's whitlist 
+    //HtmlSanitizer.AllowedAddresses.push('domain.com');
+
     QUnit.test("Html Sanitizer", function( assert ) {
         assert.equal(HtmlSanitizer.SanitizeHtml("<div> <script> Alert('xss!'); </scr" + "ipt> </div>"), "<div>  </div>");
         assert.equal(HtmlSanitizer.SanitizeHtml("<p class='MsoNormal' style='margin-bottom:10.0pt;line-height:115%'><b>Official - SBU&nbsp;</b><o:p></o:p></p>"), "<p><b>Official - SBU&nbsp;</b></p>");

From a548629d0564478f6cbda7bdabec44aa902826aa Mon Sep 17 00:00:00 2001
From: Glauber <c1289581@bb.com.br>
Date: Wed, 24 Jul 2019 15:43:24 -0300
Subject: [PATCH 2/3] refactoring code

---
 ATTRIBUTIONS.md          |  5 ---
 HtmlSanitizer.js         | 68 +++++++++++++++++++++-------------------
 README.md                |  6 ++++
 tests.html => index.html |  0
 4 files changed, 42 insertions(+), 37 deletions(-)
 delete mode 100644 ATTRIBUTIONS.md
 rename tests.html => index.html (100%)

diff --git a/ATTRIBUTIONS.md b/ATTRIBUTIONS.md
deleted file mode 100644
index f512eec..0000000
--- a/ATTRIBUTIONS.md
+++ /dev/null
@@ -1,5 +0,0 @@
-This repo includes OSS code from:
-
-### StackOverflow
-
-Tag whitelisting is inspired by this answer: https://stackoverflow.com/a/28533511
diff --git a/HtmlSanitizer.js b/HtmlSanitizer.js
index ed37291..9c79cc7 100644
--- a/HtmlSanitizer.js
+++ b/HtmlSanitizer.js
@@ -1,32 +1,30 @@
-//JavaScript HTML Sanitizer, (c) Alexander Yumashev, Jitbit Software.
+/* 
+ * JavaScript HTML Sanitizer, (c) Alexander Yumashev, Jitbit Software.
+ * homepage https://github.com/jitbit/HtmlSanitizer
+ * License: GNU GPL v3 https://github.com/jitbit/HtmlSanitizer/blob/master/LICENSE
+ */
 
-//homepage https://github.com/jitbit/HtmlSanitizer
+var HtmlSanitizer = (function () {
 
-//License: GNU GPL v3 https://github.com/jitbit/HtmlSanitizer/blob/master/LICENSE
-
-console.log('Sanitizer loading');
-
-var HtmlSanitizer = new (function () {
-
-	var tagWhitelist_ = {
+	var _tagWhitelist = {
 		'A': true, 'ABBR': true, 'B': true, 'BLOCKQUOTE': true, 'BODY': true, 'BR': true, 'CENTER': true, 'CODE': true, 'DIV': true, 'EM': true, 'FONT': true,
 		'H1': true, 'H2': true, 'H3': true, 'H4': true, 'H5': true, 'H6': true, 'HR': true, 'I': true, 'IMG': true, 'LABEL': true, 'LI': true, 'OL': true, 'P': true, 'PRE': true,
 		'SMALL': true, 'SOURCE': true, 'SPAN': true, 'STRONG': true, 'TABLE': true, 'TBODY': true, 'TR': true, 'TD': true, 'TH': true, 'THEAD': true, 'UL': true, 'U': true, 'VIDEO': true
 	};
 
-	var contentTagWhiteList_ = { 'FORM': true }; //tags that will be converted to DIVs
+	var _contentTagWhiteList = { 'FORM': true }; //tags that will be converted to DIVs
 
-	var attributeWhitelist_ = { 'align': true, 'color': true, 'controls': true, 'height': true, 'href': true, 'src': true, 'style': true, 'target': true, 'title': true, 'type': true, 'width': true };
+	var _attributeWhitelist = { 'align': true, 'color': true, 'controls': true, 'height': true, 'href': true, 'src': true, 'style': true, 'target': true, 'title': true, 'type': true, 'width': true };
 
-	var cssWhitelist_ = { 'color': true, 'background-color': true, 'font-size': true, 'text-align': true, 'text-decoration': true, 'font-weight': true };
+	var _cssWhitelist = { 'color': true, 'background-color': true, 'font-size': true, 'text-align': true, 'text-decoration': true, 'font-weight': true };
 
-	var schemaWhiteList_ = [ 'http:', 'https:', 'data:', 'm-files:', 'file:', 'ftp:' ]; //which "protocols" are allowed in "href", "src" etc
+	var _schemaWhiteList = [ 'http:', 'https:', 'data:', 'm-files:', 'file:', 'ftp:' ]; //which "protocols" are allowed in "href", "src" etc
 
-	var uriAttributes_ = { 'href': true, 'action': true, 'src': true };
+	var _uriAttributes = { 'href': true, 'action': true, 'src': true };
 	
-	var uriContainsWhiteList_ = [ ];
+	var _uriContainsWhiteList = [ ];
 
-	this.SanitizeHtml = function(input) {
+	var SanitizeHtml = function(input) {
 		input = input.trim();
 		if (input == "") return ""; //to save performance and not create iframe
 
@@ -46,9 +44,12 @@ var HtmlSanitizer = new (function () {
 		iframedoc.body.innerHTML = input;
 
 		function makeSanitizedCopy(node) {
+			
+			var newNode;
+
 			if (node.nodeType == Node.TEXT_NODE) {
-				var newNode = node.cloneNode(true);
-			} else if (node.nodeType == Node.ELEMENT_NODE && (tagWhitelist_[node.tagName] || contentTagWhiteList_[node.tagName])) {
+				newNode = node.cloneNode(true);
+			} else if (node.nodeType == Node.ELEMENT_NODE && (_tagWhitelist[node.tagName] || _contentTagWhiteList[node.tagName])) {
 
 				//remove useless empty spans (lots of those when pasting from MS Outlook)
 				if ((node.tagName == "SPAN" || node.tagName == "B" || node.tagName == "I" || node.tagName == "U")
@@ -56,23 +57,23 @@ var HtmlSanitizer = new (function () {
 					return document.createDocumentFragment();
 				}
 
-				if (contentTagWhiteList_[node.tagName])
+				if (_contentTagWhiteList[node.tagName])
 					newNode = iframedoc.createElement('DIV'); //convert to DIV
 				else
 					newNode = iframedoc.createElement(node.tagName);
 
 				for (var i = 0; i < node.attributes.length; i++) {
 					var attr = node.attributes[i];
-					if (attributeWhitelist_[attr.name]) {
+					if (_attributeWhitelist[attr.name]) {
 						if (attr.name == "style") {
 							for (s = 0; s < node.style.length; s++) {
 								var styleName = node.style[s];
-								if (cssWhitelist_[styleName])
+								if (_cssWhitelist[styleName])
 									newNode.style.setProperty(styleName, node.style.getPropertyValue(styleName));
 							}
 						}
 						else {
-							if (uriAttributes_[attr.name]) { //if this is a "uri" attribute, that can have "javascript:" or something
+							if (_uriAttributes[attr.name]) { //if this is a "uri" attribute, that can have "javascript:" or something
 								if (attr.value.indexOf(":") > -1 && !URIstartsWithAndContains(attr.value))
 									continue;
 							}
@@ -102,15 +103,15 @@ var HtmlSanitizer = new (function () {
 		var flag = false;
 		
 		//verify protocols
-		for (var i = 0; i < schemaWhiteList_.length; i++) {
-			if (str.indexOf(schemaWhiteList_[i]) == 0) {
+		for (var i = 0; i < _schemaWhiteList.length; i++) {
+			if (str.indexOf(_schemaWhiteList[i]) == 0) {
 				flag = true;
 			}
 		}
 		
 		//verify url partials
-		for (var i = 0; i < uriContainsWhiteList_.length; i++) {
-			if (str.indexOf(uriContainsWhiteList_[i]) == -1) {
+		for (var k = 0; k < _uriContainsWhiteList.length; k++) {
+			if (str.indexOf(_uriContainsWhiteList[k]) == -1) {
 				flag = false;
 			}
 		}
@@ -118,9 +119,12 @@ var HtmlSanitizer = new (function () {
 		return flag;
 	}
 
-	this.AllowedTags = tagWhitelist_;
-	this.AllowedAttributes = attributeWhitelist_;
-	this.AllowedCssStyles = cssWhitelist_;
-	this.AllowedSchemas = schemaWhiteList_;
-	this.AllowedAddresses = uriContainsWhiteList_;
-});
+	return {
+		AllowedTags: _tagWhitelist,
+		AllowedAttributes: _attributeWhitelist,
+		AllowedCssStyles: _cssWhitelist,
+		AllowedSchemas: _schemaWhiteList,
+		AllowedAddresses: _uriContainsWhiteList,
+		SanitizeHtml: SanitizeHtml
+	}
+})();
diff --git a/README.md b/README.md
index dcbf52b..09cf3d9 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,12 @@ To add an allowed tag:
 HtmlSanitizer.AllowedTags['script'] = true;
 ```
 
+To allow only specific domains on "uri-attributes"
+
+```javascript
+HtmlSanitizer.AllowedAddresses.push('domain.com');
+```
+
 ## Browser support
 
 Supported by all major browsers, IE10 and higher.
diff --git a/tests.html b/index.html
similarity index 100%
rename from tests.html
rename to index.html

From 9c40d58da705904826b4d769b23e6675d7112690 Mon Sep 17 00:00:00 2001
From: Glauber <c1289581@bb.com.br>
Date: Wed, 24 Jul 2019 16:22:40 -0300
Subject: [PATCH 3/3] refactoring code part 2

---
 HtmlSanitizer.js | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/HtmlSanitizer.js b/HtmlSanitizer.js
index 9c79cc7..5ce0c11 100644
--- a/HtmlSanitizer.js
+++ b/HtmlSanitizer.js
@@ -11,25 +11,21 @@ var HtmlSanitizer = (function () {
 		'H1': true, 'H2': true, 'H3': true, 'H4': true, 'H5': true, 'H6': true, 'HR': true, 'I': true, 'IMG': true, 'LABEL': true, 'LI': true, 'OL': true, 'P': true, 'PRE': true,
 		'SMALL': true, 'SOURCE': true, 'SPAN': true, 'STRONG': true, 'TABLE': true, 'TBODY': true, 'TR': true, 'TD': true, 'TH': true, 'THEAD': true, 'UL': true, 'U': true, 'VIDEO': true
 	};
-
 	var _contentTagWhiteList = { 'FORM': true }; //tags that will be converted to DIVs
-
 	var _attributeWhitelist = { 'align': true, 'color': true, 'controls': true, 'height': true, 'href': true, 'src': true, 'style': true, 'target': true, 'title': true, 'type': true, 'width': true };
-
 	var _cssWhitelist = { 'color': true, 'background-color': true, 'font-size': true, 'text-align': true, 'text-decoration': true, 'font-weight': true };
-
 	var _schemaWhiteList = [ 'http:', 'https:', 'data:', 'm-files:', 'file:', 'ftp:' ]; //which "protocols" are allowed in "href", "src" etc
-
 	var _uriAttributes = { 'href': true, 'action': true, 'src': true };
-	
 	var _uriContainsWhiteList = [ ];
 
 	var SanitizeHtml = function(input) {
+
 		input = input.trim();
-		if (input == "") return ""; //to save performance and not create iframe
 
-		//firefox "bogus node" workaround
-		if (input == "<br>") return "";
+		//to save performance and not create iframe and firefox "bogus node" workaround
+		if (input == "" || input == "<br>") {
+			return ""
+		};
 
 		var iframe = document.createElement('iframe');
 		if (iframe['sandbox'] === undefined) {
@@ -40,7 +36,9 @@ var HtmlSanitizer = (function () {
 		iframe.style.display = 'none';
 		document.body.appendChild(iframe); // necessary so the iframe contains a document
 		var iframedoc = iframe.contentDocument || iframe.contentWindow.document;
-		if (iframedoc.body == null) iframedoc.write("<body></body>"); // null in IE
+		if (iframedoc.body == null){
+			iframedoc.write("<body></body>"); // null in IE
+		}
 		iframedoc.body.innerHTML = input;
 
 		function makeSanitizedCopy(node) {
@@ -57,10 +55,11 @@ var HtmlSanitizer = (function () {
 					return document.createDocumentFragment();
 				}
 
-				if (_contentTagWhiteList[node.tagName])
+				if (_contentTagWhiteList[node.tagName]) {
 					newNode = iframedoc.createElement('DIV'); //convert to DIV
-				else
+				} else {
 					newNode = iframedoc.createElement(node.tagName);
+				}
 
 				for (var i = 0; i < node.attributes.length; i++) {
 					var attr = node.attributes[i];
@@ -68,14 +67,16 @@ var HtmlSanitizer = (function () {
 						if (attr.name == "style") {
 							for (s = 0; s < node.style.length; s++) {
 								var styleName = node.style[s];
-								if (_cssWhitelist[styleName])
+								if (_cssWhitelist[styleName]){
 									newNode.style.setProperty(styleName, node.style.getPropertyValue(styleName));
+								}
 							}
 						}
 						else {
 							if (_uriAttributes[attr.name]) { //if this is a "uri" attribute, that can have "javascript:" or something
-								if (attr.value.indexOf(":") > -1 && !URIstartsWithAndContains(attr.value))
+								if (attr.value.indexOf(":") > -1 && !URIstartsWithAndContains(attr.value)){
 									continue;
+								}
 							}
 							newNode.setAttribute(attr.name, attr.value);
 						}
@@ -89,14 +90,14 @@ var HtmlSanitizer = (function () {
 				newNode = document.createDocumentFragment();
 			}
 			return newNode;
-		};
+		}
 
 		var resultElement = makeSanitizedCopy(iframedoc.body);
 		document.body.removeChild(iframe);
 		return resultElement.innerHTML
 			.replace(/<br[^>]*>(\S)/g, "<br>\n$1")
 			.replace(/div><div/g, "div>\n<div"); //replace is just for cleaner code
-	}
+	};
 
 	function URIstartsWithAndContains(str) {
 		
@@ -126,5 +127,6 @@ var HtmlSanitizer = (function () {
 		AllowedSchemas: _schemaWhiteList,
 		AllowedAddresses: _uriContainsWhiteList,
 		SanitizeHtml: SanitizeHtml
-	}
+	};
+
 })();