lines changed Original file line number Diff line number Diff line change @@ -63,7 +63,7 @@ describe('Attributes to String', () => {
6363
6464 const resultString = attributeToString ( attr ) ;
6565
66- expect ( resultString ) . toEqual ( ' style=\"text-align:left; \" rows=\"4\" cols=\"2\" colWidths=\"250, 250\" <ls=\""></p><h1>test</h1><p class="\" ' )
66+ expect ( resultString ) . toEqual ( ' style=\"text-align:left; \" rows=\"4\" cols=\"2\" colWidths=\"250, 250\"' )
6767 done ( ) ;
6868 } ) ;
6969 it ( 'Should handle object attribute values correctly' , done => {
@@ -125,4 +125,16 @@ describe('Attributes to String', () => {
125125 expect ( resultString ) . toEqual ( ' safeKey="<script>alert(xss)</script>"' ) ;
126126 done ( ) ;
127127 } ) ;
128+ it ( 'Should ignore attributes with forbidden characters in keys' , done => {
129+ const attr = {
130+ "validKey" : "safeValue" ,
131+ 'in"valid' : "should be ignored" ,
132+ "another>invalid" : "should also be ignored"
133+ } as Attributes ;
134+
135+ const resultString = attributeToString ( attr ) ;
136+
137+ expect ( resultString ) . toEqual ( ' validKey="safeValue"' ) ;
138+ done ( ) ;
139+ } ) ;
128140} )
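Review bot: The new test on lines 128–139 only exercises `"` and `>` in keys, so it does not pin down the other characters that let a key escape an attribute name — `<`, `'`, `=`, `/` and whitespace — and a later edit to `forbiddenAttrChars` (defined in the implementation file, not here) that drops one of them would go unnoticed. Adding fixture entries such as `'a b': 'ignored'`, `'x=y': 'ignored'` and `'<tag': 'ignored'` to `attr`, keeping the same `' validKey="safeValue"'` expectation, would make the guard's intent explicit; if any of those key shapes is meant to be legal, the test should assert that instead. The `as Attributes` cast on line 133 also bypasses excess-property checking on the fixture; `const attr: Attributes = { ... }` would let the compiler validate it, assuming Attributes allows arbitrary string keys — worth confirming against its declaration.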
Original file line number Diff line number Diff line change @@ -60,11 +60,7 @@ export function attributeToString(attributes: Attributes): string {
6060 let result = '' ;
6161 for ( const key in attributes ) {
6262 if ( Object . prototype . hasOwnProperty . call ( attributes , key ) ) {
63- // Sanitize the key to prevent HTML injection
64- const sanitizedKey = replaceHtmlEntities ( key ) ;
65-
66- // Skip keys that contain forbidden characters (even after sanitization)
67- if ( forbiddenAttrChars . some ( char => sanitizedKey . includes ( char ) ) ) {
63+ if ( forbiddenAttrChars . some ( char => key . includes ( char ) ) ) {
6864 continue ;
6965 }
7066 let value = attributes [ key ] ;
@@ -76,14 +72,13 @@ export function attributeToString(attributes: Attributes): string {
7672 if ( Object . prototype . hasOwnProperty . call ( value , subKey ) ) {
7773 const subValue = value [ subKey ] ;
7874 if ( subValue != null && subValue !== '' ) {
79- elementString += `${ replaceHtmlEntities ( subKey ) } :${ replaceHtmlEntities ( String ( subValue ) ) } ; ` ;
75+ elementString += `${ subKey } :${ subValue } ; ` ;
8076 }
8177 }
8278 }
8379 value = elementString ;
8480 }
85- // Sanitize the value to prevent HTML injection
86- result += ` ${ sanitizedKey } ="${ replaceHtmlEntities ( String ( value ) ) } "` ;
81+ result += ` ${ key } ="${ replaceHtmlEntities ( String ( value ) ) } "` ;
8782 }
8883 }
8984 return result ;
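Review bot: The key guard on new line 63 is a deny-list over `forbiddenAttrChars`, which is declared outside this hunk, so whether keys like `"a b"`, `"x=y"`, `"k'"` or `"k<"` still reach the template on line 81 and split into a second attribute depends entirely on that list; an empty-string key passes the check today and renders as ` ="value"`. Attribute names have a narrow legal grammar, so an allow-list is easier to audit: replace the `some`/`includes` test with `if (!/^[A-Za-z_:][-A-Za-z0-9_:.]*$/.test(key)) { continue; }` (widen the character class if the project relies on other key shapes). Dropping the per-part `replaceHtmlEntities` on line 75 is correct only because the assembled `elementString` is still escaped once on line 81 (the old code double-escaped); a comment on line 75 such as `// not escaped here: the whole value is escaped once when appended to result` would stop the next reader from re-adding it. attributeToString begins and ends outside this hunk.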