Fix a few edge cases for XSS

lib/xss.js

@@ -59,7 +59,7 @@ TagParser.prototype.parse = function () {
 
     // Attributes
     var attrs = {};
-    while (this.text[this.i] !== ">") {
+    while (this.i < this.text.length && this.text[this.i] !== ">") {
         var key = this.readLiteralOrString(/[^\s=>]/);
         this.skipWhitespace();
         if (this.text[this.i] !== "=") {
@@ -77,7 +77,10 @@ TagParser.prototype.parse = function () {
         }
         this.skipWhitespace();
     }
+
+    if (this.i < this.text.length) {
         this.i++;
+    }
 
     return {
         tagName: tname,
@@ -153,9 +156,17 @@ function sanitizeHTML(str) {
         for (var k in t.attributes) {
             if (k.match(badAttrs)) {
                 delete t.attributes[k];
-            } else if (t.attributes[k].match(badAttrValues)) {
+            } else  {
+                if (t.attributes[k].match(badAttrValues)) {
                     t.attributes[k] = t.attributes[k].replace(badAttrValues, "");
                 }
+
+                var k2 = k.replace(/[^\w]/g, "");
+                if (k2 !== k) {
+                    t.attributes[k2] = t.attributes[k];
+                    delete t.attributes[k];
+                }
+            }
         }
         var fmt = "<" + t.tagName;
         for (var k in t.attributes) {

tests/xss.js

@@ -10,6 +10,11 @@ function basicTest() {
 
     assert(sanitize("<a href='javascript:alert(document.cookie)'>") === 
                     "<a href=\":()\">");
+
+    assert(sanitize("<a ") === "<a>");
+
+    assert(sanitize("<img src=\"<a href=\"javascript:void(0)\">>") ===
+                    "<img src=\"<a href=\" javascriptvoid0=\"\">>");
 }
 
 basicTest();