
sanitize.HTMLAllowing() breaks when encountering a self-closing iframe tag #27

Open
dy-dx opened this issue May 7, 2019 · 2 comments

@dy-dx

dy-dx commented May 7, 2019

```go
package main

import (
	"fmt"

	"github.com/kennygrant/sanitize"
)

func main() {
	input1 := `<iframe></iframe><script>alert('uh oh');</script><p>hello</p>`
	input2 := `<iframe /><script>alert('uh oh');</script><p>hello</p>`

	allowedTags := []string{"p"}

	output1, _ := sanitize.HTMLAllowing(input1, allowedTags)
	fmt.Println(output1) // <p>hello</p>

	output2, _ := sanitize.HTMLAllowing(input2, allowedTags)
	fmt.Println(output2) // &lt;script&gt;alert(&#39;uh oh&#39;);&lt;/script&gt;&lt;p&gt;hello&lt;/p&gt;
}
```
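For readers wanting to see the tokenizer rule at the heart of this report in isolation, here is an added illustration (not kennygrant/sanitize's code): a minimal allowlist stripper that drops a disallowed raw-text element's content only when the start tag actually opens an element, so `<iframe />` is consumed as a single tag and the `<script>` that follows is still removed. It is deliberately reduced: the raw-text set is constructed, allowed tags pass through with attributes unfiltered, and `>` inside attribute values is not handled.

```go
package main

import "strings"

// Raw-text elements: a disallowed start tag takes its content with it (constructed set).
var rawText = map[string]bool{"script": true, "style": true, "iframe": true}

// parseTag splits "<name attrs />" into (lowercase name, isEnd, selfClosing).
func parseTag(tag string) (name string, isEnd, selfClosing bool) {
	body := strings.TrimSpace(tag[1 : len(tag)-1])
	if isEnd = strings.HasPrefix(body, "/"); isEnd {
		body = body[1:]
	}
	if selfClosing = strings.HasSuffix(body, "/"); selfClosing {
		body = body[:len(body)-1]
	}
	if f := strings.Fields(body); len(f) > 0 {
		name = strings.ToLower(f[0])
	}
	return
}

// stripTags passes allowlisted tags through and drops all others. A disallowed raw-text
// start tag also drops its content up to "</name>", but only when it really opens an element.
func stripTags(in string, allowed []string) string {
	ok := map[string]bool{}
	for _, t := range allowed {
		ok[strings.ToLower(t)] = true
	}
	var out strings.Builder
	for lt := strings.IndexByte(in, '<'); lt >= 0; lt = strings.IndexByte(in, '<') {
		out.WriteString(in[:lt]) // text before the tag is kept
		gt := strings.IndexByte(in[lt:], '>')
		if gt < 0 { // unterminated tag: drop the rest rather than emit a fragment
			return out.String()
		}
		tag, rest := in[lt:lt+gt+1], in[lt+gt+1:]
		name, isEnd, selfClosing := parseTag(tag)
		if ok[name] {
			out.WriteString(tag) // attributes are not filtered in this illustration
		} else if !isEnd && !selfClosing && rawText[name] {
			j := strings.Index(strings.ToLower(rest), "</"+name+">")
			if j < 0 { // never closed: everything after it is raw content
				return out.String()
			}
			rest = rest[j+len(name)+3:]
		}
		in = rest
	}
	return out.String() + in
}
```

Called with the two inputs from the report and `allowed = []string{"p"}`, both return `<p>hello</p>`; an unclosed `<script>` drops everything after it rather than emitting it.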
@kennygrant
Owner

Thanks. I assume the expected output in both cases is:

<p>hello</p>

Because it should be removing both the iframe and the script tags, but instead doesn't remove them and ends up escaping them instead? So it's over-escaping here and you end up with all the escaped html in output2 rather than just the expected paragraph.

Is that a fair summary?

@dy-dx
Author

dy-dx commented May 13, 2019

Yes, that's exactly right.
