jmanico
commented
4 years ago This is important. Templates were used to evade HTML Sanitization in DOMPurify. Here is some research on the topic.
https://securityaffairs.co/wordpress/83199/hacking/google-search-xss-flaw.html
-- Jim Manico @Manicode
On Apr 7, 2020, at 8:40 AM, Eugene Sokolov notifications@github.com wrote:
I'm trying to exclude a tag (template in the example below) and all content of it. I use disallowElements and disallowTextIn methods. With the tag it works fine, however I can't exclude the text anyhow.
Is there a bug or what is wrong with the code below?
Here is the code that I use:
var policy = new HtmlPolicyBuilder() .disallowElements("template") .disallowTextIn("template") .allowElements("h1") .toFactory();
var html = "
allowed text
excluded-text
";String result = policy.sanitize(html);
assertThat(result, equalTo("
allowed text
")); Result:Expected :
allowed text
Actual :allowed text
excluded-textThe HTML that is used in the example:
allowed text
excluded-text
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.
I'm trying to exclude a tag (template in the example below) and all content of it.
I use disallowElements and disallowTextIn methods. With the tag it works fine, however I can't exclude the text anyhow.
Is there a bug or what is wrong with the code below?
Here is the code that I use:
Result:
The HTML that is used in the example:
Version: