OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Incorrect escaping for inline svg+xml data image #270

Open brsyuksel opened 1 year ago

brsyuksel commented 1 year ago

HtmlSanitizer encodes the given input to `<img src="data:image/svg&#43;xml" />`, which should be `<img src="data:image/svg+xml" />`.

Since `svg&#43;xml` is not a recognizable MIME type for browsers, they are just ignored.
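A reproduction harness for the report above, written against the library's `HtmlPolicyBuilder` API (added example, not code from the issue or the project; the input image and the policy are assumptions, since the report does not quote them). It sanitizes an SVG `data:` URL, then decodes numeric character references in the emitted `src` value the way HTML attribute parsing does, so the MIME type that actually reaches the image loader can be compared with the intended one.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class SvgDataUrlRepro {
    // Constructed sample input: the issue does not quote the full markup it fed in.
    static final String INPUT =
        "<img src=\"data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%2F%3E\" />";

    static final Pattern SRC_ATTR = Pattern.compile("src=\"([^\"]*)\"");
    static final Pattern NUMERIC_REF = Pattern.compile("&#([xX][0-9a-fA-F]+|[0-9]+);");

    /** Returns the raw (still-escaped) value of the first src="..." attribute, or null if none. */
    static String srcOf(String html) {
        Matcher m = SRC_ATTR.matcher(html);
        return m.find() ? m.group(1) : null;
    }

    /** Decodes numeric character references such as &#43; and &#x2B; into the characters they name. */
    static String decodeNumericRefs(String s) {
        Matcher m = NUMERIC_REF.matcher(s);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String ref = m.group(1);
            boolean hex = ref.charAt(0) == 'x' || ref.charAt(0) == 'X';
            int cp = hex ? Integer.parseInt(ref.substring(1), 16) : Integer.parseInt(ref);
            m.appendReplacement(sb, Matcher.quoteReplacement(new String(Character.toChars(cp))));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Assumed policy: img with a src attribute, data: scheme explicitly allowed.
        PolicyFactory policy = new HtmlPolicyBuilder()
            .allowElements("img")
            .allowAttributes("src").onElements("img")
            .allowUrlProtocols("data")
            .toFactory();
        String out = policy.sanitize(INPUT);
        System.out.println("sanitized markup:        " + out);
        String raw = srcOf(out);
        if (raw == null) {
            System.out.println("img element was dropped by the policy");
            return;
        }
        String decoded = decodeNumericRefs(raw);
        System.out.println("raw attribute value:     " + raw);
        System.out.println("decoded attribute value: " + decoded);
        System.out.println("MIME type after decoding is image/svg+xml: "
            + decoded.startsWith("data:image/svg+xml"));
    }
}
```

Run it with the java-html-sanitizer jar on the classpath; the last line tells you whether the value a browser sees after attribute decoding still carries the intended MIME type.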