apostrophecms / sanitize-html

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance
MIT License

nonTextTags is not working for script tag #494

Closed greg-md closed 2 years ago

greg-md commented 2 years ago

I want to allow script tags only with src attributes from specific domains, but the nonTextTags: ['script'] option doesn't remove the code contents from it.

Or is there another way to remove script contents?

To Reproduce

const sanitizeHtml = require('sanitize-html');

const content = sanitizeHtml('<script src="https://apps.elfsight.com/p/platform.js"></script><script>alert(1)</script>', {
    allowedTags: ['script'],
    allowedAttributes: {
        script: ['src'],
    },
    nonTextTags: ['script'],
    allowedScriptHostnames: ['apps.elfsight.com'],
});

Expected behavior

Should return:

<script src="https://apps.elfsight.com/p/platform.js"></script><script></script>
// or even better, without empty script tag:
<script src="https://apps.elfsight.com/p/platform.js"></script>

Describe the bug

It doesn't clean up script contents. It returns the same:

<script src="https://apps.elfsight.com/p/platform.js"></script><script>alert(1)</script>

Details

It doesn't work in the latest version, 2.5.0.
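The behaviour the report above expects, as an added example that is not part of the issue and not sanitize-html's own code: a minimal sanitizer that discards the text inside any element listed in nonTextTags (whether or not that element is itself kept) and keeps a script element only when its src parses as an absolute http(s) URL whose hostname is exactly on allowedScriptHostnames. It assumes a simplified regex tokenizer in place of htmlparser2, models only the src attribute of script (allowedAttributes is not implemented, other attributes are dropped), does not track void elements, and uses hypothetical function names.

```javascript
// Added example, not sanitize-html's code: models nonTextTags plus
// allowedScriptHostnames with a simplified tokenizer instead of htmlparser2.
// Assumptions: only <script src> is modelled as an attribute, void elements
// are not tracked, and the function names are hypothetical.

const TAG_OR_TEXT = /<\/?([a-zA-Z][\w-]*)([^>]*)>|([^<]+)/g;
const ATTR = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Accept src only when it parses as an absolute http(s) URL whose hostname is
// exactly on the allowlist. Going through URL (not substring matching) means
// "apps.elfsight.com.attacker.example" and protocol-relative "//host/x.js"
// are both rejected.
function isAllowedScriptSrc(src, allowedHosts) {
  if (typeof src !== 'string') return false;
  let url;
  try { url = new URL(src); } catch { return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return allowedHosts.includes(url.hostname.toLowerCase());
}

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizeHtmlSubset(html, options) {
  const allowedTags = options.allowedTags || [];
  const nonTextTags = options.nonTextTags || ['script', 'style', 'textarea', 'option'];
  const allowedHosts = (options.allowedScriptHostnames || []).map(h => h.toLowerCase());
  const out = [];
  const stack = []; // currently open elements: { tag, kept }
  // Text is dropped while any open ancestor is a nonTextTags element,
  // regardless of whether that element was kept or removed.
  const skippingText = () => stack.some(e => nonTextTags.includes(e.tag));

  for (const m of html.matchAll(TAG_OR_TEXT)) {
    const [raw, name, rawAttrs, text] = m;
    if (text !== undefined) {
      if (!skippingText()) out.push(text); // text tokens never contain '<'
      continue;
    }
    const tag = name.toLowerCase();
    if (raw.startsWith('</')) {
      const idx = stack.map(e => e.tag).lastIndexOf(tag);
      if (idx === -1) continue; // stray close tag: ignore
      // Close this element and anything left open inside it, innermost first.
      for (const el of stack.splice(idx).reverse()) {
        if (el.kept) out.push(`</${el.tag}>`);
      }
      continue;
    }
    let kept = allowedTags.includes(tag);
    let attrText = '';
    if (tag === 'script') {
      const { src } = parseAttrs(rawAttrs);
      // A script without an allowed src is removed entirely; its body is
      // dropped by the nonTextTags rule above, never emitted as text.
      kept = kept && isAllowedScriptSrc(src, allowedHosts);
      if (kept) attrText = ` src="${escapeAttr(src)}"`;
    }
    if (kept) out.push(`<${tag}${attrText}>`);
    if (!/\/\s*$/.test(rawAttrs)) stack.push({ tag, kept });
  }
  return out.join('');
}

const REPORT_INPUT =
  '<script src="https://apps.elfsight.com/p/platform.js"></script><script>alert(1)</script>';
const REPORT_OPTIONS = {
  allowedTags: ['script'],
  nonTextTags: ['script'],
  allowedScriptHostnames: ['apps.elfsight.com'],
};

console.log(sanitizeHtmlSubset(REPORT_INPUT, REPORT_OPTIONS));
```

The regex tokenizer is not an HTML5 parser (a stray `<` inside script text is treated as a tag start), which is one reason the real library is built on htmlparser2; the point of the example is the two rules it enforces: script bodies are never copied to the output, and a script element survives only on an exact hostname match of a parsed absolute URL.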

boutell commented 2 years ago

I can reproduce this issue. The intent was made clear by the code that cleans out the content if an allowed source is present, so it doesn't make any sense to keep the content if no source at all is present.

greg-md commented 2 years ago

Thank you for fixing it fast! 🎉