Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance
MIT License
PRO-2076 no script tag bodies allowed at all when locking down to certain script sources #495
These don't purge the body of script tags *without* a src attribute, which defeats the purpose and was also strongly implied by the fact they purged the body when a script tag *does* have one.
Limiting the src attribute has no meaning if you can put the same malicious code right in the body, so this is a security fix, not a BC break.
Closes #494
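Added example, not code from sanitize-html itself: a minimal model of the script-body decision the PR describes, run over a constructed input. The option name `allowedHostnames` and the helper names are assumptions for illustration; it only handles simple `<script ...>...</script>` tags and only decides whether the body survives, which is enough to show why the pre-fix rule left a gap.

```javascript
// Model of the policy only (assumption: not sanitize-html's real implementation).
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// Parse a raw attribute string like ' src="https://x/y.js" defer' into an object.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// Hostname of an absolute src URL; relative or malformed values yield null,
// which is never on the allow list, so such scripts lose their body.
function srcHostname(src) {
  try { return new URL(src).hostname.toLowerCase(); } catch (e) { return null; }
}

// Pre-fix rule as described in the PR: the body was purged only when a src
// attribute was present and disallowed, so a script with NO src kept its body.
function bodyAllowedBefore(attrs, allowedHostnames) {
  if (!('src' in attrs)) return true;
  return allowedHostnames.includes(srcHostname(attrs.src));
}

// Post-fix rule: once sources are locked down, a body survives only when the
// tag has a src on the allow list. No src means no body at all.
function bodyAllowedAfter(attrs, allowedHostnames) {
  return 'src' in attrs && allowedHostnames.includes(srcHostname(attrs.src));
}

// Rewrite every script tag, keeping or emptying its body per the chosen rule.
function sanitizeScripts(html, allowedHostnames, bodyAllowed) {
  return html.replace(SCRIPT_RE, (_, rawAttrs, body) => {
    const kept = bodyAllowed(parseAttrs(rawAttrs), allowedHostnames) ? body : '';
    return `<script${rawAttrs}>${kept}</script>`;
  });
}

// Constructed sample: an allowed external script, a disallowed one with a
// body, and an inline script with no src (the case the PR closes).
const SAMPLE = [
  '<script src="https://cdn.example.com/app.js"></script>',
  '<script src="https://evil.example/x.js">inlineCode()</script>',
  '<script>inlineCode()</script>',
].join('\n');

function compare(html, allowed) {
  return { before: sanitizeScripts(html, allowed, bodyAllowedBefore),
           after: sanitizeScripts(html, allowed, bodyAllowedAfter) };
}
```

Running `compare(SAMPLE, ['cdn.example.com'])` shows the inline script's body surviving under the old rule and being emptied under the new one, while the allowed external script is untouched in both.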