apostrophecms / sanitize-html

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance.
MIT License
3.69k stars 351 forks

PRO-2076 no script tag bodies allowed at all when locking down to certain script sources #495

Closed. boutell closed this 2 years ago.

boutell commented 2 years ago

Limiting the src attribute has no meaning if you can put the same malicious code right in the body, so this is a security fix, not a BC break.

Closes #494

linear[bot] commented 2 years ago
PRO-2076 sanitize-html security hole in new allowedScriptDomains / allowedScriptHostnames options

These don't purge the body of script tags *without* a src attribute, which defeats the purpose and was also strongly implied by the fact they purged the body when a script tag *does* have one.
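The two comments above describe the hole in behavioural terms. The following is an added JavaScript model of that policy, written for this page; it is not sanitize-html's own code or its API. The element shape `{ attribs, body }`, the function names `srcAllowed`, `applyScriptPolicy` and `compare`, the `fixed` switch, and the matching rules (hostnames match exactly, domains match themselves and any subdomain, relative URLs are never allowed, a disallowed src drops the whole element) are all assumptions made for illustration. Running it side by side shows the case the PR fixes: before, a `<script>` with no `src` kept its inline body; after, the body is purged the same way it already was for a remote script.

```javascript
// Added model of the script-source policy this PR fixes. This is NOT
// sanitize-html's code: the element shape, the function names and the
// hostname/domain matching rules are assumptions made for illustration.

// Decide whether a script src points at a permitted host.
// allowedScriptHostnames: exact hostname match.
// allowedScriptDomains: the domain itself or any subdomain (assumed rule).
function srcAllowed(src, policy) {
  let host;
  try {
    // Resolve against a sentinel base so relative URLs are detectable.
    host = new URL(src, 'https://relative.invalid/').hostname.toLowerCase();
  } catch (e) {
    return false; // unparseable src is never allowed
  }
  if (host === 'relative.invalid') {
    return false; // relative (same-origin) src is not covered by a host allowlist
  }
  if (policy.allowedScriptHostnames.includes(host)) {
    return true;
  }
  return policy.allowedScriptDomains.some(
    d => host === d || host.endsWith('.' + d)
  );
}

// Apply the source policy to one parsed <script> element, represented as
// { attribs: { src?: string, ... }, body: string }.
// Returns the element to emit, or null when it is dropped entirely.
// `fixed: false` reproduces the pre-fix behaviour described in the PR.
function applyScriptPolicy(script, policy, { fixed = true } = {}) {
  const restricted =
    policy.allowedScriptHostnames.length > 0 ||
    policy.allowedScriptDomains.length > 0;
  if (!restricted) {
    return script; // no source restriction configured, nothing to enforce
  }
  const src = script.attribs.src;
  if (src !== undefined) {
    if (!srcAllowed(src, policy)) {
      return null; // this model drops the element outright (assumption)
    }
    // Allowed remote script: the inline body is discarded in both versions,
    // since only the remote source was vetted.
    return { attribs: { ...script.attribs }, body: '' };
  }
  // No src at all. Before the fix the body survived here, so
  // <script>payload</script> bypassed the allowlist outright.
  // After the fix the body is purged just as it is for a remote script.
  return { attribs: { ...script.attribs }, body: fixed ? '' : script.body };
}

// Constructed sample policy and elements covering each case.
const policy = {
  allowedScriptHostnames: ['cdn.example.com'],
  allowedScriptDomains: ['trusted.example']
};
const samples = {
  allowedRemote: { attribs: { src: 'https://cdn.example.com/app.js' }, body: 'alert(1)' },
  subdomainRemote: { attribs: { src: 'https://static.trusted.example/x.js' }, body: '' },
  otherRemote: { attribs: { src: 'https://evil.example.net/x.js' }, body: '' },
  inline: { attribs: {}, body: 'alert(document.cookie)' }
};

// Run every sample through the pre-fix and fixed policy; the inline case is the bug.
function compare(samples, policy) {
  const out = {};
  for (const [name, el] of Object.entries(samples)) {
    out[name] = {
      before: applyScriptPolicy(el, policy, { fixed: false }),
      after: applyScriptPolicy(el, policy)
    };
  }
  return out;
}

console.log(JSON.stringify(compare(samples, policy), null, 2));
```

The point to take from the model is the one boutell makes: a src allowlist only says which remote files are trusted, so any inline body must be discarded whenever that allowlist is in force, whether or not the tag carries a `src`.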