apostrophecms / sanitize-html

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance
MIT License

Possible to allow any src for script tags? #507

Closed tuomassalo closed 2 years ago

tuomassalo commented 2 years ago

Hi! I'm using this package for naïve prettification of user-supplied HTML data, instead of sanitizing naughty inputs.

(Yes, I'm aware this might be somewhat out of the scope of the package. But then again, allowedTags:false is already there...)

With 1.x I could use:

      allowedTags: false,
      allowedAttributes: false,

to allow passing through <script src="[whatever]"></script>, but I fail to find how to do that with the current version.

What works: <script src="https://example.com"></script> and <script>alert(1)</script> are passed through as-is, as expected.

What doesn't work: <script src="//example.com"></script> becomes <script></script>, and so does <script src="foo.js"></script>.

I'm now abusing transformTags to prepend https: to protocol-relative urls, but that's hacky.

Any ideas on whether there is a way to allow any src value in a script tag?
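As an added illustration (not sanitize-html's own code), a minimal src-attribute check showing why a scheme allow-list treats `https://example.com`, `//example.com` and `foo.js` differently: only the first carries a scheme that can be compared against the list. The option names `allowedSchemes` and `allowProtocolRelative` mirror sanitize-html's public options; the `allowRelative` switch and the regex-based `filterSrcAttributes` helper are constructed for this example only.

```javascript
// Added example, not code from the sanitize-html project. It classifies a
// src value and applies an allow-list the way a sanitizer must: an absolute
// URL is judged by its scheme, a protocol-relative or relative URL has no
// scheme, so it needs its own explicit switch.

// An absolute URL scheme: a letter, then letters/digits/+/-/., then ":".
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):/i;

function classifySrc(value) {
  // Browsers drop leading/trailing C0 controls and spaces, and ignore
  // tabs and newlines anywhere in a URL, so normalise the same way before
  // looking for a scheme; otherwise "java\nscript:" is misread as relative.
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  if (cleaned.startsWith('//')) return { kind: 'protocol-relative', value: cleaned };
  const m = SCHEME_RE.exec(cleaned);
  if (m) return { kind: 'absolute', scheme: m[1].toLowerCase(), value: cleaned };
  return { kind: 'relative', value: cleaned };
}

function isAllowedSrc(value, opts) {
  const {
    allowedSchemes = ['http', 'https'],  // same default list as sanitize-html
    allowProtocolRelative = true,        // sanitize-html option name
    allowRelative = false,               // constructed switch for "foo.js"-style values
  } = opts || {};
  const info = classifySrc(value);
  switch (info.kind) {
    case 'absolute':          return allowedSchemes.includes(info.scheme);
    case 'protocol-relative': return allowProtocolRelative;
    default:                  return allowRelative;
  }
}

// Drop every src attribute that fails the check, reproducing the
// '<script src="...">' -> '<script>' effect described in the issue.
// Regex-based on purpose to keep the example short; a real sanitizer
// works on parsed attributes, not on raw markup.
function filterSrcAttributes(html, opts) {
  return html.replace(/\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi, (whole, dq, sq) =>
    isAllowedSrc(dq !== undefined ? dq : sq, opts) ? whole : '');
}
```

Running `filterSrcAttributes` with `allowProtocolRelative: false` over the three script tags from the issue keeps only the `https://` one, which is exactly the behaviour the report describes.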

boutell commented 2 years ago

I actually agree that this is a bug, in that in a context where src="https://foo..." is permitted, src="//foo..." should also be permitted. So while allowing src on script isn't really one of our own frequent use cases, a PR would be welcome.

boutell commented 2 years ago

You could start with a PR containing a failing test.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.