Closed ghost closed 1 year ago
Since browsers interpret it correctly I don't regard it as a security issue, but I agree it is not ideal output. It would make more sense for the additional <'s to get escaped or something.
Would you be interested in submitting a PR?
On Tue, May 3, 2022 at 10:09 AM Ilya @.***> wrote:
I found several variants of the library's incorrect behavior. In the examples below, it is possible to add any html tag if any tag is allowed.
Example 1:
const sanitizeHtml = require('sanitize-html');
const sanitizedString = sanitizeHtml('<div/', { allowedTags: ['b'] });
console.log(sanitizedString);
Expected behavior
As a result of the execution I expect to see or an empty line. However, I get
Example 2:
const sanitizeHtml = require('sanitize-html');
const HTMLParser = require('node-html-parser');
const sanitizedString = sanitizeHtml('<b<<div/', { allowedTags: ['b'] });
console.log(sanitizedString); // </b<
// Re-parse the sanitized output and look for a <div>, which was not in allowedTags
const unexpectedDiv = HTMLParser.parse(sanitizedString).querySelector('div');
console.log(unexpectedDiv);
Expected behavior
As a result of the execution I expect to see or an empty line.
However, I get </b<
--
THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER
APOSTROPHECMS | apostrophecms.com | he/him/his

I completely agree with you and it is not a security risk, but in some scenarios it can lead to unexpected results. However, I'm not sure I'm the best candidate for fixing this behavior. I just wanted to share some research.

ghost commented 2 years ago
I found several variants of the library's incorrect behavior. In the examples below, it is possible to add any html tag (closing tag with valid HTML as well as opening tag with invalid HTML) if any tag is allowed.
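The maintainer's suggestion above, escaping any additional '<' that does not form a complete tag so the sanitizer's output cannot be re-parsed into an unexpected element, written out as an added example (not code from sanitize-html or from anyone in this thread). The tag grammar in TAG_RE is a simplified assumption, not the HTML spec, and the sample strings are constructed from the outputs reported in the thread.

```javascript
// Added example (not sanitize-html's own code): post-process sanitizer output so
// that any '<' which does not begin a complete, well-formed tag is escaped to
// '&lt;'. Assumption: a tag is '<', optional '/', a name, optional attributes
// (no '<' or '>' inside), optional '/', then '>'. This is deliberately simplified.
const TAG_RE = /^<\/?[a-zA-Z][a-zA-Z0-9-]*(?:\s+[^<>]*)?\/?>/;

function escapeStrayAngleBrackets(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const ch = html[i];
    if (ch !== '<') {
      out += ch;
      i += 1;
      continue;
    }
    const m = TAG_RE.exec(html.slice(i));
    if (m) {
      // A complete tag: keep it verbatim (the sanitizer has already filtered names).
      out += m[0];
      i += m[0].length;
    } else {
      // An unterminated '<' would be completed by whatever text follows it when a
      // browser re-parses the string, so neutralise it here.
      out += '&lt;';
      i += 1;
    }
  }
  return out;
}

// True when the string still contains a '<' that does not start a complete tag.
function hasStrayAngleBracket(html) {
  return escapeStrayAngleBrackets(html) !== html;
}

// Constructed inputs mirroring the thread: '</b<' is the output reported for
// '<b<<div/', and '<div/' is an unterminated opening tag.
const samples = ['</b<', '<div/', '<b<<div/', '<b>bold</b>'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(escapeStrayAngleBrackets(s)));
}
```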