bevacqua / insane

:pouting_cat: Lean and configurable whitelist-oriented HTML sanitizer
https://ponyfoo.com
MIT License

Crashes under default config when given '<div class>' #16

Closed JoshuaKGoldberg closed 6 months ago

JoshuaKGoldberg commented 4 years ago
insane('<div class>');

You'll get a TypeError: Cannot read property 'split' of undefined in sanitizer.js from:

if (lkey === 'class' && attrsOk.indexOf(lkey) === -1) {
  value = value.split(' ').filter(isValidClass).join(' ').trim();
  valid = value.length;
} else {

This is because value is undefined. I'd suggest the two lines be changed to:

if (value) {
  value = value.split(' ').filter(isValidClass).join(' ').trim()
}
valid = !value || value.length;
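A self-contained reproduction of the failure mode and a guarded version of the same filter, added here as an example; it is not code from the insane library or from the commenter. The attribute parser, the ALLOWED_CLASSES allowlist, the "only class is allowed through" policy and all function names are assumptions made for the demonstration.

```javascript
// Added example, not the insane library's own code. Reproduces the crash on a
// valueless `class` attribute and shows a guarded version of the same filter.

// Assumed allowlist of class names that survive sanitization.
const ALLOWED_CLASSES = new Set(['note', 'warning']);

function isValidClass(cls) {
  return ALLOWED_CLASSES.has(cls);
}

// Minimal attribute parser for a single opening tag. A bare attribute such as
// `<div class>` yields value === undefined, which is the input behind the
// TypeError in the issue. (Assumed helper, not the library's parser.)
function parseAttributes(tag) {
  const inner = tag
    .replace(/^<\s*[a-zA-Z0-9]+\s*/, '')
    .replace(/\s*\/?>$/, '');
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = [];
  let m;
  while ((m = re.exec(inner)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

// Mirrors the original logic: assumes every attribute carries a string value,
// so a bare `class` attribute reaches `undefined.split` and throws.
function filterClassBuggy(value) {
  const filtered = value.split(' ').filter(isValidClass).join(' ').trim();
  return { value: filtered, valid: filtered.length > 0 };
}

// Guarded version. A missing value has nothing to filter; the attribute is
// dropped, which is also what happens when no class survives the allowlist.
function filterClassFixed(value) {
  if (typeof value !== 'string') {
    return { value: undefined, valid: false };
  }
  const filtered = value.split(' ').filter(isValidClass).join(' ').trim();
  return { value: filtered, valid: filtered.length > 0 };
}

// Rebuilds one opening tag keeping only the class attribute (assumed policy:
// class is the only attribute allowed through).
function sanitizeTag(tag, filterClass) {
  const name = tag.match(/^<\s*([a-zA-Z0-9]+)/)[1].toLowerCase();
  const kept = [];
  for (const { name: lkey, value } of parseAttributes(tag)) {
    if (lkey !== 'class') continue;
    const result = filterClass(value);
    if (result.valid) kept.push(`class="${result.value}"`);
  }
  return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
}

console.log(sanitizeTag('<div class="note evil">', filterClassFixed)); // <div class="note">
console.log(sanitizeTag('<div class>', filterClassFixed));             // <div>
```

Calling sanitizeTag('<div class>', filterClassBuggy) throws the TypeError from the report, while filterClassFixed returns a plain <div>. The guard here differs from the suggestion in the comment above in one respect: the suggested `valid = !value || value.length` keeps a bare or fully filtered class attribute, whereas this version drops it, so the sanitizer never emits an empty class="" that a downstream consumer might treat as meaningful. Either choice avoids the crash; the point is that a tokenizer can hand the attribute filter undefined, and the filter must check the type before calling string methods.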
JoshuaKGoldberg commented 3 years ago

Ping @bevacqua, do you still have time to maintain this library? I'd be happy to drop in if needed.

JoshuaKGoldberg commented 6 months ago

Closing out my old issues I no longer have context on. If anybody else is still seeing this, I'd encourage you to file a new issue with more information. Cheers!