ecosia / vue-safe-html

A Vue directive which renders sanitised HTML dynamically

Allows all tags starting with... #48

Closed nkoehring closed 2 years ago

nkoehring commented 3 years ago

Describe the bug

The regular expression used to sanitize is filtering for everything that starts with allowedTag, optionally followed by something until a closing >. This allows some tags to slip through, for example <blockquote> if only <b> is allowed or even worse <script> if only <s> should be allowed.

To Reproduce

Steps to reproduce the behavior: https://codesandbox.io/s/stoic-field-kbpif?file=/src/index.js

Expected behavior

If a tag is allowed, it should not implicitly allow any other tag.

JBustin commented 2 years ago

Hello

Thanks for sharing the code. @contributors, have you got any idea or plan to fix that?

Regards

nkoehring commented 2 years ago

Hi @JBustin. I haven't been at the company for a while now, so I might remember things wrong. But is it somehow possible to use spaces as an additional delimiter?

The only actually safe way would be using an actual parser though. There are quite a few HTML parser implementations already.

JBustin commented 2 years ago

Thanks @nkoehring for your fast feedback. I have made my own directive based on https://github.com/apostrophecms/sanitize-html to support this case.

LostCrew commented 2 years ago

@nkoehring Fixed in https://github.com/ecosia/vue-safe-html/releases/tag/v2.2.0

nkoehring commented 2 years ago

Nice! I see you're using word boundary (\w) now, which makes sense. The Regular Expression looks a bit crazy now, but great to see it being developed further!
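The "starts with an allowed tag" flaw from the issue and the word-boundary style fix from the last comment, side by side, as an added example that is not vue-safe-html's own code; the allowlist of <b> and <s> and the function names are assumptions:

```javascript
// Added example (not the vue-safe-html source): the weak "starts with" check
// the issue describes, next to a fixed check that requires a full tag name.
// Assumed allowlist, taken from the issue's examples: only <b> and <s>.
const ALLOWED_TAGS = ['b', 's'];

// Matches one tag and captures its body: "b", "s class=\"x\"", "script", ...
const ANY_TAG = /<\/?([^>]+)>/g;

// Weak: the body only has to *begin* with an allowed name, so "script"
// passes because it begins with "s" and "blockquote" because it begins with "b".
function isAllowedWeak(tagBody) {
  const pattern = new RegExp(`^(${ALLOWED_TAGS.join('|')})`, 'i');
  return pattern.test(tagBody);
}

// Fixed: the allowed name must be the whole tag name, i.e. followed by
// whitespace (attributes), a "/" (self-closing) or the end of the body.
// A plain \b would also accept "s-foo", since "-" is not a word character.
function isAllowedFixed(tagBody) {
  const pattern = new RegExp(`^(${ALLOWED_TAGS.join('|')})(?=[\\s/]|$)`, 'i');
  return pattern.test(tagBody);
}

// Drops every tag the check rejects; text content is left untouched.
function sanitise(html, isAllowed) {
  return html.replace(ANY_TAG, (tag, body) => (isAllowed(body) ? tag : ''));
}

// Constructed input: an allowed <s>, plus the two tags named in the issue.
const SAMPLE = '<s>ok</s><script>bad</script><blockquote>quoted</blockquote>';

console.log(sanitise(SAMPLE, isAllowedWeak));  // everything slips through
console.log(sanitise(SAMPLE, isAllowedFixed)); // <s>ok</s>badquoted
```

Both checks are still regex based, so quoted ">" inside attribute values and malformed markup remain outside what they model; that is the reason the thread points to a real HTML parser.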