Closed xemlock closed 5 years ago
Consider the following script:
```php
<?php
require './vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
// Only scripts whose src is exactly on this whitelist should be allowed through.
$config->set('HTML.SafeScripting', array('https://localhost/foo.js'));

$purifier = new HTMLPurifier($config);
// bar.js is NOT on the whitelist, so the whole element should be dropped.
echo $purifier->purify('<script type="text/javascript" src="https://localhost/bar.js">FOO</script>');
```
I believe the whole `<script>` tag, together with its text content, should be removed as invalid, because the `src` attribute isn't included on the whitelist.
Instead, the `<script>` contents are inserted as-is, resulting in the following output:

```
FOO
```
Tested with HTMLPurifier 4.10.0, 4.9.3, 4.8.0.
I've just realized it's a duplicate of #198.