kennygrant / sanitize

Package sanitize provides functions for sanitizing text in golang strings.
BSD 3-Clause "New" or "Revised" License

sanitize.HTMLAllowing() breaks when encountering a self-closing iframe tag #27

Open dy-dx opened 5 years ago

dy-dx commented 5 years ago
```go
package main

import (
    "fmt"

    "github.com/kennygrant/sanitize"
)

func main() {
    input1 := `<iframe></iframe><script>alert('uh oh');</script><p>hello</p>`
    input2 := `<iframe /><script>alert('uh oh');</script><p>hello</p>`

    allowedTags := []string{"p"}

    output1, _ := sanitize.HTMLAllowing(input1, allowedTags)
    fmt.Println(output1) // <p>hello</p>

    output2, _ := sanitize.HTMLAllowing(input2, allowedTags)
    fmt.Println(output2) // &lt;script&gt;alert(&#39;uh oh&#39;);&lt;/script&gt;&lt;p&gt;hello&lt;/p&gt;
}
```
kennygrant commented 5 years ago

Thanks. I assume the expected output in both cases is:

<p>hello</p>

Because it should be removing both the iframe and the script tags, but instead doesn't remove them and ends up escaping them instead? So it's over-escaping here and you end up with all the escaped html in output2 rather than just the expected paragraph.

Is that a fair summary?

dy-dx commented 5 years ago

Yes, that's exactly right.
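The behaviour agreed on above, a disallowed tag must be dropped whether it is written `<iframe></iframe>` or `<iframe />`, and the allowed `<p>` must survive unescaped, can be checked with a small standard-library-only allowlist sanitizer. The code below is an added illustration written for this thread; it is not the sanitize package's implementation and does not reproduce its internals. The `dropContent` set, the `Sanitize` and `parseTag` names, and the decision to strip all attributes are assumptions made for the example. The point it demonstrates is that a self-closing form of a content-dropping element has no content, so it must be discarded on the spot rather than putting the scanner into a "skip until the closing tag" state that swallows or escapes everything that follows.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// dropContent lists elements whose text content is code rather than prose and is
// removed together with the tag. Constructed for this example, not the library's list.
var dropContent = map[string]bool{"script": true, "style": true, "iframe": true}

// parseTag takes the text between '<' and '>' and reports the lower-cased tag name,
// whether it is a closing tag, and whether it uses the self-closing "<name />" form.
func parseTag(inner string) (name string, isClose, selfClosing bool) {
	inner = strings.TrimSpace(inner)
	if strings.HasPrefix(inner, "/") {
		isClose = true
		inner = strings.TrimSpace(inner[1:])
	}
	if strings.HasSuffix(inner, "/") {
		selfClosing = true
		inner = strings.TrimSpace(strings.TrimSuffix(inner, "/"))
	}
	end := strings.IndexAny(inner, " \t\r\n/")
	if end == -1 {
		end = len(inner)
	}
	name = strings.ToLower(inner[:end])
	return name, isClose, selfClosing
}

// Sanitize keeps only tags named in allowed (attributes stripped), drops every other
// tag, drops the content of dropContent elements, and HTML-escapes all remaining text.
func Sanitize(input string, allowed []string) string {
	allow := map[string]bool{}
	for _, t := range allowed {
		allow[strings.ToLower(t)] = true
	}
	var out strings.Builder
	skipUntil := "" // non-empty while inside an element whose content is being dropped
	for i := 0; i < len(input); {
		if input[i] != '<' {
			// text node up to the next '<' (or end of input)
			j := strings.IndexByte(input[i:], '<')
			if j == -1 {
				j = len(input) - i
			}
			if skipUntil == "" {
				out.WriteString(html.EscapeString(input[i : i+j]))
			}
			i += j
			continue
		}
		j := strings.IndexByte(input[i:], '>')
		if j == -1 {
			// unterminated tag: treat the rest as text and escape it, never emit it raw
			if skipUntil == "" {
				out.WriteString(html.EscapeString(input[i:]))
			}
			break
		}
		name, isClose, selfClosing := parseTag(input[i+1 : i+j])
		i += j + 1
		if skipUntil != "" {
			// only the matching closing tag ends the skipped region
			if isClose && name == skipUntil {
				skipUntil = ""
			}
			continue
		}
		switch {
		case allow[name]:
			if isClose {
				out.WriteString("</" + name + ">")
			} else {
				out.WriteString("<" + name + ">")
				if selfClosing {
					out.WriteString("</" + name + ">")
				}
			}
		case dropContent[name] && !isClose && !selfClosing:
			// an opening tag starts a skip; "<iframe />" has no content and is simply dropped
			skipUntil = name
		}
	}
	return out.String()
}

func main() {
	allowed := []string{"p"}
	fmt.Println(Sanitize(`<iframe></iframe><script>alert('uh oh');</script><p>hello</p>`, allowed))
	fmt.Println(Sanitize(`<iframe /><script>alert('uh oh');</script><p>hello</p>`, allowed))
}
```

Both calls print `<p>hello</p>`, matching the expected output in the summary above. Because the scanner is hand-rolled it does not distinguish void elements (an allowed `<br/>` becomes `<br></br>`) and it does not validate attributes; the regression cases worth keeping from this issue are the paired and self-closing spellings of every content-dropping element, plus an unclosed `<script>`, which must yield nothing rather than leak its body as text.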