Closed LolliDepp closed 3 years ago

With the `KeepChildNodes` flag set to `true`, the following string:

\n<img<svg><script><img onerror=alert(document.domain) src\n\n<div><br></div>

gets sanitised to:

\n<img onerror=alert(document.domain) src\n\n<div><br></div>

Even with the `KeepChildNodes` flag set to `true` I'd expect the onerror to be sanitised, but maybe that's just a misunderstanding of the capabilities of the library. Setting `KeepChildNodes` to `false` results in the string\n

Are you sure that's the result? I'm getting

\n<img onerror=alert(document.domain) src\n\n<div><br></div>

The parser sees an element whose name is `img<svg` which has a `script` child element which in turn has no children but the text content `<script><img onerror=alert(document.domain) src\n\n<div><br></div></script>`.

I see, I missed an `HtmlDecode` call - the current behaviour makes perfect sense. Thanks for the answer.
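The tokenisation the maintainer describes, as an added example that is not part of this thread or of the sanitiser library under discussion: a minimal Python model of the HTML tag-name and raw-text rules, a toy allow-list sanitiser whose `keep_child_nodes` switch stands in for `KeepChildNodes`, and the extra decode step the reporter mentions. The allow-list, the function names, the attribute-free serialisation and the sample string (written with real newlines where the issue shows `\n`) are assumptions of the demo.

```python
import html
import re

# Constructed input: the string quoted in the issue, "\n" escapes made real.
SAMPLE = ('<img<svg><script><img onerror=alert(document.domain) src'
          '\n\n<div><br></div>')
ALLOWED = {"div", "br", "img"}  # hypothetical allow-list for this demo
RAW_TEXT = {"script", "style"}  # content is text, never parsed as markup
# The HTML tag-name state ends only at whitespace, '/', '>' or EOF, so '<' is
# a legal character inside a tag name: '<img<svg>' is one tag named 'img<svg'.
START = re.compile(r'<([A-Za-z][^\t\n\f />]*)[^>]*>')
END = re.compile(r'</([A-Za-z][^\t\n\f />]*)[^>]*>')

def tokenize(markup):
    # Minimal tokenizer; attributes are ignored, which this demo never needs.
    tokens, i = [], 0
    while i < len(markup):
        m = START.match(markup, i) or END.match(markup, i)
        if m:
            name = m.group(1).lower()
            kind = "end" if markup[i + 1] == "/" else "start"
            tokens.append((kind, name))
            i = m.end()
            if kind == "start" and name in RAW_TEXT:
                # raw text runs to the matching end tag or, as here, to EOF
                close = re.search(r'</%s[^>]*>' % re.escape(name), markup[i:], re.I)
                stop = i + close.start() if close else len(markup)
                tokens += [("text", markup[i:stop]), ("end", name)]
                i = i + close.end() if close else len(markup)
            continue
        nxt = markup.find("<", i + 1)
        stop = len(markup) if nxt == -1 else nxt
        tokens.append(("text", html.unescape(markup[i:stop])))  # decode refs
        i = stop
    return tokens

def sanitize(markup, keep_child_nodes=True):
    """Drop disallowed elements; with keep_child_nodes their children survive.
    Text is re-serialised entity-escaped, as any HTML serialiser does."""
    out, skip = [], 0
    for kind, value in tokenize(markup):
        if skip == 0 and kind == "text":
            out.append(html.escape(value, quote=False))
        elif skip == 0 and kind != "text" and value in ALLOWED:
            out.append(("<%s>" if kind == "start" else "</%s>") % value)
        elif kind != "text" and value not in ALLOWED and not keep_child_nodes:
            skip = skip + 1 if kind == "start" else max(0, skip - 1)
    return "".join(out)

def decode_again(markup):
    # The reporter's extra HtmlDecode: undoing the escaping re-creates markup.
    return html.unescape(sanitize(markup))
```

Because `onerror` only ever exists as text inside the `script` element, the sanitiser's output contains `&lt;img onerror=...` rather than an element; it is the later `HtmlDecode` that turns that text back into markup, so a check on sanitised output should inspect it before any decoding.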