mganss / HtmlSanitizer

Cleans HTML to avoid XSS attacks
MIT License

Demo uses old version #428

Closed glen-84 closed 1 year ago

glen-84 commented 1 year ago

The demo is using version 6.0.409.0, whereas the latest version is 8.0.645.

mganss commented 1 year ago

Fixed

glen-84 commented 1 year ago

@mganss

Where can I find the source code for the demo?

For some reason my code is stripping out the style attribute in this input:

<img src="test.png" style="background-image: url(javascript:alert('xss')); margin: 10px">

But it doesn't happen with the demo, so I want to compare the configurations.

glen-84 commented 1 year ago

Ah, never mind, I just noticed this in a doc comment:

Sanitizes the specified parsed HTML body fragment. If the document has not been parsed with CSS support then all styles will be removed.
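The behaviour in that doc comment, as an added example that is not part of the thread or the project's own code: the same input is parsed once without and once with CSS support, then passed to `SanitizeDom`. It assumes the `HtmlSanitizer` NuGet package (namespace `Ganss.Xss`) with its AngleSharp and AngleSharp.Css dependencies; the class and method names `StyleDemo` and `SanitizeWith` are hypothetical.

```csharp
using System;
using AngleSharp;
using AngleSharp.Html.Parser;
using Ganss.Xss;

class StyleDemo
{
    // Input quoted in the thread above.
    const string Input =
        "<img src=\"test.png\" style=\"background-image: url(javascript:alert('xss')); margin: 10px\">";

    // Parse with the supplied parser, sanitize the parsed body in place,
    // and return the serialized result.
    static string SanitizeWith(HtmlParser parser)
    {
        var document = parser.ParseDocument("<html><body>" + Input);
        var sanitizer = new HtmlSanitizer();

        // SanitizeDom works on an already parsed document. Whether inline
        // styles can be inspected depends on how that document was parsed.
        sanitizer.SanitizeDom(document, document.Body);
        return document.Body!.InnerHtml;
    }

    static void Main()
    {
        // 1. Default AngleSharp parser: no CSS support, so the sanitizer
        //    cannot read the style declarations and removes the attribute.
        var plainParser = new HtmlParser();

        // 2. Parser bound to a browsing context configured with CSS support
        //    (WithCss comes from AngleSharp.Css): each declaration is
        //    checked individually instead of the attribute being dropped.
        var cssContext = BrowsingContext.New(Configuration.Default.WithCss());
        var cssParser = new HtmlParser(new HtmlParserOptions(), cssContext);

        Console.WriteLine("Without CSS support: " + SanitizeWith(plainParser));
        Console.WriteLine("With CSS support:    " + SanitizeWith(cssParser));
    }
}
```

Comparing the two printed lines shows whether a missing `style` attribute comes from the sanitizer's rules or from the parser configuration.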