mganss / HtmlSanitizer

Cleans HTML to avoid XSS attacks
MIT License

href's allow inline javascript? #543

Closed wghilliard closed 2 months ago

wghilliard commented 2 months ago

Hey, firstly thank you for all of the effort you put in to maintaining this library.

I think I've discovered a regression but wanted to post here to see if perhaps I'm just misunderstanding something.

In HtmlSanitizer version 7.1.488, the following HTML would be considered unsafe:

<a href='javascript:alert("xss")'>nyan cat</a>

Using something like the following:

HtmlSanitizer sanitizer = new HtmlSanitizer(new HtmlSanitizerOptions()
{
    // ... (other options elided)
    AllowedSchemes = new HashSet<string>() { "http" }
});

However, in version 8.1.860-beta, an AllowedSchemes violation doesn't seem to trigger a corresponding EventHandler?

This produces the following "safe" html:

<a href="javascript:alert(&quot;xss&quot;)">Anything here</a>

What are your thoughts? Am I missing something?

mganss commented 2 months ago

The UriAttributes property needs to include the href attribute. Perhaps it's best to use the default constructor to initialize with the default options and then add/remove entries from AllowedSchemes etc.
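Worked example of the maintainer's answer, added here and not code from the issue or from the HtmlSanitizer project itself. It assumes HtmlSanitizer 8.x (the `Ganss.Xss` namespace) and that the options elided in the report also allowed the `a` tag and the `href` attribute; the `RemovingAttribute` event handler is included as I understand the library's API and should be treated as an assumption.

```csharp
using System;
using System.Collections.Generic;
using Ganss.Xss; // HtmlSanitizer 8.x namespace (assumption: 8.x API)

class Program
{
    // Constructed input, same shape as the one in the issue.
    const string Input = "<a href='javascript:alert(\"xss\")'>nyan cat</a>";

    // Misconfiguration from the issue: AllowedSchemes is set, but UriAttributes is
    // left empty, so "href" is never checked against AllowedSchemes at all.
    // (Assumption: the elided part of the poster's options allowed <a> and href.)
    static string SanitizeWithoutUriAttributes()
    {
        var sanitizer = new HtmlSanitizer(new HtmlSanitizerOptions
        {
            AllowedTags = new HashSet<string> { "a" },
            AllowedAttributes = new HashSet<string> { "href" },
            AllowedSchemes = new HashSet<string> { "http" },
            // UriAttributes not set -> href is treated as a plain attribute
        });
        return sanitizer.Sanitize(Input);
    }

    // Fix suggested by the maintainer: start from the default options (whose
    // UriAttributes already list href, src, ...) and only adjust AllowedSchemes.
    static string SanitizeWithDefaults()
    {
        var sanitizer = new HtmlSanitizer();
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.Add("http");
        // Log each attribute the sanitizer drops, so a rejected scheme is visible.
        sanitizer.RemovingAttribute += (_, e) =>
            Console.WriteLine($"removed {e.Attribute.Name}: {e.Reason}");
        return sanitizer.Sanitize(Input);
    }

    static void Main()
    {
        Console.WriteLine(SanitizeWithoutUriAttributes()); // javascript: href survives
        Console.WriteLine(SanitizeWithDefaults());         // href is removed
    }
}
```

The first call reproduces the reported behaviour; the second shows that once `href` is in `UriAttributes`, the non-allowed `javascript:` scheme causes the attribute to be removed.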

wghilliard commented 2 months ago

Okay, I see. I didn't realize there was a new option, UriAttributes, added. After setting it to the default value my test cases pass.

Thank you for the clarification!