microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Allowing img and whitelisting src urls #101

Closed prologic closed 4 years ago

prologic commented 4 years ago

Say I want to allow img elements, but filter the src(s) so only some domains/patterns of image sources are allowed? How would I go about this?

buro9 commented 4 years ago

The readme has a section on links that shows you how to approach this: https://github.com/microcosm-cc/bluemonday#links

p.AllowAttrs("href").Matching(regexp.MustCompile(`(?i)mailto|https?`)).OnElements("a")

But bear in mind that you will have to create your own policy rather than use the built-in policies, as those would permit all safe IMG src values already. Additionally, read the warning on the readme: by applying your own regex there is a risk that you are not handling URI encoding that could be exploited. If your knowledge of valid URIs is comprehensive you should be able to safely craft a regexp to match those.
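
The following Go example is added here as an illustration and is not code from the bluemonday project or from either commenter. It compares three ways of deciding whether an img src value is acceptable: the unanchored `(?i)mailto|https?` pattern quoted above, an anchored host-specific regexp of the kind a custom policy would pass to `.Matching()`, and a function over the parsed `*url.URL` that checks scheme and host after decoding, which is the shape bluemonday's `AllowURLSchemeWithCustomPolicy` expects. The host allowlist (`images.example.com`, `cdn.example.net`) and the sample src values are constructed for this example. The block does not import bluemonday so it runs stand-alone; the wiring into a policy is shown in a comment.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed allowlist of image hosts for this example (assumption, not from the page).
var allowedImageHosts = map[string]bool{
	"images.example.com": true,
	"cdn.example.net":    true,
}

// looseRe is the pattern quoted in the answer above. It is unanchored, so it
// matches an "https" substring anywhere in the value, not only as the scheme.
var looseRe = regexp.MustCompile(`(?i)mailto|https?`)

// imageSrcRe is an anchored, host-specific pattern of the kind one would pass to
// p.AllowAttrs("src").Matching(imageSrcRe).OnElements("img") in a custom policy.
// The trailing "/" stops lookalike hosts such as images.example.com.other.invalid.
var imageSrcRe = regexp.MustCompile(`(?i)^https?://(images\.example\.com|cdn\.example\.net)/`)

// MatchLoose reports whether the unanchored README-style regexp accepts src.
func MatchLoose(src string) bool { return looseRe.MatchString(src) }

// MatchSrcRegexp reports whether the anchored host regexp accepts src.
func MatchSrcRegexp(src string) bool { return imageSrcRe.MatchString(src) }

// AllowImageURL decides on a parsed URL rather than raw text, so scheme and host
// are compared after net/url has normalised and decoded them. This is the
// function shape bluemonday's AllowURLSchemeWithCustomPolicy takes, e.g.
//
//	p := bluemonday.NewPolicy()
//	p.AllowAttrs("src").OnElements("img")
//	p.RequireParseableURLs(true)
//	p.AllowURLSchemeWithCustomPolicy("https", AllowImageURL)
//	p.AllowURLSchemeWithCustomPolicy("http", AllowImageURL)
func AllowImageURL(u *url.URL) bool {
	// Refuse userinfo: "https://images.example.com@other.invalid/" parses with
	// host other.invalid, but a reader of the raw string may see the allowed host.
	if u.User != nil {
		return false
	}
	host := strings.ToLower(u.Hostname())
	return allowedImageHosts[host]
}

// CheckSrc parses src the way a parseable-URL policy would and applies AllowImageURL.
// Relative and protocol-relative values are rejected because they carry no
// trustworthy scheme or host.
func CheckSrc(src string) bool {
	u, err := url.Parse(src)
	if err != nil || !u.IsAbs() {
		return false
	}
	switch u.Scheme { // net/url lowercases the scheme for us
	case "http", "https":
		return AllowImageURL(u)
	}
	return false
}

func main() {
	// Constructed sample src values exercising the differences between the three checks.
	samples := []string{
		"https://images.example.com/a.png",
		"HTTPS://Images.Example.COM/a.png",
		"https://images.example.com.other.invalid/a.png",
		"https://images.example.com@other.invalid/a.png",
		"//other.invalid/x?ref=https://images.example.com/",
		"ftp://cdn.example.net/a.png",
	}
	fmt.Printf("%-52s %-6s %-9s %s\n", "src", "loose", "anchored", "parsed")
	for _, s := range samples {
		fmt.Printf("%-52s %-6v %-9v %v\n", s, MatchLoose(s), MatchSrcRegexp(s), CheckSrc(s))
	}
}
```

Running it prints one row per sample; the loose pattern accepts every value that merely contains "https", while the anchored regexp and the parsed-URL policy reject the lookalike host, the protocol-relative value and the non-HTTP scheme. The parsed-URL policy is the one that survives encoding and case variation without the regexp author having to enumerate them.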

prologic commented 4 years ago

Thank you! I somehow missed that on the README (sorry!) 🙇‍♂️