Closed zhaolunallen closed 3 years ago
Garbage in > garbage out applies. `<x<2<3` isn't HTML, that should be `&lt;x&lt;2&lt;3`. As it is not escaped the Go HTML parser believes you've opened another tag, and then it believes you've opened yet another within the other... so everything after the opening tag `<x` is ignored as garbage.
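The tokenizer behaviour the comment describes can be seen with a small model of the HTML5 "tag open" rule: a `<` followed by an ASCII letter (or `/`, `!`, `?`) starts a tag, and that tag then swallows everything up to the next `>`, further `<` characters included; a `<` followed by anything else (a digit, a space) stays ordinary text. The code below is an added illustration written for this page, not bluemonday's or golang.org/x/net/html's implementation; `SplitTextAndMarkup` and `SafeText` are hypothetical helper names, and quoted attribute values containing `>` are deliberately not modelled.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// startsMarkup reports whether a '<' at index i opens markup under the
// HTML5 tag-open rule: '<' followed by an ASCII letter, '/', '!' or '?'
// is markup; any other '<' (digit, space, end of input) is plain text.
func startsMarkup(s string, i int) bool {
	if i+1 >= len(s) {
		return false
	}
	c := s[i+1]
	switch {
	case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z':
		return true
	case c == '/', c == '!', c == '?':
		return true
	}
	return false
}

// SplitTextAndMarkup is a teaching model (not a real tokenizer) of how an
// HTML parser divides input into text and markup tokens. Once a '<' opens
// markup, everything up to the next '>' belongs to that single token,
// including any further '<' characters; an unterminated tag eats the rest
// of the input. Attribute values containing '>' are not modelled.
func SplitTextAndMarkup(s string) (text string, markup []string) {
	var b strings.Builder
	for i := 0; i < len(s); {
		if s[i] == '<' && startsMarkup(s, i) {
			end := strings.IndexByte(s[i:], '>')
			if end < 0 {
				markup = append(markup, s[i:]) // unterminated tag: rest is swallowed
				break
			}
			markup = append(markup, s[i:i+end+1])
			i += end + 1
			continue
		}
		b.WriteByte(s[i])
		i++
	}
	return b.String(), markup
}

// SafeText escapes untrusted plain text so that a sanitizer (or a browser)
// treats every '<' as text rather than as the start of a tag. Escaping
// belongs on the producer side, before the string is handed to the
// sanitizer: the sanitizer's input is HTML by definition.
func SafeText(untrusted string) string {
	return html.EscapeString(untrusted)
}

func main() {
	// Constructed inputs mirroring the issue's example.
	raw := `<a href="http://www.google.com">0<x<2<3</a>`
	text, markup := SplitTextAndMarkup(raw)
	fmt.Printf("raw:     text=%q markup=%q\n", text, markup)

	escaped := `<a href="http://www.google.com">` + SafeText("0<x<2<3") + `</a>`
	text, markup = SplitTextAndMarkup(escaped)
	fmt.Printf("escaped: text=%q markup=%q\n", text, markup)
	fmt.Printf("decoded: %q\n", html.UnescapeString(text))

	// '<' followed by a digit or a space is never a tag, so this survives as-is.
	text, markup = SplitTextAndMarkup("2<3 and 0 < x")
	fmt.Printf("no-tag:  text=%q markup=%q\n", text, markup)
}
```

Run against the issue's input, the raw form yields the text `0` and two markup tokens, the second being the whole of `<x<2<3</a>`, which is exactly why the sanitizer returned `0`; the escaped form keeps `0&lt;x&lt;2&lt;3` as text, and the `2<3 and 0 < x` case shows that only the `<x` (letter after `<`) opened a tag.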
```go
package main

import (
	"fmt"

	"github.com/microcosm-cc/bluemonday"
)

func main() {
	p := bluemonday.NewPolicy()
	html := p.Sanitize(
		`<a onblur="alert(secret)" href="http://www.google.com">0<x<2<3</a>`,
	)

	// Output: 0
	// expect 0<x<2<3
	fmt.Println(html)
}
```