microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

there is a badcase about filter html tags #102

Closed zhaolunallen closed 3 years ago

zhaolunallen commented 4 years ago

```go
package main

import (
	"fmt"

	"github.com/microcosm-cc/bluemonday"
)

func main() {
	p := bluemonday.NewPolicy()
	html := p.Sanitize(
		`<a onblur="alert(secret)" href="http://www.google.com">0<x<2<3</a>`,
	)
	// Output: 0
	// expect 0<x<2<3
	fmt.Println(html)
}
```

buro9 commented 3 years ago

Garbage in > garbage out applies. < isn't HTML, that should be &lt;. As it is not escaped the Go HTML parser believes you've opened another tag, and then it believes you've opened yet another within the other... so everything after the opening tag < is ignored as garbage.
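An added example (not part of this issue thread and not bluemonday's code) that models the tag-open rule buro9 describes and shows the escaping fix, using only the Go standard library: `FirstTagOpener` is an assumed helper that flags a `<` the HTML5 tokenizer would read as a tag start, and `LinkText` builds the issue's anchor with its text escaped; the input strings are constructed from the report above.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// Constructed input: the anchor text from the issue, unescaped.
const rawText = "0<x<2<3"

// tagOpener is a simplified model of the HTML5 tokenizer's tag-open state:
// a '<' followed by an ASCII letter, '/', '!' or '?' starts a tag, while a
// '<' followed by anything else (digit, space, end of input) is emitted as
// literal text. Go's golang.org/x/net/html tokenizer, which bluemonday uses,
// follows the same rule.
var tagOpener = regexp.MustCompile(`<[A-Za-z/!?]`)

// FirstTagOpener returns the byte offset of the first '<' in s that will be
// read as a tag opener, or -1 if every '<' is plain text. Everything after
// such a '<' is consumed as tag name and attributes, which is why a policy
// that does not allow the tag leaves only "0" of the issue's input.
func FirstTagOpener(s string) int {
	loc := tagOpener.FindStringIndex(s)
	if loc == nil {
		return -1
	}
	return loc[0]
}

// AsText escapes user text so that '<', '>', '&' and quotes become entities.
// This is the step that must happen before the text is placed inside markup
// and handed to the sanitizer.
func AsText(s string) string {
	return html.EscapeString(s)
}

// LinkText builds the issue's anchor with its text content escaped. Stripping
// disallowed attributes such as onblur remains the sanitizer policy's job.
func LinkText(href, text string) string {
	return fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(href), AsText(text))
}

func main() {
	fmt.Println(FirstTagOpener(rawText))         // 1: "<x" opens a tag
	fmt.Println(FirstTagOpener(AsText(rawText))) // -1: "0&lt;x&lt;2&lt;3"
	fmt.Println(LinkText("http://www.google.com", rawText))
}
```

Running `FirstTagOpener` over text before composing markup gives a cheap pre-sanitize check that the content will survive the policy rather than be swallowed as a bogus tag.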