Closed fewstera closed 4 years ago
This PR fixes two issues.
The first issue is that if you have two query params with the same name, only the last param is included in the sanitized result. See the following test case for an example.
TestLinks: sanitize_test.go:171: test 9 failed; input : <a href="?q=1&q=2"> output : <a href="?q=2" rel="nofollow"> expected: <a href="?q=1&q=2" rel="nofollow">
The second issue this PR fixes is that characters inside the query params are HTML encoded. Take the following query.
?json=%7B%22value%22%3A%22a%22%7D
After sanitization the query becomes the following, which is a bug as the query is no longer valid JSON:
?json=%7B%26%2334%3Bvalue%26%2334%3B%3A%26%2334%3Ba%26%2334%3B%7D
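As an added example (not code from this PR or from the project's sanitizer), the two defects described above reconstructed in Go beside the corrected handling: `buggyRebuildQuery` is a constructed illustration that reproduces the reported output, `fixedRebuildQuery` keeps every value and only percent-encodes, and `queryPreserved` is the round-trip check a sanitizer's tests can assert on. All three function names are my own.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"reflect"
)

// buggyRebuildQuery reproduces the two defects the PR describes (a constructed
// reconstruction, not the project's real code): it keeps only the last value
// of a repeated key, and it HTML-escapes values before percent-encoding them.
func buggyRebuildQuery(rawQuery string) string {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return ""
	}
	collapsed := url.Values{}
	for k, vs := range values {
		// Last value wins, so q=1&q=2 collapses to q=2. html.EscapeString turns
		// `"` into &#34;, which Encode then percent-encodes as %26%2334%3B.
		collapsed.Set(k, html.EscapeString(vs[len(vs)-1]))
	}
	return collapsed.Encode()
}

// fixedRebuildQuery keeps every value of every key and only percent-encodes,
// so decoding the result yields exactly the original parameters.
func fixedRebuildQuery(rawQuery string) string {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return ""
	}
	return values.Encode() // sorted keys, values in their original order
}

// queryPreserved is the property a URL sanitizer should keep: the decoded
// parameters are identical before and after the query is rebuilt.
func queryPreserved(rawQuery, rebuilt string) bool {
	before, err1 := url.ParseQuery(rawQuery)
	after, err2 := url.ParseQuery(rebuilt)
	return err1 == nil && err2 == nil && reflect.DeepEqual(before, after)
}

func main() {
	for _, q := range []string{"q=1&q=2", "json=%7B%22value%22%3A%22a%22%7D"} {
		fmt.Println(buggyRebuildQuery(q), "->", fixedRebuildQuery(q), queryPreserved(q, fixedRebuildQuery(q)))
	}
}
```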
This is a nice catch, and a great PR. Thanks 👍
Thank you for the quick review & merge @buro9.
Do you mind releasing a new version with this fix too please?
Published