microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Fix href sanitization bugs #103

Closed fewstera closed 4 years ago

fewstera commented 4 years ago

This PR fixes two issues.

The first issue is that if you have two query params with the same name, only the last param is included in the sanitized result. See the following test case for an example.

    TestLinks: sanitize_test.go:171: test 9 failed;
        input   : <a href="?q=1&q=2">
        output  : <a href="?q=2" rel="nofollow">
        expected: <a href="?q=1&q=2" rel="nofollow">

The second issue this PR fixes is that characters inside the query params are HTML encoded. Take the following query.

?json=%7B%22value%22%3A%22a%22%7D

| key | value |
| --- | --- |
| json | {"value":"a"} |

After sanitization the query becomes the following, which is a bug as the query is no longer valid JSON:

?json=%7B%26%2334%3Bvalue%26%2334%3B%3A%26%2334%3Ba%26%2334%3B%7D

| key | value |
| --- | --- |
| json | {&#34;value&#34;:&#34;a&#34;} |
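
Both defects described above, reproduced beside a corrected round-trip, as an added Go example (a constructed illustration, not bluemonday's code or this PR's patch); `safeQuery`, `buggyQuery` and `checkRoundTrip` are assumed names, and `checkRoundTrip` is the regression check a sanitizer test suite could add for this class of bug:

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"reflect"
	"strings"
)

// safeQuery re-encodes an href's query the way the PR expects: url.Values
// keeps every value of a repeated key as an ordered slice, and Encode applies
// percent-encoding only. Caveat: Encode sorts distinct keys alphabetically.
func safeQuery(raw string) (string, error) {
	values, err := url.ParseQuery(strings.TrimPrefix(raw, "?"))
	if err != nil {
		return "", err
	}
	return "?" + values.Encode(), nil
}

// buggyQuery reproduces both defects (constructed illustration, not
// bluemonday's code): Set keeps only the last value per key, and
// html.EscapeString runs inside the URL, so '"' becomes &#34; -> %26%2334%3B.
func buggyQuery(raw string) (string, error) {
	values, err := url.ParseQuery(strings.TrimPrefix(raw, "?"))
	if err != nil {
		return "", err
	}
	rebuilt := url.Values{}
	for key, vals := range values {
		rebuilt.Set(key, html.EscapeString(vals[len(vals)-1])) // wrong layer
	}
	return "?" + rebuilt.Encode(), nil
}

// checkRoundTrip is the regression check a sanitizer test can run: the
// sanitized query must decode to exactly the same keys and values as the input.
func checkRoundTrip(raw string, sanitize func(string) (string, error)) bool {
	got, err := sanitize(raw)
	if err != nil {
		return false
	}
	before, _ := url.ParseQuery(strings.TrimPrefix(raw, "?"))
	after, _ := url.ParseQuery(strings.TrimPrefix(got, "?"))
	return reflect.DeepEqual(before, after)
}

func main() {
	q := "?json=%7B%22value%22%3A%22a%22%7D"
	fmt.Println(checkRoundTrip(q, buggyQuery), checkRoundTrip(q, safeQuery)) // false true
}
```
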

buro9 commented 4 years ago

This is a nice catch, and a great PR. Thanks 👍

fewstera commented 4 years ago

Thank you for the quick review & merge @buro9.

Do you mind releasing a new version with this fix too please?

buro9 commented 4 years ago

Published