microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Resolves #111 carefully escape tag names #112

Closed buro9 closed 3 years ago

buro9 commented 3 years ago

A regression of #56 occurred in which the use of ToLower allowed a Cyrillic upper-case I to be sanitised to a standard ASCII i and this would then permit SCRIPT tags to be injected.
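As an added example (not bluemonday's code and not the change this PR made), the Go program below shows the general hazard behind the regression the comment describes: Unicode-aware lowercasing can map a non-ASCII code point onto an ASCII letter, so a tag name that a policy compares after `strings.ToLower` is not the name that was actually present in the input. The Kelvin sign U+212A, which Go lowercases to ASCII `k`, is used here as a constructed stand-in for the character in the report; the allow-list contents and the helper names are assumptions. The defensive pattern is to refuse any tag name that is not already plain ASCII before lowercasing it ASCII-only, so the policy only ever decides on bytes it will also emit.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiLower lowercases only A-Z and leaves every other byte untouched, so a
// non-ASCII code point can never be folded onto an ASCII letter.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// isASCIIAlnum reports whether s is non-empty and consists solely of ASCII
// letters and digits, the only shape of tag name the strict policy will look up.
func isASCIIAlnum(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		isLetter := ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z')
		isDigit := '0' <= c && c <= '9'
		if !isLetter && !isDigit {
			return false
		}
	}
	return true
}

// foldsOntoASCII reports whether Unicode lowercasing turns a name that is not
// pure ASCII into a pure-ASCII string: the situation the regression describes.
func foldsOntoASCII(name string) bool {
	return !isASCIIAlnum(name) && isASCIIAlnum(strings.ToLower(name))
}

// allowed is a constructed allow-list standing in for a sanitizer policy
// (assumption: not bluemonday's actual policy).
var allowed = map[string]bool{"b": true, "i": true, "p": true, "kbd": true}

// naiveDecision mirrors the risky pattern: Unicode-lowercase, then look up.
// The policy may approve a name it never actually saw in the input.
func naiveDecision(name string) string {
	if allowed[strings.ToLower(name)] {
		return "keep"
	}
	return "drop"
}

// strictDecision first insists the raw name is ASCII alphanumeric, then
// lowercases ASCII-only; anything else is dropped without consulting the list.
func strictDecision(name string) string {
	if !isASCIIAlnum(name) {
		return "drop"
	}
	if allowed[asciiLower(name)] {
		return "keep"
	}
	return "drop"
}

func main() {
	// "\u212Abd" is the constructed spoof: Kelvin sign followed by "bd".
	for _, name := range []string{"KBD", "\u212Abd", "SCRIPT"} {
		fmt.Printf("%-8q ToLower=%-6q foldsOntoASCII=%-5v naive=%s strict=%s\n",
			name, strings.ToLower(name), foldsOntoASCII(name),
			naiveDecision(name), strictDecision(name))
	}
}
```

The naive path keeps `"\u212Abd"` because `strings.ToLower` rewrites it to `kbd`, while the strict path drops it because the raw bytes are not ASCII; `KBD` and `SCRIPT` are decided identically by both. Rejecting non-ASCII names up front also sidesteps `strings.EqualFold`, which applies the same Unicode simple folding.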