microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

How to avoid escaping attributes when they have been allowed #139

Closed madneal closed 2 years ago

madneal commented 2 years ago

For an HTML string

`<p style="white-space: pre-wrap;"><span style="background-image: url('aaaaaaa')"></span></p>`

If I use the policy

p := bluemonday.UGCPolicy()
p.AllowAttrs("style").OnElements("span", "p")

But the apostrophe in the url value is still escaped. Is there any way to avoid it being escaped?


buro9 commented 2 years ago

There is no way to avoid this, but it's also not an issue. A browser correctly parses the escaped output and the HTML is interpreted correctly and shown.

I've written a test case that uses a data-uri background image and it works fine in the two browsers I have at hand (Firefox and Chrome).
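The round trip behind the reply above, as an added example that is not part of the issue thread or of bluemonday's own code. It assumes the sanitizer re-serializes attribute values with the same character references Go's html.EscapeString emits (`'` becomes `&#39;`), which is what the reporter observed; the value and the attribute reader are constructed for the example. The reader mirrors what a browser does with a double-quoted attribute: read up to the closing quote, then decode character references, so the escaped form decodes back to the original CSS. The unescaped contrast shows why the escaping is there at all: a quote inside an unescaped value ends the attribute early.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// serializeStyleAttr renders a style attribute the way a sanitizer that
// passes attribute values through html.EscapeString would: ', ", <, > and &
// become character references. That bluemonday uses exactly this set is an
// assumption of this example, consistent with the &#39; the reporter saw.
func serializeStyleAttr(value string) string {
	return `style="` + html.EscapeString(value) + `"`
}

// naiveStyleAttr writes the value with no escaping at all. It is here only
// to contrast with serializeStyleAttr; no sanitizer should do this.
func naiveStyleAttr(value string) string {
	return `style="` + value + `"`
}

// attrRe picks the double-quoted style attribute value out of a tag: the
// value is everything up to the next double quote, as a browser reads it.
var attrRe = regexp.MustCompile(`style="([^"]*)"`)

// readStyleAttr extracts the style attribute value and decodes character
// references, which is what an HTML parser does for attribute values.
// It returns "" when no style attribute is present.
func readStyleAttr(tag string) string {
	m := attrRe.FindStringSubmatch(tag)
	if m == nil {
		return ""
	}
	return html.UnescapeString(m[1])
}

func main() {
	// Constructed input: the CSS from the issue, with single quotes.
	single := "background-image: url('aaaaaaa')"
	tag := serializeStyleAttr(single)
	fmt.Println(tag)                           // apostrophes appear as &#39;
	fmt.Println(readStyleAttr(tag) == single)  // parser recovers the original

	// Constructed input with double quotes, where escaping actually matters.
	double := `background-image: url("a")`
	fmt.Printf("%q\n", readStyleAttr(naiveStyleAttr(double)))     // truncated at the first "
	fmt.Printf("%q\n", readStyleAttr(serializeStyleAttr(double))) // intact
}
```

Run with `go run main.go`; the escaped attribute decodes to exactly the CSS that went in, while the unescaped version of a value containing a double quote loses everything after that quote, which is the attribute-boundary problem the escaping prevents.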