microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License
3.12k stars, 176 forks

Only adding target="_blank" but not modifying any other HTML #140

Closed ColdHeat closed 2 years ago

ColdHeat commented 2 years ago

I'd like to use bluemonday to apply AddTargetBlankToFullyQualifiedLinks to HTML but not otherwise sanitize or modify any of the HTML even if the HTML is malicious.

This would let me use a policy as a sort of HTML processor.

Is there an existing way to do this?

I think ultimately this is asking: is there a way to create a policy that allows any HTML? I theorized that maybe this could be done by using a permissive regex for AllowElementsMatching and also adding an AllowAttrsMatching.

buro9 commented 2 years ago

There isn't a way to do this using bluemonday, as the nature of it being whitelist-based means that you would have to define a policy that accepted everything, including HTML not yet defined or custom elements given meaning through CSS.

The core of the Sanitize() func can be copied though, and you can then strip out everything that would have sanitised.

Note that even if you do this, it will still escape HTML entities in the resulting HTML, as that is part of the x/html package.