microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

multiple matching global matchers can cause duplicated attributes #208

Closed rmmh closed 1 week ago

rmmh commented 1 month ago
    package main
    import "fmt"
    import "regexp"
    import "github.com/microcosm-cc/bluemonday"
    func main() {
        p := bluemonday.NewPolicy()
        p.AllowElements("span")
        // extracted from p.AllowStandardAttributes()
        p.AllowAttrs("title").Matching(bluemonday.Paragraph).Globally()
        p.AllowAttrs("title").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).Globally()
        fmt.Println(p.Sanitize(`<span title="a">b</span>`))
    }

Surprisingly, this outputs <span title="a" title="a">b</span>. Changing the second AllowAttrs to end with .MatchElements("span") fixes it.
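To show the mechanism behind the report, here is an added, simplified Go model of a sanitizer that loops over the global matchers registered for an attribute name; it is not bluemonday's own code. The buggy loop appends the attribute once per accepting matcher (reproducing the duplicate), the fixed loop stops at the first match and tracks names already emitted. The names attr, globalPolicy, sanitizeAttrsBuggy, sanitizeAttrsFixed and titlePolicy are hypothetical, and the two anchored regexps are constructed stand-ins for the reproducer's two Globally() title rules.

```go
package main

import "regexp"

// attr is one parsed HTML attribute; globalPolicy maps an attribute name to
// the regexps that may allow it on any element. Both are a simplified model
// of the Globally() rules, not bluemonday's own types.
type attr struct{ Key, Val string }
type globalPolicy map[string][]*regexp.Regexp

// sanitizeAttrsBuggy models the reported behaviour: each accepting global
// matcher appends the attribute, so two matchers emit title="a" twice.
func sanitizeAttrsBuggy(attrs []attr, pol globalPolicy) []attr {
	var out []attr
	for _, a := range attrs {
		for _, re := range pol[a.Key] {
			if re.MatchString(a.Val) {
				out = append(out, a)
			}
		}
	}
	return out
}

// sanitizeAttrsFixed stops at the first accepting matcher and remembers names
// already emitted, so each attribute name appears at most once per element.
func sanitizeAttrsFixed(attrs []attr, pol globalPolicy) []attr {
	var out []attr
	seen := map[string]bool{}
	for _, a := range attrs {
		if seen[a.Key] {
			continue // repeated name in the input: keep only the first copy
		}
		for _, re := range pol[a.Key] {
			if re.MatchString(a.Val) {
				out = append(out, a)
				seen[a.Key] = true
				break
			}
		}
	}
	return out
}

// titlePolicy mirrors the reproducer's two Globally() rules for title with two
// constructed anchored regexps that both accept the value "a".
var titlePolicy = globalPolicy{"title": {regexp.MustCompile(`^[a-z]*$`), regexp.MustCompile(`^[\p{L}\p{N}\s]*$`)}}
```

With the input attribute title="a", sanitizeAttrsBuggy returns two copies and sanitizeAttrsFixed returns one; a value neither matcher accepts, or a name with no global rule, is dropped by both.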

FiloSottile commented 1 week ago

Thank you for the clear reproducer!