Closed dmitshur closed 10 years ago
This is resolved by https://github.com/microcosm-cc/bluemonday/commit/e5dc5729273710c9747856d55005c7c250c4e767
I have added a test for the examples provided as well as providing a test suite for all regular expressions that we ship.
Thanks for fixing it so promptly!
Hi @buro9,
I think there's a bug in bluemonday. According to your comment,
I've added tests for that and noticed they failed.
I tried using bluemonday directly, and saw behavior counter to what you suggested. All three `class="foo bar bash"`, `class="javascript:alert(123)"`, and `class="><script src='http://hackers.org/XSS.js'></script>"` were passed through, without failing and being stripped.

Looking at the code, the reason is clear. The regex doesn't have `^` at the front nor `$` at the end, so it matches any substring. That's why `<span class="javascript:alert(123)">there</span>` is not stripped, but `<span class=":::::">there</span>` is stripped as expected.

How to fix that... I leave to you (there's more than one way, and I'm not a fan of regexes).
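The substring-match behaviour described in the issue, reproduced in Go as an added example that is not part of the original thread and not bluemonday's own code. The pattern `[a-zA-Z0-9\s,\-_]+` is an assumed stand-in for the class-attribute regex (the real pattern is not shown on this page); `AllowedUnanchored`, `AllowedAnchored` and `SanitizeSpan` are names introduced here for illustration. It runs the three attribute values from the issue plus `:::::` through the unanchored check and the `^...$`-anchored one, which is one of the fixes the reporter alludes to.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed stand-in for the class-attribute pattern discussed in the issue
// (not bluemonday's actual regex): letters, digits, whitespace, comma,
// hyphen and underscore.
const classPattern = `[a-zA-Z0-9\s,\-_]+`

// unanchored reproduces the bug: with no ^ and $, MatchString succeeds as
// soon as ANY substring of the value fits the pattern, so "javascript" inside
// "javascript:alert(123)" is enough to pass.
var unanchored = regexp.MustCompile(classPattern)

// anchored is the fix: the entire attribute value must fit the pattern.
var anchored = regexp.MustCompile(`^` + classPattern + `$`)

// AllowedUnanchored reports whether the buggy (substring) check accepts v.
func AllowedUnanchored(v string) bool { return unanchored.MatchString(v) }

// AllowedAnchored reports whether the whole-value check accepts v.
func AllowedAnchored(v string) bool { return anchored.MatchString(v) }

// SanitizeSpan is a crude stand-in for an attribute policy, constructed for
// this example: it keeps class="..." on a <span> only if allow accepts the
// value, otherwise the attribute is dropped. The value is written back
// verbatim, which is exactly why an unanchored check is dangerous.
func SanitizeSpan(class string, allow func(string) bool) string {
	if allow(class) {
		return `<span class="` + class + `">there</span>`
	}
	return "<span>there</span>"
}

func main() {
	// Constructed inputs: the three values from the issue plus the one the
	// reporter saw being stripped.
	cases := []string{
		"foo bar bash",
		"javascript:alert(123)",
		"><script src='http://hackers.org/XSS.js'></script>",
		":::::",
	}
	for _, c := range cases {
		fmt.Printf("%-55q unanchored=%-5v anchored=%v\n",
			c, AllowedUnanchored(c), AllowedAnchored(c))
	}
	fmt.Println(SanitizeSpan("javascript:alert(123)", AllowedUnanchored))
	fmt.Println(SanitizeSpan("javascript:alert(123)", AllowedAnchored))
}
```

Go's `regexp` (RE2) never anchors implicitly, so a whitelist regex used for a whole attribute value needs explicit anchors; `\A` and `\z` work as well as `^` and `$` and avoid any surprise if multi-line mode is ever turned on. The same check belongs in a table-driven test over every shipped pattern, which is what the closing comment says was added.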