microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Resolves #54 by removing AllowDocType functionality #55

Closed (grafana-dee closed this 6 years ago)

grafana-dee commented 6 years ago

The doctype is not sanitized and cannot be, and this allows unsafe content to be inserted into the output by encoding it within a doctype attribute. The only safe way to handle this quickly is not to permit the doctype.
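To illustrate the mitigation the PR settles on (refusing the doctype rather than trying to clean it), here is a small stdlib-only Go helper that drops every doctype declaration from an input string. It is an added example written for this page, not bluemonday's own code; `DropDoctypes` and `indexFold` are hypothetical names, and the inputs in `main` are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// DropDoctypes removes every "<!DOCTYPE ...>" declaration from s.
// A declaration runs from "<!doctype" (any letter case) to the first
// '>', which is how an HTML5 tokenizer delimits the doctype token, so
// anything an attacker places inside it is discarded rather than
// passed through. A declaration with no closing '>' swallows the rest
// of the input, matching tokenizer behaviour at end of input.
// Hypothetical helper written for this example; not bluemonday code.
func DropDoctypes(s string) string {
	const marker = "<!doctype"
	var out strings.Builder
	for {
		i := indexFold(s, marker)
		if i < 0 {
			out.WriteString(s)
			return out.String()
		}
		out.WriteString(s[:i])
		end := strings.IndexByte(s[i:], '>')
		if end < 0 {
			return out.String() // unterminated doctype: drop to end of input
		}
		s = s[i+end+1:]
	}
}

// indexFold returns the index of the first case-insensitive match of sub in s, or -1.
func indexFold(s, sub string) int {
	for i := 0; i+len(sub) <= len(s); i++ {
		if strings.EqualFold(s[i:i+len(sub)], sub) {
			return i
		}
	}
	return -1
}

func main() {
	// Constructed inputs, not taken from the issue.
	fmt.Printf("%q\n", DropDoctypes("<!DOCTYPE html><p>hi</p>"))
	fmt.Printf("%q\n", DropDoctypes("<p>a</p><!DOCTYPE never closed"))
}
```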