bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
BSD 3-Clause "New" or "Revised" License
Use of strings.ToLower() incorrectly escapes chars and allows for insertion of scripts #56
Closed
buro9 closed 6 years ago
Reported by email:
Note that this is more severe than even the original reporter realised, as this works on NewPolicy, which is a blank policy.
An explanation was provided:
Investigation reveals that strings.ToLower() was not even required and could be omitted, which results in the expected (safe) behaviour.
A change is coming in a moment.
Credit to Yandex and @buglloc for reporting this.
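As an added illustration, not code from the bluemonday project and not the reporter's payload (which is not reproduced on this page): HTML tag names are ASCII case-insensitive and the golang.org/x/net/html tokenizer has already ASCII-lowered them, so folding them again with the Unicode-aware strings.ToLower() can turn a name the tokenizer did not treat as a given element into that element's name. The helpers asciiLower, isRawTextElement and foldsDifferently and the sample names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiLower folds only A-Z to a-z, which is the case-insensitivity HTML
// defines for tag names and what golang.org/x/net/html's tokenizer applies.
// Non-ASCII bytes are left exactly as they were.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// isRawTextElement reports whether an already tokenizer-normalised tag name
// is one whose content is emitted as raw text. No further folding is applied:
// the name is compared exactly as the tokenizer produced it.
func isRawTextElement(name string) bool {
	switch name {
	case "script", "style":
		return true
	}
	return false
}

// foldsDifferently reports whether Unicode folding (strings.ToLower) and
// ASCII folding disagree on a name. When they do, a sanitizer that lowers the
// name again with strings.ToLower reasons about a different element than the
// tokenizer did.
func foldsDifferently(name string) bool {
	return strings.ToLower(name) != asciiLower(name)
}

func main() {
	// Constructed sample names (hypothetical, not the reported payload).
	// U+0130 has a simple lowercase mapping to ASCII 'i' in Go's unicode
	// tables, and U+212A (Kelvin sign) maps to 'k'.
	for _, n := range []string{"SCRIPT", "scr\u0130pt", "LIN\u212A"} {
		fmt.Printf("%q ascii=%q unicode=%q rawtext=%v differs=%v\n", n,
			asciiLower(n), strings.ToLower(n), isRawTextElement(asciiLower(n)),
			foldsDifferently(n))
	}
}
```

The defensive takeaway is the one the issue reaches: compare tokenizer output as-is (or with ASCII-only folding), never with a Unicode case fold the tokenizer did not perform.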