microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

A tag abnormal output #63

Closed aimuz closed 6 years ago

aimuz commented 6 years ago
    // Build the stock user-generated-content policy and push a handful of
    // markup samples through it, logging whatever each one sanitises to.
    policy := bluemonday.UGCPolicy()
    //policy.AllowAttrs("src").Matching(regexp.MustCompile(`(?i)mailto|https?`)).OnElements("img")

    // Samples: script elements, inline event-handler attributes, a
    // javascript: href, and an <a> that is opened twice but never closed.
    // The last one is the case this issue is about.
    samples := []string{
        `<script>alert(/xss/);</script>;`,
        `<script src="http://xxx.xx/xx.js"></script>`,
        `<body onload=alert('test1')>`,
        `<b onmouseover=alert('Wufff!')>click me</b>;`,
        `<b onmouseover=alert('Wufff!')>click me!</b>`,
        `<a href="http://www.google.com/"><img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/></a>`,
        `<a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a>`,
        `<a href="http://www.google.com/" onmouseover="alert('XSS2')">XSS<a>`,
    }

    // Log the sanitised form of every sample so the outputs can be
    // compared against the inputs one by one.
    for i := range samples {
        t.Log(policy.Sanitize(samples[i]))
    }

<a href="http://www.google.com/" onmouseover="alert('XSS2')">XSS<a> outputs <a href="http://www.google.com/" rel="nofollow">XSS