search

microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License
3.14k stars 176 forks source link

Add address to DefaultElementsWithoutAttrs #69

Closed Mungrel closed 6 years ago

Mungrel commented 6 years ago

The address tag without attributes is safe. And we found in production that it was being stripped despite being present in the AllowElements list.