microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

URLs with multiple query parameters escape the `&` delimiter incorrectly #88

Closed platinummonkey closed 5 years ago

platinummonkey commented 5 years ago

Example: the following test case exists, which tests 1 query parameter

```go
{
    in:       `<a href="?q=1">`,
    expected: `<a href="?q=1" rel="nofollow">`,
},
```

Add the following test case to produce a failure with more than one query parameter.

```go
{
    in:       `<a href="?q=1&r=2">`,
    expected: `<a href="?q=1&r=2" rel="nofollow">`,
},
```

The result would be `<a href="?q=1&amp;r=2" rel="nofollow">`, which breaks the queries.
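As an added example (not bluemonday's code and not the reporter's), using only the Go standard library, the block below reproduces the serialization the reporter observed and then reads the attribute back in the two ways a consumer can: through HTML entity decoding, as a browser or any HTML parser does before resolving the URL, where both `q` and `r` survive, and as a raw string without decoding, where the second parameter does not. `html.EscapeString` stands in for the sanitizer's attribute escaping; the regex-based `rawHref` helper and the constructed input are assumptions made for this example.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
)

// Constructed input, taken from the issue's failing test case.
const issueInput = `<a href="?q=1&r=2">`

// Minimal attribute extractor for this example only; a real consumer would
// use a full HTML parser such as golang.org/x/net/html.
var hrefRe = regexp.MustCompile(`href="([^"]*)"`)

// serializeAnchor rebuilds an <a> tag the way a sanitizer re-serializes it:
// the attribute value is entity-escaped, so the "&" delimiter becomes
// "&amp;", and rel="nofollow" is appended. html.EscapeString is the
// standard-library escaper used for illustration, not bluemonday's own code.
func serializeAnchor(rawHrefValue string) string {
	return `<a href="` + html.EscapeString(rawHrefValue) + `" rel="nofollow">`
}

// rawHref pulls the href value out of a serialized tag without decoding
// entities: this is what a string-based consumer (grep, a regex, a log
// parser) sees.
func rawHref(tag string) string {
	m := hrefRe.FindStringSubmatch(tag)
	if m == nil {
		return ""
	}
	return m[1]
}

// decodedHref pulls the href value out and decodes entities, which is what
// an HTML parser does before the URL is used: "&amp;" becomes "&" again.
func decodedHref(tag string) string {
	return html.UnescapeString(rawHref(tag))
}

// queryParams parses the href and returns its query parameters. The parse
// error is returned rather than swallowed, so an undecoded "&amp;" (which
// leaves a ";" inside a key) is visible instead of silently dropping a
// parameter.
func queryParams(href string) (url.Values, error) {
	u, err := url.Parse(href)
	if err != nil {
		return nil, err
	}
	return url.ParseQuery(u.RawQuery)
}

func main() {
	tag := serializeAnchor(rawHref(issueInput))
	fmt.Println("sanitized tag:", tag)

	decoded, err := queryParams(decodedHref(tag))
	fmt.Printf("via HTML decoding: q=%q r=%q err=%v\n", decoded.Get("q"), decoded.Get("r"), err)

	raw, err := queryParams(rawHref(tag))
	fmt.Printf("without decoding:  q=%q r=%q err=%v\n", raw.Get("q"), raw.Get("r"), err)
}
```

The sanitized tag is exactly the `&amp;` form quoted in the report; whether the second parameter survives depends on whether the consumer decodes the attribute as HTML before treating it as a URL.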