bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
BSD 3-Clause "New" or "Revised" License
fixes URL sanitization with more than one query parameter #89
Closed
platinummonkey closed 5 years ago
This fixes URL sanitization when there is more than one query parameter.

This goes deep into how `token.String()` works -- on `html.StartTagToken` tokens like `a`, for example, which include linkable attributes (`href`, for example). Explicitly (https://github.com/golang/net/blob/master/html/token.go#L100) `token.String()` escapes all `&` ampersands regardless of location. Since `&` is a valid query parameter delimiter we need to treat this case specifically.

fixes #88