Closed akasandra closed 5 years ago
I get this:

```html
<p><a href="https://domain.xss.com/" rel="nofollow">XSS</p><p><strong>I am bold</strong> I am regular</p>
```
Do you have your code to show? Just the bit where you set up the policy, call it and set the return value.
Mine in totality:

```go
package main

import (
	"fmt"

	"github.com/microcosm-cc/bluemonday"
)

func main() {
	// Define a policy, we are using the UGC policy as a base.
	p := bluemonday.UGCPolicy()

	// Input under test: a link carrying target and an onblur event handler.
	s := `<p><a href="https://domain.xss.com/" target="_blank" onblur="alert('XSS2')">XSS<a></p><p><strong>I am bold</strong> I am regular</p>`

	// Apply the policy and write to stdout
	fmt.Println(p.Sanitize(s))
}
```
Seems like I checked the wrong version of my own app. Thanks.
I am not sure whether this behavior is intended or not, but if you try to sanitize the following string with UGCPolicy:

You get a result:

It does add `rel=nofollow` to the link, but it does not strip the `onblur` (or `onmouseover`) javascript event handlers, resulting in code execution; it does not strip the `target` attribute. Looking at the source of `func UGCPolicy()`, I see there is no way for me to fix this behavior. Is this really okay?