Closed jurajmajor closed 5 years ago
Good catch. Looping over the string sounds like the simplest, safest (if slower) thing to do. Forcing someone to use only well-formed HTML seems fairly burdensome.
I guess in the meantime you could call process()
in a loop to get the same outcome, but this really should be fixed internally, with possibly the option to disable the looping behaviour in the case where you're sure that you already have well formed HTML.
Define
The content of
$t
is safe (even though not well formed) HTML. However, after usingI get the string
<div onmouseover="alert(1);">hover over me</div>
which is definitely not what I would expect asonmouseover
attribute is not whitelisted.Good solution for this can be calling the removal procedure in a loop until the string doesn't change; if this is not possible for some reason, docs should recommend passing well-formed HTML to
HTML::Restrict
(usingHTML::TreeBuilder
could help).