yesodweb / haskell-xss-sanitize

prevent XSS attacks by sanitizing html (this is different than escaping!)

Script and style tag contents should likely be cleared #21

Closed tysonzero closed 2 years ago

tysonzero commented 2 years ago

Currently sanitizing script and style tags preserves the internal content as escaped html:

sanitize "<script>console.log('foo');</script>"
-- "console.log(&#39;foo&#39;);"

sanitize "<style>* { color: red }</style>"
-- "* { color: red }"

This is of course perfectly safe. However it seems very unlikely to be the desired resulting html.

Accordingly it seems like an explicit clear-list of html tags that should be emptied instead of escaped would be useful, with ["script", "style"] as the default list.

One could reasonably argue that <head> should make the list as well.
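An added example of the proposed clear-list, written for this page and not taken from the issue or from xss-sanitize itself: a tagsoup-level filter that drops everything between a clear-listed open tag and its close tag, composed with the library's exported `filterTags` and `safeTags`. The names `clearableTags`, `clearTags` and `sanitizeClearing` are assumptions of this example; `filterTags`, `safeTags` and the tagsoup `Tag` type are real exports.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not library code: empty the contents of clear-listed tags
-- before the normal whitelist pass, instead of escaping them into the output.
-- Assumes the packages xss-sanitize, tagsoup and text are installed.
import Data.Text (Text)
import qualified Data.Text.IO as TIO
import Text.HTML.TagSoup (Tag (..))
import Text.HTML.SanitizeXSS (filterTags, safeTags)

-- Tags whose inner content is dropped rather than escaped. The issue proposes
-- ["script", "style"] as the default; "head" could be added here.
clearableTags :: [Text]
clearableTags = ["script", "style"]

-- Skip every tag between a clear-listed open tag and its closing tag.
-- filterTags canonicalizes tag names to lowercase before calling us, so
-- "<SCRIPT>" matches "script". An unterminated clear-listed tag drops the
-- rest of the input, which is the conservative choice for a sanitizer.
clearTags :: [Text] -> [Tag Text] -> [Tag Text]
clearTags names = go
  where
    go [] = []
    go (t@(TagOpen name _) : rest)
      | name `elem` names = t : skipUntilClose name rest
    go (t : rest) = t : go rest

    skipUntilClose _ [] = []
    skipUntilClose name (t@(TagClose n) : rest)
      | n == name = t : go rest
    skipUntilClose name (_ : rest) = skipUntilClose name rest

-- Clear first, then let the library's whitelist remove the now-empty
-- script/style open and close tags exactly as plain sanitize does.
sanitizeClearing :: Text -> Text
sanitizeClearing = filterTags (safeTags . clearTags clearableTags)

main :: IO ()
main = mapM_ (TIO.putStrLn . sanitizeClearing)
  [ "<script>console.log('foo');</script>"            -- now renders as ""
  , "<style>* { color: red }</style>"                  -- now renders as ""
  , "<p>kept</p><script>dropped</script><b>kept too</b>" -- constructed input
  ]
```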

snoyberg commented 2 years ago

All of that seems reasonable, PR welcome.