yesodweb / haskell-xss-sanitize

prevent XSS attacks by sanitizing html (this is different than escaping!)

Export clearTags and explain safeTags is not enough #25

Open Skyfold opened 2 years ago

Skyfold commented 2 years ago

From the documentation:

You can insert your own custom filtering, but make sure you compose your filtering function with [safeTags] or [safeTagsCustom]

Really this should say:

You can insert your own custom filtering, but make sure you compose your filtering function with (safeTags . clearTags) or (safeTagsCustom . clearTagsCustom)

The problem is, without applying clearTags first, the input may not be sanitized:

```
Prelude Text.HTML.SanitizeXSS> filterTags safeTags "<iframe></iframe>"
""
Prelude Text.HTML.SanitizeXSS> filterTags safeTags "<script><iframe></iframe>"
"<iframe></iframe>"
```

This isn't an issue with sanitizeXSS because it composes safeTags with clearTags.

```
Prelude Text.HTML.SanitizeXSS> sanitizeXSS "<script><iframe></iframe>"
""
```

I'm happy to make a pull request to fix this.
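The following is an added example, not part of this issue and not code from the xss-sanitize project. It shows a custom filter composed the way the old documentation suggests (with safeTags only) next to the same filter with a clearing step in front, and prints what each does to the payload from the report and to a benign document. It assumes filterTags, safeTags and sanitizeXSS from Text.HTML.SanitizeXSS and the Tag type from tagsoup; noLinks, the two inputs and the helper clearScriptStyle are constructed here, and clearScriptStyle is only a stand-in for the library's unexported clearTags, not its actual implementation.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not from this issue or the xss-sanitize project).
-- Shows why a custom filter composed with safeTags alone leaves the raw
-- contents of an unclosed <script> untouched, and what a clearing step
-- placed in front of it changes.
module Main where

import Data.Text (Text)
import qualified Data.Text.IO as TIO
import Text.HTML.SanitizeXSS (filterTags, safeTags, sanitizeXSS)
import Text.HTML.TagSoup (Tag (..))

-- Constructed custom rule: strip all <a> elements but keep their inner text.
noLinks :: [Tag Text] -> [Tag Text]
noLinks = filter (not . isAnchor)
  where
    isAnchor (TagOpen "a" _) = True
    isAnchor (TagClose "a")  = True
    isAnchor _               = False

-- Assumed stand-in for the library's clearTags (which this issue asks to have
-- exported): once a <script> or <style> opens, drop every tag and text up to
-- and including its closing tag. Without a closing tag the rest of the input
-- is dropped, which is exactly the shape of the payload in the report above.
clearScriptStyle :: [Tag Text] -> [Tag Text]
clearScriptStyle [] = []
clearScriptStyle (TagOpen name _ : rest)
  | name `elem` ["script", "style"] =
      clearScriptStyle (drop 1 (dropWhile (not . closes name) rest))
  where
    closes n (TagClose n') = n == n'
    closes _ _             = False
clearScriptStyle (t : rest) = t : clearScriptStyle rest

-- Wrong: the custom rule composed with safeTags only, as the old docs suggest.
filterWithoutClear :: Text -> Text
filterWithoutClear = filterTags (noLinks . safeTags)

-- Right: clear script/style bodies first, then whitelist, then apply the rule.
filterWithClear :: Text -> Text
filterWithClear = filterTags (noLinks . safeTags . clearScriptStyle)

main :: IO ()
main = do
  -- Constructed inputs: the payload from the report and a benign document.
  let payload = "<script><iframe></iframe>"
      benign  = "<p>See <a href=\"https://example.com\">this</a></p>"
  mapM_ (\(label, f) -> do
           TIO.putStrLn label
           TIO.putStrLn ("  payload -> " <> f payload)
           TIO.putStrLn ("  benign  -> " <> f benign))
    [ ("safeTags only:",           filterWithoutClear)
    , ("clear, then safeTags:",    filterWithClear)
    , ("sanitizeXSS (reference):", sanitizeXSS)
    ]
```

Run it with `runghc` after installing xss-sanitize and tagsoup. The ordering in filterWithClear matters: the clearing step has to run before safeTags, because safeTags only removes the `<script>` open tag and never looks at the raw text tagsoup produces for the element's body, which is what the second GHCi line in the report shows.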

snoyberg commented 2 years ago

Sure, a PR would be great.