yesodweb / haskell-xss-sanitize

prevent XSS attacks by sanitizing html (this is different than escaping!)

Issue with style details still being included #30

Closed parthshah31 closed 2 years ago

parthshah31 commented 2 years ago

sanitizeBalance sometimes still includes the content within the style tag.

Here's a minimum reproducible example that shows the issue:

λ> sanitizeBalance "<!DOCTYPE><html><style>html{width:100%;max-width:100%}</style></html></DOCTYPE>"
"html{width:100%;max-width:100%}"

This should just return "" and a simple example like this works:

λ> sanitizeBalance "<style>html{width:100%}</style>"

parthshah31 commented 2 years ago

Correction, the <style> tag content is never dropped even though it's not listed in the acceptable_elements.
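The two behaviours described in this thread, as an added illustration that is not xss-sanitize's own code: a small allowlist sanitizer built on Python's html.parser that unwraps elements outside the allowlist but keeps their text (which reproduces the reported output), beside the variant that also discards the content of <style> and <script>. The ALLOWED and DROP_WITH_CONTENT sets are assumed, shortened lists, and attributes are ignored to keep the example focused on element handling.

```python
from html import escape
from html.parser import HTMLParser

# Assumed, shortened allowlist (xss-sanitize's acceptable_elements is longer).
# <html> and <style> are deliberately absent so the issue's input hits both paths.
ALLOWED = {"p", "b", "i", "a", "ul", "li", "em", "strong"}

# Elements whose text must go with the tag: merely unwrapping them leaks the
# CSS or script source into the output as visible text.
DROP_WITH_CONTENT = {"style", "script"}


class Sanitizer(HTMLParser):
    def __init__(self, drop_content: bool) -> None:
        super().__init__(convert_charrefs=True)
        self.drop_content = drop_content  # False reproduces the reported bug
        self.out: list[str] = []
        self.suppress = 0  # nesting depth inside a discarded subtree

    def handle_starttag(self, tag, attrs):
        if self.drop_content and tag in DROP_WITH_CONTENT:
            self.suppress += 1
            return
        if self.suppress or tag not in ALLOWED:
            return  # disallowed element: drop the tag, keep its children
        self.out.append(f"<{tag}>")  # attributes intentionally not emitted

    def handle_endtag(self, tag):
        if self.drop_content and tag in DROP_WITH_CONTENT:
            self.suppress = max(0, self.suppress - 1)
            return
        if self.suppress or tag not in ALLOWED:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # html.parser delivers <style>/<script> bodies here as raw text
        if not self.suppress:
            self.out.append(escape(data, quote=False))


def sanitize(html: str, drop_content: bool = True) -> str:
    """Return sanitized markup; drop_content=False shows the unwrap-only bug."""
    parser = Sanitizer(drop_content)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Input from the issue report; the two calls return the buggy and the expected result.
ISSUE_INPUT = "<!DOCTYPE><html><style>html{width:100%;max-width:100%}</style></html></DOCTYPE>"
```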

snoyberg commented 2 years ago

PR welcome to address this.

parthshah31 commented 2 years ago

Actually fixed. Updated version. Was solved by @tysonzero.