Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test case not sanitising #157

Open
aaronpcz opened this issue Oct 26, 2022 · 1 comment
Open

Test case not sanitising #157

aaronpcz opened this issue Oct 26, 2022 · 1 comment

Comments

@aaronpcz
Copy link

aaronpcz commented Oct 26, 2022
edited
Loading

I've found a test case that does not sanitize correctly. I've done a preliminary investigation to see if I could contribute a fix, but it doesn't seem like a simple case.

The golang html page is providing the html.Attribute as key="src", val="onmouseover="alert('xxs')"".

{
  in:              `<IMG SRC= onmouseover="alert('xxs')">`,
  expected: ``,
},

Here is the output

        input   : <IMG SRC= onmouseover="alert('xxs')">
        output  : <img src="onmouseover=%22alert%28%27xxs%27%29%22">
        expected:

Happy to try to contribute a fix but I'm a bit short of ideas, I contemplated trying to re-parse attribute values to identify any nested attributes due to this type of input. Not sure how I'd go about re-parsing just attributes, it doesn't seem like it's something supported in the html package?
@aaronpcz
Copy link
Author

I've done a bit more digging, I've just found the func (p *Policy) validURL(rawurl string) (string, bool) method, in here, it is being treated as a relative URL.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@aaronpcz