kennygrant / sanitize Goto Github PK
View Code? Open in Web Editor NEWPackage sanitize provides functions for sanitizing text in golang strings.
License: BSD 3-Clause "New" or "Revised" License
sanitize's People
Contributors
Stargazers
Watchers
Forkers
andrewzeneski bakanis hotei jaredfolkins netherdrake uraza amauragis tinygrasshopper dutchcoders chrisdambrosio eduncan911 beyang meltwaterarchive mersinvald davidsatimewallin buddhamagnet peterdeka dasnook redsift porjo prateek-forks dealyze thanhedman gen1us2k pawka thedodd wudi invisiblethreat slovyanskiyyehor runivn kristofer tabacco retailify ipaladinllc danzig666 simply-bits triwav etsangsplk alaaattya stefanfransen lucapaterlini beeketing themacies tadaii alexmotz adamgwinn john-itcsolutions quriobot epskampie jiaxinwang bonedaddy robovarga rukykf 5l1v3r1 jeffreims hoffsmh 34 isgasho 13266522010 rodneyswa nj-eka waybackarchiver sparklive vigo albertogviana deluan mmorel-35 startled-cat marcomac01sanitize's Issues
how to remove all of <script>...</script>?
<span style="color:#999;font-size:8px;">
<script type="text/javascript">
//something
</script>
</span>how to remove all of <script>...</script>?
Path function
Path function is dealing correctly with this vector "http://localhost:8080/?file=..\etc/passwd" but when you use "http://localhost:8080/?file=../etc/passwd" the result path will be "/etc/passwd"
lt, gt chars parsing inside a tag
Is it correct that when using sanitize.HTML the HTML like <p>1 < 2</p> won't be parsed accurately?
Sanitize doesn't adequately protect HTML
This has the makings of a great sanitization library but right now it appears to have some vulnerabilities, based on a quick read-through of the clear and well-written code.
To quote the first cheatsheet: Even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.
It might be useful to develop a test suite based on this:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
For example, escaping only <> isn't enough. OWASP used to have a list (as follows), but now even this isn't sufficient.
& -> &
< -> <
> -> >
" -> "
' -> '
/ -> /
\n -> <br>
Also have a look at how https://github.com/microcosm-cc/bluemonday does it.
This is another OWASP cheat sheet that might be valuable:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md
Multiple lines are joined after sanitizing.
Go code:
package main
import (
"fmt"
"github.com/kennygrant/sanitize"
)
func main() {
content := `<p>LINE 1<br />
LINE 2<br />
LINE 3</p>`
fmt.Println(sanitize.HTML(content))
}
Will provide:
LINE 1LINE 2LINE 3
New lines are missing. I can fix this by myself, but want to be sure if you'll merge my PR as latest commit is 1 year old.
override defaults
A couple of defaults I'd like to be able to override:
- lower case strings: I'd like to preserve mixed case
- use of
-separator: I'd like to use_
sanitize.HTMLAllowing() breaks when encountering a self-closing iframe tag
package main
import (
"fmt"
"github.com/kennygrant/sanitize"
)
func main() {
input1 := `<iframe></iframe><script>alert('uh oh');</script><p>hello</p>`
input2 := `<iframe /><script>alert('uh oh');</script><p>hello</p>`
allowedTags := []string{"p"}
output1, _ := sanitize.HTMLAllowing(input1, allowedTags)
fmt.Println(output1) // <p>hello</p>
output2, _ := sanitize.HTMLAllowing(input2, allowedTags)
fmt.Println(output2) // <script>alert('uh oh');</script><p>hello</p>
}Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.