kennygrant / sanitize
Package sanitize provides functions for sanitizing text in golang strings.
License: BSD 3-Clause "New" or "Revised" License
<span style="color:#999;font-size:8px;">
<script type="text/javascript">
//something
</script>
</span>
How to remove all of <script>...</script>?
Path function is dealing correctly with this vector "http://localhost:8080/?file=..\etc/passwd" but when you use "http://localhost:8080/?file=../etc/passwd" the result path will be "/etc/passwd"
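A root-confinement check written for this issue, as an added example that is not the sanitize package's own Path function: safeJoin (a hypothetical name) normalises backslashes before cleaning, so the two vectors quoted above are treated the same way, and it rejects any result that does not stay under the root. The root directory is a constructed value.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the resolved path would leave the root.
var ErrOutsideRoot = errors.New("path escapes the allowed root")

// safeJoin is a hypothetical helper (not the sanitize package's Path) that
// resolves a user-supplied file name against root and rejects anything that
// would resolve outside it. Backslashes are normalised to '/' first: on
// Unix, filepath.Clean treats '\' as an ordinary byte, so "..\etc/passwd"
// would otherwise look like a harmless directory name while "../etc/passwd"
// climbs out. Both must be handled identically.
func safeJoin(root, userPath string) (string, error) {
	norm := strings.ReplaceAll(userPath, `\`, "/")
	// filepath.Join concatenates, so a leading slash cannot escape root;
	// trimming it just makes the "relative to root" intent explicit.
	norm = strings.TrimLeft(norm, "/")

	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, filepath.FromSlash(norm))

	// Join cleans the result, so every ".." has already been applied; what
	// remains must be root itself or live under root + separator.
	prefix := cleanRoot + string(filepath.Separator)
	if cleanRoot == string(filepath.Separator) {
		prefix = cleanRoot
	}
	if joined != cleanRoot && !strings.HasPrefix(joined, prefix) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

func main() {
	root := "/srv/files" // constructed root directory
	inputs := []string{"report.txt", "docs/../report.txt", "../etc/passwd", `..\etc/passwd`}
	for _, p := range inputs {
		got, err := safeJoin(root, p)
		fmt.Printf("%-18q -> %q %v\n", p, got, err)
	}
}
```

The check is purely lexical: if a directory under root is a symlink pointing elsewhere, resolve the returned path with filepath.EvalSymlinks and apply the same prefix test to the resolved path before opening it.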
Is it correct that when using sanitize.HTML the HTML like <p>1 < 2</p> won't be parsed accurately?
This has the makings of a great sanitization library but right now it appears to have some vulnerabilities, based on a quick read-through of the clear and well-written code.
To quote the first cheatsheet: Even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.
It might be useful to develop a test suite based on this:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
For example, escaping only <> isn't enough. OWASP used to have a list (as follows), but now even this isn't sufficient.
& -> &amp;
< -> &lt;
> -> &gt;
" -> &quot;
' -> &#x27;
/ -> &#x2F;
\n -> <br>
Also have a look at how https://github.com/microcosm-cc/bluemonday does it.
This is another OWASP cheat sheet that might be valuable:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md
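The escaping table quoted above, carried through in code as an added example (not part of the sanitize package): owaspEscapeHTMLBody applies the six OWASP replacements for data placed in element content, escapeAngleOnly is the insufficient "only <>" approach the comment warns about, and both are run over the `1 < 2` markup from the earlier question. Function names and sample strings are constructed for this example; html.EscapeString is Go's standard library.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// owaspEscapeHTMLBody applies the six replacements from OWASP rule #1 for
// untrusted data placed in HTML element content. Constructed example, not
// a sanitize package function.
func owaspEscapeHTMLBody(s string) string {
	// NewReplacer makes a single pass, so the '&' in "&lt;" is not re-encoded.
	return strings.NewReplacer(
		"&", "&amp;",
		"<", "&lt;",
		">", "&gt;",
		`"`, "&quot;",
		"'", "&#x27;",
		"/", "&#x2F;",
	).Replace(s)
}

// escapeAngleOnly is the incomplete approach the comment warns about: only
// '<' and '>' are encoded, so '&' and quote characters pass through as-is.
func escapeAngleOnly(s string) string {
	return strings.NewReplacer("<", "&lt;", ">", "&gt;").Replace(s)
}

// roundTrips checks that decoding the encoded form gives the input back,
// i.e. nothing was dropped or double-encoded.
func roundTrips(s string) bool {
	return html.UnescapeString(owaspEscapeHTMLBody(s)) == s
}

func main() {
	samples := []string{
		`<p>1 < 2</p>`,          // bare '<' in text, from the sanitize.HTML question above
		`Tom & Jerry said "hi"`, // '&' and quotes: untouched by angle-only escaping
	}
	for _, s := range samples {
		fmt.Printf("input:      %s\n", s)
		fmt.Printf("angle-only: %s\n", escapeAngleOnly(s))
		fmt.Printf("stdlib:     %s\n", html.EscapeString(s))
		fmt.Printf("owasp:      %s  (round-trips: %v)\n\n", owaspEscapeHTMLBody(s), roundTrips(s))
	}
}
```

Go's html.EscapeString covers five of the six characters (it leaves "/" alone), and both encoders are only correct for element content: the comment's point about context still holds, so data going into an attribute value, a URL, or a script block needs that context's own escaping rather than this table.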
Go code:
package main

import (
	"fmt"

	"github.com/kennygrant/sanitize"
)

func main() {
	content := `<p>LINE 1<br />
LINE 2<br />
LINE 3</p>`
	fmt.Println(sanitize.HTML(content))
}
Will provide:
LINE 1LINE 2LINE 3
New lines are missing. I can fix this by myself, but want to be sure if you'll merge my PR as latest commit is 1 year old.
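A block-aware tag stripper, added as an example of the behaviour this issue asks for; it is not the sanitize package's HTML function and does not depend on it. textWithNewlines (a constructed name) emits a newline for each <br> and for the close of a block element, treats source line breaks as HTML whitespace, and decodes entities with Go's html.UnescapeString; the sample markup is the one from the issue.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// blockTags are elements whose closing tag ends a line when markup is
// flattened to text; <br> is handled separately because it breaks on open.
var blockTags = map[string]bool{
	"p": true, "div": true, "li": true, "tr": true, "h1": true, "h2": true,
	"h3": true, "h4": true, "h5": true, "h6": true, "blockquote": true, "pre": true,
}

// tagName extracts the lower-cased element name from the text between
// '<' and '>' and reports whether the tag is a closing one.
func tagName(inner string) (name string, closing bool) {
	inner = strings.TrimSpace(inner)
	if strings.HasPrefix(inner, "/") {
		closing = true
		inner = strings.TrimSpace(inner[1:])
	}
	end := strings.IndexAny(inner, " \t\n/>")
	if end == -1 {
		end = len(inner)
	}
	return strings.ToLower(inner[:end]), closing
}

// textWithNewlines flattens s to plain text, turning <br> and the close of
// block elements into '\n' and source line breaks into spaces (HTML
// whitespace). It is a text extractor for markup you already trust, not a
// sanitiser: the output is plain text and must be escaped again before it
// is placed in an HTML page.
func textWithNewlines(s string) string {
	s = strings.NewReplacer("\r\n", " ", "\n", " ", "\r", " ").Replace(s)
	var out, tag strings.Builder
	inTag := false
	for _, r := range s {
		switch {
		case !inTag && r == '<':
			inTag = true
			tag.Reset()
		case inTag && r == '>':
			inTag = false
			name, closing := tagName(tag.String())
			if name == "br" || (closing && blockTags[name]) {
				out.WriteByte('\n')
			}
		case inTag:
			tag.WriteRune(r)
		default:
			out.WriteRune(r)
		}
	}
	// Tidy: trim each line and drop blank lines left by adjacent breaks.
	var lines []string
	for _, l := range strings.Split(out.String(), "\n") {
		if l = strings.TrimSpace(l); l != "" {
			lines = append(lines, html.UnescapeString(l))
		}
	}
	return strings.Join(lines, "\n")
}

func main() {
	// Constructed sample matching the markup from the issue above.
	content := "<p>LINE 1<br />\nLINE 2<br />\nLINE 3</p>"
	fmt.Println(textWithNewlines(content))
}
```

Like any tag scanner, this assumes a bare "<" in text has been written as &lt;; the `<p>1 < 2</p>` case from the earlier question would swallow " 2</p" as a tag, which is the same ambiguity that question is about.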
A couple of defaults I'd like to be able to override:
- separator: I'd like to use _
package main

import (
	"fmt"

	"github.com/kennygrant/sanitize"
)

func main() {
	input1 := `<iframe></iframe><script>alert('uh oh');</script><p>hello</p>`
	input2 := `<iframe /><script>alert('uh oh');</script><p>hello</p>`
	allowedTags := []string{"p"}

	output1, _ := sanitize.HTMLAllowing(input1, allowedTags)
	fmt.Println(output1) // <p>hello</p>

	output2, _ := sanitize.HTMLAllowing(input2, allowedTags)
	fmt.Println(output2) // <script>alert('uh oh');</script><p>hello</p>
}