
Invalid SafeScripting purification for non-empty <script> tag #212

xemlock opened this Issue Apr 10, 2019 · 0 comments



xemlock commented Apr 10, 2019

Consider the following script:


<?php
require './vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
// Only scripts whose src is exactly on this whitelist may survive purification.
$config->set('HTML.SafeScripting', array('https://localhost/foo.js'));

$purifier = new HTMLPurifier($config);
echo $purifier->purify('<script type="text/javascript" src="https://localhost/bar.js">FOO</script>');

The whole <script> tag, together with its text content, should be removed as invalid, because the src attribute isn't included in the whitelist.

Instead, the <script> contents are inserted as-is, resulting in the following output:


AFAIK self-closing <script> tags are not supported by browsers, so I guess HTMLPurifier should behave similarly, at least in HTML mode (i.e. non-XHTML).

Tested with HTMLPurifier 4.10.0, 4.9.3, 4.8.0.
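As an added example (not code from the issue or from HTMLPurifier), one defensive workaround for the behaviour reported above: drop every <script> element whose src is not on the whitelist, text content included, before the fragment reaches HTMLPurifier, so SafeScripting only ever sees whitelisted scripts. The helper name, the DOMDocument-based pre-pass and the sample input are assumptions for this illustration; it assumes an HTML (not XHTML) fragment.

```php
<?php
// Added example, not part of the issue or of HTMLPurifier.
require './vendor/autoload.php';

// Remove <script> elements (and their text) whose src is not whitelisted,
// using DOMDocument as an independent pre-pass before purification.
function stripNonWhitelistedScripts(string $fragment, array $allowedSrcs): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy markup silently
    $doc->loadHTML(
        '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $fragment . '</body></html>'
    );
    libxml_clear_errors();

    // Collect first: removing nodes while iterating a live NodeList skips items.
    $doomed = [];
    foreach ($doc->getElementsByTagName('script') as $script) {
        // A missing src yields '' and is therefore never whitelisted.
        if (!in_array($script->getAttribute('src'), $allowedSrcs, true)) {
            $doomed[] = $script;
        }
    }
    foreach ($doomed as $script) {
        $script->parentNode->removeChild($script); // drops the text content with it
    }

    // Serialize only the body's children to get the fragment back.
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

$allowed  = ['https://localhost/foo.js'];
$config   = HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeScripting', $allowed);
$purifier = new HTMLPurifier($config);

// Constructed input mirroring the report: bar.js is not whitelisted, foo.js is.
$input = '<p>hi</p>'
       . '<script type="text/javascript" src="https://localhost/bar.js">FOO</script>'
       . '<script src="https://localhost/foo.js"></script>';
echo $purifier->purify(stripNonWhitelistedScripts($input, $allowed)), PHP_EOL;
```

The pre-pass removes the bar.js element together with its "FOO" text, so the purifier never has the chance to unwrap that content; the whitelisted foo.js script is left for SafeScripting to handle as usual.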
