
Verify stripTags filters escaped script tag #24

Merged
merged 2 commits into from Jan 15, 2020

Conversation

@panzerfahrer
Contributor

panzerfahrer commented Jan 14, 2020

This changes stripTags to always escape the body of text node HTML tags.

Previously, stripTags made it possible to inject executable JavaScript when passing in escaped HTML. The reason for this is golang's HTML Tokenizer, which states:

Data is unescaped for all Tokens (it looks like "a<b" rather than "a&lt;b").
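The failure mode described in this PR, shown as an added example that is not the project's code: `textTokens` is a deliberately simplified stand-in (an assumption for this example) for the golang.org/x/net/html Tokenizer, reproducing only the property quoted above, that text token data comes back with entities already unescaped. `stripTagsVulnerable` re-emits that data verbatim, so entity-encoded input turns into a live tag; `stripTagsFixed` escapes every text token before emitting it, which is the change the PR describes. The inputs in `main` are constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// textTokens is a simplified stand-in for the x/net/html Tokenizer (an
// assumption for this example, not the project's code). It drops anything
// between '<' and '>' as a tag token and collects the rest as text tokens.
// Like the real tokenizer, the text data it returns is unescaped, so the
// input "a&lt;b" comes back as "a<b".
func textTokens(input string) []string {
	var texts []string
	var buf strings.Builder
	inTag := false
	for _, r := range input {
		switch {
		case r == '<' && !inTag:
			inTag = true
			if buf.Len() > 0 {
				texts = append(texts, html.UnescapeString(buf.String()))
				buf.Reset()
			}
		case r == '>' && inTag:
			inTag = false
		case !inTag:
			buf.WriteRune(r)
		}
	}
	if buf.Len() > 0 {
		texts = append(texts, html.UnescapeString(buf.String()))
	}
	return texts
}

// stripTagsVulnerable emits the unescaped token data as-is. Because the
// tokenizer already decoded entities, "&lt;script&gt;" in the input becomes
// a real "<script>" tag in the output.
func stripTagsVulnerable(input string) string {
	return strings.Join(textTokens(input), "")
}

// stripTagsFixed escapes the body of every text token before emitting it,
// so the output is safe to place back into an HTML context.
func stripTagsFixed(input string) string {
	var out strings.Builder
	for _, t := range textTokens(input) {
		out.WriteString(html.EscapeString(t))
	}
	return out.String()
}

func main() {
	// Constructed sample inputs for the example.
	for _, in := range []string{
		"&lt;script&gt;alert(1)&lt;/script&gt;",
		"<b>bold</b> &amp; more",
	} {
		fmt.Printf("input:      %q\n", in)
		fmt.Printf("vulnerable: %q\n", stripTagsVulnerable(in))
		fmt.Printf("fixed:      %q\n\n", stripTagsFixed(in))
	}
}
```

The second input shows that the fix keeps ordinary content intact: real tags are still stripped, and an escaped ampersand stays escaped in the output instead of being silently decoded.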

@panzerfahrer panzerfahrer requested review from begner and tessig Jan 14, 2020
@panzerfahrer panzerfahrer force-pushed the striptags-escaped-input branch from fb107cc to 99097ae Jan 14, 2020
@tessig
tessig approved these changes Jan 15, 2020
@panzerfahrer panzerfahrer merged commit 532985b into master Jan 15, 2020
2 checks passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details