Allow all body/head/title and only do xss removal #29
Comments
Use the default policy. If I was being quick and dirty, that would be where I would consider reading the document as a string and checking the prefix and suffix of the string for the outer HTML tags and then replacing them with nothing. However, that's not recommended, as ideally you shouldn't do any processing after the sanitisation has been performed. In my own code I essentially pre-process input, which leads to a consistent structure before sanitisation, and at that point I strip that out and sanitise just the fragment that is the body: https://github.com/microcosm-cc/microcosm/blob/master/models/markdown.go#L80-L88

```go
// Excerpt from models/markdown.go (uses the "bytes" package);
// src is the []byte of rendered HTML produced earlier in the function.
const htmlCruft = `<html><head></head><body>`

// The treewalking leaves behind a stub root node
if bytes.HasPrefix(src, []byte(htmlCruft)) {
	src = src[len([]byte(htmlCruft)):]
}

// Scrub the generated HTML of anything nasty
// NOTE: This *MUST* always be the last thing to avoid introducing a
// security vulnerability
src = SanitiseHTML(src)
```

Where https://github.com/microcosm-cc/microcosm/blob/master/models/sanitise.go#L34-L45

```go
// Excerpt from models/sanitise.go
import "github.com/microcosm-cc/bluemonday"

var (
	textPolicy     = bluemonday.StripTagsPolicy()
	htmlPolicy     = bluemonday.UGCPolicy()
	initHTMLPolicy bool
)

// SanitiseHTML sanitizes HTML,
// leaving a safe set of HTML intact that is not going to pose an XSS risk
func SanitiseHTML(b []byte) []byte {
	if !initHTMLPolicy {
		// One-time adjustment of the stock UGC policy for link handling
		htmlPolicy.RequireNoFollowOnLinks(false)
		htmlPolicy.RequireNoFollowOnFullyQualifiedLinks(true)
		htmlPolicy.AddTargetBlankToFullyQualifiedLinks(true)
		initHTMLPolicy = true
	}
	return htmlPolicy.SanitizeBytes(b)
}
```

Oh, and if you're wondering what my pre-processing was, I linkify all @ and + mentions of other users, which required building and modifying an HTML document, and that has a side effect of both balancing the HTML tree as well as producing a consistent output: https://github.com/microcosm-cc/microcosm/blob/master/models/mentions.go#L55

Answer: with pre-processing and a consistent structure it's very safe and easy to just string process it out before you sanitise, but it is also possible with post-processing, though that isn't recommended.
@buro9 thanks for your help!
You could encapsulate everything that is a policy as a JSON file and treat that as a configuration to be loaded by a flag, and then construct the policy and execute it against either stdin or a file input.
Can you help me a little? Especially, how would you map/assign the JSON vars to a policy? Right now I am passing two comma-separated lists as args.
That is not what I would do. The args would be massive. I'd have a single arg, that was the path to a JSON file. The JSON file should be structured such that you can loop through and construct the policy. That's it.
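One way to do what the JSON-file suggestion above describes, as an added example that is neither code from this thread nor bluemonday's own: the policy lives in a small JSON document, the loader rejects malformed or inconsistent configs, and one loop feeds the rules to anything exposing bluemonday-shaped calls. The JSON shape, `PolicyConfig` and `PolicyBuilder` are assumptions of this example; the adapter to a real policy is `p.AllowElements(names...)` and `p.AllowAttrs(attrs...).OnElements(elems...)`.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// PolicyConfig is the assumed JSON shape: the allowed elements, and for each
// element the attributes allowed on it. Anything not listed is stripped.
type PolicyConfig struct {
	Elements   []string            `json:"elements"`
	Attributes map[string][]string `json:"attributes"`
}

// PolicyBuilder is the only surface the loop needs; a bluemonday adapter maps
// these onto p.AllowElements(names...) and p.AllowAttrs(attrs...).OnElements(elems...).
type PolicyBuilder interface {
	AllowElements(names ...string)
	AllowAttrsOnElements(attrs, elements []string)
}

// LoadPolicyConfig parses the file strictly: unknown keys are an error, and
// attributes may only be listed for an element that is itself allowed.
func LoadPolicyConfig(raw []byte) (*PolicyConfig, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var cfg PolicyConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, err
	}
	allowed := map[string]bool{}
	for _, e := range cfg.Elements {
		allowed[e] = true
	}
	for e := range cfg.Attributes {
		if !allowed[e] {
			return nil, fmt.Errorf("attributes listed for %q, which is not an allowed element", e)
		}
	}
	return &cfg, nil
}

// BuildPolicy issues one builder call per rule, driven by the JSON file instead of CLI args.
func BuildPolicy(cfg *PolicyConfig, b PolicyBuilder) {
	b.AllowElements(cfg.Elements...)
	for elem, attrs := range cfg.Attributes {
		b.AllowAttrsOnElements(attrs, []string{elem})
	}
}
func main() {} // stand-alone entry point; the functions above are the library part
```

Elements such as head/title that a stock policy strips become explicit entries in the `elements` list, so the decision to allow them is visible in configuration rather than buried in code.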
Okay, sounds good, will follow that approach. Given this HTML:

how would you allow head/meta? Right now I am trying this, but meta is always removed:

and result:
What's the easiest way to allow all default/basic HTML tags?
Especially body/head/title is always removed, even if I allow them.
Looking for a quick & dirty XSS remover.