If you try
"><img src=a onerror=alert(1)>
and pass it in as the parameter to
antiSamy.scan ( parameter, policy, AntiSamy.SAX ).getCleanHTML ();
you will get
><img src=a onerror=alert(1)>
and so an alert pops up... even if img tags are set to remove.
I end up with this output:
""><img src=a onerror=alert(1)>"
Which is safe/expected. Now, if you then pass that to another interpreter which decodes it again, then of course something bad can happen.
Can you confirm the encoded values above are what you actually get? And do you agree this is safe/expected behavior?
@wurtzelsepp As we can't replicate this, we are closing this for now. But please provide additional details if you still think this is an issue.
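The point of the maintainer's reply, worked through as an added example (this is not code from the issue or from the AntiSamy project): scan the reported payload, check that the cleaned output carries no live tag, then run it through one more round of entity decoding, which is what a downstream template engine, a second unescape call or a JSON/HTML round trip would do, and watch the `<img onerror>` tag reappear. The classpath entry for antisamy.jar, the policy file path `antisamy.xml` (assumed to remove `<img>`), and the helper names `decodeEntitiesOnce` and `hasEventHandlerTag` are all assumptions of this example.

```java
// Added example, not from the issue or the AntiSamy project.
// Assumes antisamy.jar on the classpath and a policy file ./antisamy.xml
// whose tag rules remove <img>. Both are assumptions.
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyDoubleDecode {

    // Stand-in for any later layer that decodes HTML entities once more
    // before the browser sees the string (hypothetical helper; only the
    // entities that matter for this payload are handled).
    static String decodeEntitiesOnce(String s) {
        return s.replace("&lt;", "<")
                .replace("&gt;", ">")
                .replace("&quot;", "\"")
                .replace("&#34;", "\"")
                .replace("&amp;", "&"); // must run last so "&amp;lt;" decodes to "&lt;", not "<"
    }

    // True if the string contains a literal tag with an on* event-handler
    // attribute, i.e. markup a browser would execute (hypothetical helper).
    static boolean hasEventHandlerTag(String s) {
        return s.matches("(?is).*<[a-z][^>]*\\son[a-z]+\\s*=.*");
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        // Payload from the report, constructed here as the sample input.
        String payload = "\"><img src=a onerror=alert(1)>";

        Policy policy = Policy.getInstance("antisamy.xml"); // assumed path
        AntiSamy antiSamy = new AntiSamy();

        CleanResults results = antiSamy.scan(payload, policy, AntiSamy.SAX);
        String clean = results.getCleanHTML();

        // Stray '<' and '"' outside a real element are entity-encoded by the
        // scanner, so the cleaned string holds no tag a browser would parse.
        System.out.println("clean output     : " + clean);
        System.out.println("errors reported  : " + results.getNumberOfErrors());
        System.out.println("live handler tag : " + hasEventHandlerTag(clean));

        // One extra decode downstream turns the inert text back into markup.
        String decodedAgain = decodeEntitiesOnce(clean);
        System.out.println("after 2nd decode : " + decodedAgain);
        System.out.println("live handler tag : " + hasEventHandlerTag(decodedAgain));
    }
}
```

Use the cleaned string exactly as returned: write it into the HTML response without a further escape or unescape step, and keep any unescaping that happens later in the request pipeline (view helpers, client-side decoding before `innerHTML`) in mind when auditing, since that second decode, not the scan, is what would let the reported alert fire.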