[XSS] Ignore case of blacklisted HTML elements #247
Makes sense, thanks.
Need to get CI passing though.
Codecov Report
@@ Coverage Diff @@
## master #247 +/- ##
==========================================
+ Coverage 99.72% 99.72% +<.01%
==========================================
Files 1 1
Lines 363 364 +1
Branches 57 57
==========================================
+ Hits 362 363 +1
Misses 1 1
Continue to review full report at Codecov.
@probablyup Sorry, missed that test. Not sure why it only works when I pass the lowercase tag name, but should be fixed now.
Anything else blocking this fix? Snyk recently started flagging for XSS vulnerability.
Thanks!
Right now, you can inject `script` and `style` tags by using uppercase letters, e.g. `<SCRIPT>alert('hi')</SCRIPT>`. This PR converts tag names to lowercase before evaluating against the blacklist.
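The case-sensitivity bug the PR description explains, as an added example that is not code from this project: a blacklist check that compares the raw tag name as written (the vulnerable behaviour) next to one that lowercases it first (what the PR does), run over a few constructed fragments. `BLACKLISTED_TAGS`, `parseTagName`, `isBlockedNaive`, `isBlocked` and `compare` are hypothetical names for this illustration.

```javascript
// Added illustration, not the project's code. Tags that must never be
// rendered from untrusted input (hypothetical list for this example).
const BLACKLISTED_TAGS = ['script', 'style'];

// Extracts the tag name from the start of a raw HTML fragment such as
// "<SCRIPT>alert('hi')</SCRIPT>" -> "SCRIPT". Returns null if no tag is found.
function parseTagName(html) {
  const m = /^<\s*([a-zA-Z][a-zA-Z0-9-]*)/.exec(html);
  return m ? m[1] : null;
}

// Vulnerable: compares the tag name exactly as written, so "<SCRIPT>" and
// "<Style>" slip past a blacklist that only lists lowercase names.
function isBlockedNaive(html) {
  const tag = parseTagName(html);
  return tag !== null && BLACKLISTED_TAGS.includes(tag);
}

// Fixed (the PR's approach): normalize to lowercase before the comparison.
// HTML tag names are case-insensitive, so every spelling now matches.
function isBlocked(html) {
  const tag = parseTagName(html);
  return tag !== null && BLACKLISTED_TAGS.includes(tag.toLowerCase());
}

// Constructed samples covering the bypass described in the PR.
const SAMPLES = [
  "<script>alert('hi')</script>",
  "<SCRIPT>alert('hi')</SCRIPT>",
  "<StYlE>body{display:none}</StYlE>",
  "<p>harmless</p>",
];

// Returns { html, naive, fixed } per sample so the difference is visible.
function compare(samples = SAMPLES) {
  return samples.map((html) => ({
    html,
    naive: isBlockedNaive(html),
    fixed: isBlocked(html),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

Only the second column differs between the two checks on the mixed-case rows; the lowercase and harmless rows behave identically under both.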