
Auto-closing <a/> tags not closed #8

Closed
isaacs opened this Issue · 2 comments

2 participants

Isaac Z. Schlueter Ben Smawfield
Isaac Z. Schlueter

Stuff like this makes problems:

<p><a name="foo"/> This is the foo section.</p>
<p><a name="bar"/> This is the bar section.</p>

Sanitized result:

<p><a name="foo"> This is the foo section.
<p><a name="bar"> This is the bar section.</a></p></a></p>
Isaac Z. Schlueter

Somewhat ugly workaround:

var sanitizer = require('sanitizer') // Caja-HTML-Sanitizer (assumed package name)

function sanitize(p, urlPolicy) {
  // Expand every XHTML-style self-closing tag (<x .../>) into <x ...></x>,
  // since the sanitizer ignores the trailing "/" and leaves the element open.
  p = p.replace(/<([a-zA-Z]+)([^>]*)\/>/g, '<$1$2></$1>')
  return sanitizer.sanitize(p, urlPolicy)
}

EDIT: Updated, because actually no auto-closed tags are handled properly.

Isaac Z. Schlueter isaacs referenced this issue from a commit in npm/npm-www
Isaac Z. Schlueter isaacs Workaround theSmaw/Caja-HTML-Sanitizer#8 3e2533b
Ben Smawfield
Owner

Awesome. I've brought this fix into 0.1.1:

it('should sanitize auto-closing tags', function() {
    // nmTokenPolicy in this test rewrites name="foo" to name="p-foo"
    assert.equal(
        '<p><a name="p-foo"></a> This is the foo section.</p><p><a name="p-bar"></a> This is the bar section.</p>',
        sanitizer.sanitize('<p><a name="foo"/> This is the foo section.</p><p><a name="bar"/> This is the bar section.</p>', uriPolicy, nmTokenPolicy));
});
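A fuller version of the pre-pass from the thread, as an added example that is not code from the Caja-HTML-Sanitizer project or from either comment: it expands self-closing tags while leaving HTML void elements void (so `<br/>` does not become `<br></br>`), and includes a check that catches the mis-nesting the issue reports. The names `expandSelfClosing`, `findSelfNesting`, `SAMPLE` and `BROKEN` are this example's own.

```javascript
// HTML void elements: they take no closing tag, so `<br/>` must become `<br>`
// rather than `<br></br>` (the thread's workaround does the latter).
const VOID_ELEMENTS = new Set([
  'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
  'link', 'meta', 'param', 'source', 'track', 'wbr',
]);

// Elements HTML does not allow inside themselves; the broken output in the
// issue has <p> inside <p> and <a> inside <a>.
const NON_NESTABLE = new Set(['a', 'p']);

// Rewrite `<tag attrs/>` into `<tag attrs></tag>` (or `<tag attrs>` for void
// elements) before handing the markup to a sanitizer that ignores the "/".
// Like the workaround, an attribute value containing ">" is not handled.
function expandSelfClosing(html) {
  return html.replace(/<([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*\/>/g,
    (match, tag, attrs) => VOID_ELEMENTS.has(tag.toLowerCase())
      ? `<${tag}${attrs}>`
      : `<${tag}${attrs}></${tag}>`);
}

// Regression check for sanitizer output: return the first non-nestable tag
// opened while an element of the same name is still open, or null.
function findSelfNesting(html) {
  const open = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*?(\/?)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, rawName, selfClosing] = m;
    const name = rawName.toLowerCase();
    if (closing) {
      const i = open.lastIndexOf(name);
      if (i !== -1) open.splice(i, 1);
    } else if (!selfClosing && !VOID_ELEMENTS.has(name)) {
      if (NON_NESTABLE.has(name) && open.includes(name)) return name;
      open.push(name);
    }
  }
  return null;
}

// Constructed inputs: the two fragments from the issue (plus a void <br/>),
// and the mis-nested result the issue reports.
const SAMPLE = '<p><a name="foo"/> This is the foo section.</p>' +
               '<p><a name="bar"/> This is the bar section.<br/></p>';
const BROKEN = '<p><a name="foo"> This is the foo section.' +
               '<p><a name="bar"> This is the bar section.</a></p></a></p>';

console.log(expandSelfClosing(SAMPLE), findSelfNesting(BROKEN));
```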
Jakob Gillich jgillich referenced this issue in TryGhost/Ghost
Open

Investigate XSS filtering #1378
