kennygrant/sanitize

sanitize.HTMLAllowing() breaks when encountering a self-closing iframe tag

Opened this issue · 2 comments

dy-dx commented
package main

import (
	"fmt"

	"github.com/kennygrant/sanitize"
)

func main() {
	// Same markup twice; only the iframe form differs (explicit close vs self-closing).
	input1 := `<iframe></iframe><script>alert('uh oh');</script><p>hello</p>`
	input2 := `<iframe /><script>alert('uh oh');</script><p>hello</p>`

	allowedTags := []string{"p"}

	output1, _ := sanitize.HTMLAllowing(input1, allowedTags)
	fmt.Println(output1) // <p>hello</p>

	// With the self-closing iframe the script is no longer stripped, only escaped.
	output2, _ := sanitize.HTMLAllowing(input2, allowedTags)
	fmt.Println(output2) // &lt;script&gt;alert(&#39;uh oh&#39;);&lt;/script&gt;&lt;p&gt;hello&lt;/p&gt;
}

Thanks. I assume the expected output in both cases is:

<p>hello</p>

Because it should be removing both the iframe and the script tags, but instead it doesn't remove them and ends up escaping them? So it's over-escaping here, and you end up with all the escaped HTML in output2 rather than just the expected paragraph.

Is that a fair summary?

dy-dx commented

Yes, that's exactly right.
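For reference, the behaviour both sides agree on above (drop iframe and script with their contents, keep only allowed tags, escape the rest) written as a small standard-library-only allowlist filter that treats `<iframe />` and `<iframe></iframe>` the same. This is an added illustration, not code from the sanitize package; the `Allowing` function, `tagRe` and `dropContent` are assumed names, and attributes are deliberately discarded.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// One tag: group 1 is "/" for an end tag, group 2 the name, group 3 "/" when self-closing.
var tagRe = regexp.MustCompile(`<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)[^>]*?(/?)\s*>`)
// Elements removed together with their contents (an unclosed one drops the rest of the input).
var dropContent = map[string]bool{"script": true, "style": true, "iframe": true}

// Allowing keeps tags in allowed (attributes stripped), removes dropContent elements
// with their contents, strips every other tag but keeps its text, and escapes text.
func Allowing(in string, allowed []string) string {
	ok := map[string]bool{}
	for _, t := range allowed {
		ok[strings.ToLower(t)] = true
	}
	var out strings.Builder
	skip, pos := "", 0 // skip: dropContent element we are inside; pos: end of last tag
	for _, m := range tagRe.FindAllStringSubmatchIndex(in, -1) {
		if skip == "" {
			out.WriteString(html.EscapeString(in[pos:m[0]])) // text before this tag
		}
		pos = m[1]
		closing, selfClosing := m[3] > m[2], m[7] > m[6]
		name := strings.ToLower(in[m[4]:m[5]])
		switch {
		case skip != "": // inside a dropped element: only its own end tag matters
			if closing && name == skip {
				skip = ""
			}
		case ok[name]: // re-emit with attributes removed; "/" kept only for end tags
			out.WriteString("<" + in[m[2]:m[3]] + name + ">")
		case dropContent[name] && !closing && !selfClosing:
			skip = name // `<iframe />` has no content, so it is dropped without skipping
		}
	}
	if skip == "" {
		out.WriteString(html.EscapeString(in[pos:]))
	}
	return out.String()
}

func main() {
	fmt.Println(Allowing(`<iframe /><script>alert('uh oh');</script><p>hello</p>`, []string{"p"})) // <p>hello</p>
}
```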