Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix href sanitization bugs #103

Merged
merged 1 commit into from Aug 13, 2020
Merged

Fix href sanitization bugs #103

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
20 changes: 10 additions & 10 deletions sanitize.go
View file
Open in desktop
Expand Up @@ -133,8 +133,8 @@ func sanitizedUrl(val string) (string, error) {
for k, vals := range queryValues {
sk := html.EscapeString(k)
for _, v := range vals {
sv := escapeUrlComponent(v)
sanitizedQueryValues.Set(sk, sv)
sv := v
sanitizedQueryValues.Add(sk, sv)
}
}
u.RawQuery = sanitizedQueryValues.Encode()
Expand Down Expand Up @@ -390,10 +390,10 @@ func (p *Policy) sanitizeAttrs(
hasStylePolicies = true
}
// no specific element policy found, look for a pattern match
if !hasStylePolicies{
for k, v := range p.elsMatchingAndStyles{
if !hasStylePolicies {
for k, v := range p.elsMatchingAndStyles {
if k.MatchString(elementName) {
if len(v) > 0{
if len(v) > 0 {
hasStylePolicies = true
break
}
Expand Down Expand Up @@ -669,14 +669,14 @@ func (p *Policy) sanitizeAttrs(

func (p *Policy) sanitizeStyles(attr html.Attribute, elementName string) html.Attribute {
sps := p.elsAndStyles[elementName]
if len(sps) == 0{
if len(sps) == 0 {
sps = map[string]stylePolicy{}
// check for any matching elements, if we don't already have a policy found
// if multiple matches are found they will be overwritten, it's best
// to not have overlapping matchers
for regex, policies :=range p.elsMatchingAndStyles{
if regex.MatchString(elementName){
for k, v := range policies{
for regex, policies := range p.elsMatchingAndStyles {
if regex.MatchString(elementName) {
for k, v := range policies {
sps[k] = v
}
}
Expand Down Expand Up @@ -874,7 +874,7 @@ func removeUnicode(value string) string {
return substitutedValue
}

func (p *Policy) matchRegex(elementName string ) (map[string]attrPolicy, bool) {
func (p *Policy) matchRegex(elementName string) (map[string]attrPolicy, bool) {
aps := make(map[string]attrPolicy, 0)
matched := false
for regex, attrs := range p.elsMatchingAndAttrs {
Expand Down
8 changes: 8 additions & 0 deletions sanitize_test.go
View file
Open in desktop
Expand Up @@ -131,6 +131,14 @@ func TestLinks(t *testing.T) {
in: `<a href="?q=1&r=2">`,
expected: `<a href="?q=1&r=2" rel="nofollow">`,
},
{
in: `<a href="?q=1&q=2">`,
expected: `<a href="?q=1&q=2" rel="nofollow">`,
},
{
in: `<a href="?q=%7B%22value%22%3A%22a%22%7D">`,
expected: `<a href="?q=%7B%22value%22%3A%22a%22%7D" rel="nofollow">`,
},
{
in: `<a href="?q=1&r=2&s=:foo@">`,
expected: `<a href="?q=1&r=2&s=%3Afoo%40" rel="nofollow">`,
Expand Down