github_flavored_markdown: Do not filter out data URI scheme images.

See discussion of potential security implications at microcosm-cc/bluemonday#5. The conclusion is that it should be okay, unless there are bugs in client (browsers) code that would open new attack vectors. In the interest of science and moving tech forward, I will stop filtering these out. If you're dealing with untrusted user generated input and feel paranoid, you may want to apply a stricter sanitization policy that applies to your specific scenario on top.
shurcooL · Jul 7, 2014 · f0763e5 · f0763e5
1 parent 18e096f
commit f0763e5
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/github_flavored_markdown/main.go b/github_flavored_markdown/main.go
@@ -49,6 +49,7 @@ func Markdown(text []byte) []byte {
 	p.AllowAttrs("class", "name").Matching(bluemonday.SpaceSeparatedTokens).OnElements("a")
 	p.AllowAttrs("rel").Matching(regexp.MustCompile(`^nofollow$`)).OnElements("a")
 	p.AllowAttrs("aria-hidden").Matching(regexp.MustCompile(`^true$`)).OnElements("a")
+	p.AllowDataURIImages()
 
 	return p.SanitizeBytes(unsanitized)
 }

diff --git a/github_flavored_markdown/sanitize_test.go b/github_flavored_markdown/sanitize_test.go
@@ -69,6 +69,7 @@ index dc83bf7..5260a7d 100644
 	p.AllowAttrs("class", "name").Matching(bluemonday.SpaceSeparatedTokens).OnElements("a")
 	p.AllowAttrs("rel").Matching(regexp.MustCompile(`^nofollow$`)).OnElements("a")
 	p.AllowAttrs("aria-hidden").Matching(regexp.MustCompile(`^true$`)).OnElements("a")
+	p.AllowDataURIImages()
 
 	output := p.SanitizeBytes(unsanitized)