Merge pull request #82 from dimfeld/master Sanitize shouldn't filter out URLs without protocol.
Vytautas Ĺ altenis vytas@rtfb.lt
Fri, 16 May 2014 12:10:22 +0300
2 files changed,
4 insertions(+),
2 deletions(-)
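--- a/sanitize.go
+++ b/sanitize.go
@@ -92,7 +92,7 @@ // For whitelisted attributes, if it's an attribute that requires
 	// protocol checking, do so and strip it if it's not known to be safe.
 	tagProtocolAttrs, ok := protocolAttrs[tagName]
 	if ok && tagProtocolAttrs[attrName] {
-		if !protocolAllowed(val) {
+		if !isRelativeLink(val) && !protocolAllowed(val) {
 			continue
 		}
 	}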
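Review bot: The new guard on the `+` line lets any value for which `isRelativeLink(val)` is true skip the protocol whitelist entirely, and that helper is defined outside this hunk, so the safety of href/src attributes now rests on its notion of "relative" rather than on `protocolAllowed`. Browsers ignore leading whitespace and control characters before looking for a scheme, so a check that only inspects the first character, or only looks for a leading `/`, would let a scheme-bearing value through that the old code rejected; it is worth confirming that the helper returns false for anything with leading whitespace or a `:` before the first `/`, `?` or `#`. A comment on the guard would record that contract for the next reader, e.g. `// Relative links carry no scheme, so the protocol whitelist does not apply; isRelativeLink must reject anything a browser would parse as having one.` The enclosing function starts and ends outside the hunk.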
sanitize_test.go
→
sanitize_test.go
@@ -80,7 +80,7 @@ "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
"<p><img></p>\n", `<IMG SRC=# onmouseover="alert('xxs')">`, - "<p><img></p>\n", + "<p><img src=\"#\"></p>\n", `<IMG SRC= onmouseover="alert('xxs')">`, "<p><img></p>\n",@@ -192,6 +192,8 @@ func TestSanitizeInlineLink(t *testing.T) {
tests := []string{ "[link](javascript:evil)", "<p><a>link</a></p>\n", + "[link](/abc)", + "<p><a href=\"/abc\">link</a></p>\n", } doTestsSanitize(t, tests) }
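Review bot: The added `[link](/abc)` case pins only a root-relative path, so nothing in TestSanitizeInlineLink asserts that a protocol-relative value (one beginning with `//`) or a value with leading whitespace before a scheme is still stripped now that isRelativeLink can bypass protocolAllowed. Adding a pair next to the new lines, such as `"[link](//example.test/abc)"` (constructed example) with whatever output the policy intends, and a second pair with a leading space before the page's existing `javascript:evil` input, would lock that behaviour in. TestSanitizeInlineLink is shown in full; the first hunk in this file changes only an expected string.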