all repos — grayfriday @ 55d8f72ddede11ea2eed7abe74a218a43444992b

blackfriday fork with a few changes

feat: Write self-closing tags with a />

Adds tests for self-closing tags both for correct writing and for correct
sanitization, i.e. stripping attributes on them.
Martin Probst martin@probst.io
Sat, 03 May 2014 12:58:25 +0200
commit

55d8f72ddede11ea2eed7abe74a218a43444992b

parent

50b8e0370b6d767a2df828f8a3481a6a443fdb61

2 files changed, 21 insertions(+), 5 deletions(-)

M inline_test.goinline_test.go

@@ -204,16 +204,13 @@ "<p>&lt;iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> &lt;</p>\n",
 // Additonal token types: SelfClosing, Comment, DocType.
 "<br/>",
- "<p><br></p>\n",
+ "<p><br/></p>\n",
 "<!-- Comment -->",
 "<!-- Comment -->\n",
 "<!DOCTYPE test>",
 "<p>&lt;!DOCTYPE test&gt;</p>\n",
-
- "<hr>",
- "<hr>\n",
 }
 doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
 }

@@ -225,6 +222,21 @@ "<p>Here are some &#34;quotes&#34;.</p>\n",
 "<p>Here are some &ldquo;quotes&rdquo;.</p>\n",
 "<p>Here are some \u201Cquotes\u201D.</p>\n",
+ }
+ doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
+}
+
+func TestSanitizeSelfClosingTag(t *testing.T) {
+ tests := []string{
+ "<hr>\n",
+ "<hr>\n",
+
+ "<hr/>\n",
+ "<hr/>\n",
+
+ // Make sure that evil attributes are stripped for self closing tags.
+ "<hr onclick=\"evil()\"/>\n",
+ "<hr/>\n",
 }
 doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
 }
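Review bot: TestSanitizeSelfClosingTag only exercises `hr`, so it never covers a tag outside the whitelist written in self-closing form, which is the case where a wrong `/>` path would let markup through. Add a pair whose input is `"<script/>\n"` and whose expected value is the escaped text; take the exact expected string from a run, since the paragraph wrapping is decided outside this hunk. A further pair with an allowed attribute on a self-closing tag would confirm that `/>` is still written after the attribute output. The hunk also closes the preceding test function, whose start is outside the hunk.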
M sanitize.gosanitize.go

@@ -103,7 +103,11 @@ wr.WriteString(html.EscapeString(string(val)))
 wr.WriteByte('"')
 }
 }
- wr.WriteString(">")
+ if t == html.SelfClosingTagToken {
+ wr.WriteString("/>")
+ } else {
+ wr.WriteString(">")
+ }
 } else {
 wr.WriteString(html.EscapeString(string(tokenizer.Raw())))
 }
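Review bot: The new branch at `if t == html.SelfClosingTagToken` writes `/>` for every accepted tag the tokenizer reports as self-closing, not only for void elements such as `hr` and `br`. HTML parsers ignore the trailing slash on non-void elements, so if the whitelist (outside this hunk) contains elements like `div` or `a`, the output `<div/>` still opens an element that nothing closes, while reading as if it were balanced. Either limit the `/>` form to void elements or state the limitation where the tag is written, for example `// "/>" mirrors the input token; on non-void elements browsers treat it as an open tag.` The enclosing function starts and ends outside the hunk.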