all repos — grayfriday @ e10ba88263489d0358d7bc5fd6f5e153c603a2a3

blackfriday fork with a few changes

Sanitize shouldn't filter out URLs without protocol.
Daniel Imfeld daniel@danielimfeld.com
Fri, 16 May 2014 03:28:44 -0500
commit

e10ba88263489d0358d7bc5fd6f5e153c603a2a3

parent

93aad334f476fe5ecc0db49d91293fce5b4cd279

2 files changed, 4 insertions(+), 2 deletions(-)

M sanitize.gosanitize.go

@@ -92,7 +92,7 @@ // For whitelisted attributes, if it's an attribute that requires

// protocol checking, do so and strip it if it's not known to be safe.
tagProtocolAttrs, ok := protocolAttrs[tagName]
if ok && tagProtocolAttrs[attrName] {
- if !protocolAllowed(val) {
+ if !isRelativeLink(val) && !protocolAllowed(val) {
continue
}
}
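Review bot: The added `!isRelativeLink(val)` test on the changed `if` lets every value that helper accepts skip `protocolAllowed` entirely, so the sanitizer's guarantee for protocol-checked attributes now rests on a function whose definition is not in this hunk. Before merging I would confirm that it rejects scheme-relative values such as `//host/path`, values with leading whitespace or control characters ahead of a scheme, and the empty string (if it indexes the first byte, an empty attribute value would presumably panic). A comment above the condition would record the dependency: `// isRelativeLink must accept only local paths and fragments; anything it accepts bypasses the protocol whitelist.` The enclosing function begins and ends outside the hunk.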
M sanitize_test.gosanitize_test.go

@@ -80,7 +80,7 @@ "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",

"<p><img></p>\n",
`<IMG SRC=# onmouseover="alert('xxs')">`,
- "<p><img></p>\n",
+ "<p><img src=\"#\"></p>\n",
`<IMG SRC= onmouseover="alert('xxs')">`,
"<p><img></p>\n",

@@ -192,6 +192,8 @@ func TestSanitizeInlineLink(t *testing.T) {

tests := []string{
"[link](javascript:evil)",
"<p><a>link</a></p>\n",
+ "[link](/abc)",
+ "<p><a href=\"/abc\">link</a></p>\n",
}
doTestsSanitize(t, tests)
}
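Review bot: TestSanitizeInlineLink gains only a positive case (`/abc` is kept), so nothing in the suite pins what the relaxed check must still strip. Next to `"[link](/abc)",` I would add an input/output pair for a scheme-relative target, e.g. `"[link](//example.com/x)",` followed by whatever output the project decides is correct for it, and a pair for a fragment-only link. Without such boundary cases, a later loosening of isRelativeLink would widen what the sanitizer lets through without failing any test.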