Comments (8)
use html.UnescapeString(s) to free the demon.
from bluemonday.
There is no way to do this.
This sanitization is HTML aware and uses the HTML packages. Those packages always escape HTML chars.
from bluemonday.
Argh, no... it's dangerous if people don't fully understand why not to do this, how the string is going to be used, etc.
The advice to routinely apply html.UnescapeString()
would take safe and sanitised input and make it unsafe again in many circumstances.
If you've taken input and all you're doing is using bluemonday to strip everything via the strict policy... and then the final string is going through a non-HTML medium, i.e. plain text portion of email, or as an SMS... then perhaps, perhaps it does make sense in those circumstances to unescape the escaped characters as the environment in which the string is to be used is now one of text/plain
rather than text/html
.
But if there is any chance of the string being used within HTML, you should never use html.UnescapeString
on the output of bluemonday.
I don't want that to be the advice in the docs as in the majority of instances people don't understand the nuance and will just expose themselves to risk again by copy and pasting. In the cases where people do understand the nuance they will find the guidance on the various tickets easily enough.
from bluemonday.
Perhaps this features should be marked in documentation, as sometimes it is unexpected. For example, escapes in Markdown break the syntax.
from bluemonday.
Argh, no... it's dangerous if people don't fully understand why not to do this, how the string is going to be used, etc.
The advice to routinely apply
html.UnescapeString()
would take safe and sanitised input and make it unsafe again in many circumstances.If you've taken input and all you're doing is using bluemonday to strip everything via the strict policy... and then the final string is going through a non-HTML medium, i.e. plain text portion of email, or as an SMS... then perhaps, perhaps it does make sense in those circumstances to unescape the escaped characters as the environment in which the string is to be used is now one of
text/plain
rather thantext/html
.But if there is any chance of the string being used within HTML, you should never use
html.UnescapeString
on the output of bluemonday.I don't want that to be the advice in the docs as in the majority of instances people don't understand the nuance and will just expose themselves to risk again by copy and pasting. In the cases where people do understand the nuance they will find the guidance on the various tickets easily enough.
Thanks for your reply. After noticing this feature, I then looked at other languages and libraries of sanitization html, and found escaping special characters seems to be common. Yes, security is always the first.
from bluemonday.
But there did existed the requirements to avoid some special characters. Markdown is the very common when dealing with html. It would be better to provide options to configure this.
from bluemonday.
@buro9 How are you using bluemonday
together with the html/template
package?
The html/template
package contextually autoescapes special characters.
When the input is sanitized by bluemonday
, stored in the database, and later displayed through the html/template
package I get double escaped strings back. This is why I use html.Unescape
function after sanitization and before storing data in the database to avoid double escaping. And I am careful to use only the html/template
package to generate HTML and the net/url
package to build URLs with properly escaped query parameters.
from bluemonday.
That's a good question:
https://github.com/buro9/microcosm/blob/master/web/files/templates/includes/block_comment.html.tmpl#L67
{{ $comment.HTML | safeHTML }}
I have a template func.
Those are defined here: https://github.com/buro9/funcs/blob/master/init.go#L39-L43
And specifically here https://github.com/buro9/funcs/blob/master/safe/safe.go#L25-L33
This avoids double escaping.
from bluemonday.
Related Issues (20)
- Translates string characters to html code HOT 2
- How to disallow emoji? HOT 1
- Go ParseThru vulnerability HOT 2
- Test case not sanitising HOT 1
- Paragraph sanitization (e.g. img.alt) is too restrictive, disallows punctuation
- Sanitize only what is disallowed HOT 1
- Way to skip html escaping code blocks? HOT 1
- Can't allow `<picture>` and `<source>` HOT 1
- Add url prefix for tags such as `a`, `img` and `iframe` HOT 3
- Error when using & and amp in url
- Strip only single attribute HOT 3
- Trailing spaces in style attributes break sanitizing
- Is there a way to allow all URL schemes? HOT 3
- Sanitization removes spacing HOT 1
- How to retain URL? HOT 1
- Option to add spaces HOT 2
- SVG policy HOT 1
- <a> tags in tables not matched correctly HOT 1
- New maintainers for bluemonday in 2024 HOT 1
- Filter multiple class values through whitelist
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bluemonday.