Comments (8)

zoe0316 avatar zoe0316 commented on July 17, 2024

use html.UnescapeString(s) to free the demon.

from bluemonday.

buro9 avatar buro9 commented on July 17, 2024

There is no way to do this.

This sanitization is HTML aware and uses the HTML packages. Those packages always escape HTML chars.

buro9 avatar buro9 commented on July 17, 2024

Argh, no... it's dangerous if people don't fully understand why not to do this, how the string is going to be used, etc.

The advice to routinely apply html.UnescapeString() would take safe and sanitised input and make it unsafe again in many circumstances.

If you've taken input and all you're doing is using bluemonday to strip everything via the strict policy... and then the final string is going through a non-HTML medium, i.e. plain text portion of email, or as an SMS... then perhaps, perhaps it does make sense in those circumstances to unescape the escaped characters as the environment in which the string is to be used is now one of text/plain rather than text/html.

But if there is any chance of the string being used within HTML, you should never use html.UnescapeString on the output of bluemonday.

I don't want that to be the advice in the docs as in the majority of instances people don't understand the nuance and will just expose themselves to risk again by copy and pasting. In the cases where people do understand the nuance they will find the guidance on the various tickets easily enough.

yar2001 avatar yar2001 commented on July 17, 2024

Perhaps this feature should be marked in the documentation, as sometimes it is unexpected. For example, escapes in Markdown break the syntax.

yar2001 avatar yar2001 commented on July 17, 2024

Thanks for your reply. After noticing this feature, I then looked at other languages and libraries of sanitization html, and found escaping special characters seems to be common. Yes, security is always the first.

madneal avatar madneal commented on July 17, 2024

But there do exist requirements to avoid some special characters. Markdown is very common when dealing with HTML. It would be better to provide options to configure this.

szxp avatar szxp commented on July 17, 2024

@buro9 How are you using bluemonday together with the html/template package?

The html/template package contextually autoescapes special characters.
When the input is sanitized by bluemonday, stored in the database, and later displayed through the html/template package I get double escaped strings back. This is why I use html.Unescape function after sanitization and before storing data in the database to avoid double escaping. And I am careful to use only the html/template package to generate HTML and the net/url package to build URLs with properly escaped query parameters.

buro9 avatar buro9 commented on July 17, 2024

That's a good question:
https://github.com/buro9/microcosm/blob/master/web/files/templates/includes/block_comment.html.tmpl#L67

{{ $comment.HTML | safeHTML }}

I have a template func.

Those are defined here: https://github.com/buro9/funcs/blob/master/init.go#L39-L43

And specifically here https://github.com/buro9/funcs/blob/master/safe/safe.go#L25-L33

This avoids double escaping.

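The two behaviours argued over in this thread, buro9's warning that running html.UnescapeString over sanitizer output puts markup back, and the double escaping szxp gets when the stored string goes through html/template as a plain string (which a safeHTML-style template func avoids), shown side by side in an added Go example. This is not code from the bluemonday project or from anyone in the thread. The stored string is constructed by hand to stand for what a strict sanitizer (bluemonday's StrictPolicy is the assumption) returns when a user submits the pre-escaped text `&lt;script&gt;alert(1)&lt;/script&gt; a &amp; b`; the function names are the example's own.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Constructed sample: the string assumed to come back from a strict HTML
// sanitizer (bluemonday's StrictPolicy) for the user input
// "&lt;script&gt;alert(1)&lt;/script&gt; a &amp; b". Tags are gone and
// the text is entity-escaped; this is what the application stores.
const sanitized = "&lt;script&gt;alert(1)&lt;/script&gt; a &amp; b"

// page is the kind of html/template that displays a stored comment.
// {{.Body}} is contextually auto-escaped; the Go type of Body decides
// whether the escaper touches it.
var page = template.Must(template.New("comment").Parse(`<p>{{.Body}}</p>`))

func render(body any) string {
	var sb strings.Builder
	if err := page.Execute(&sb, struct{ Body any }{body}); err != nil {
		panic(err)
	}
	return sb.String()
}

// RenderNaive hands the sanitized string over as a plain string, so
// html/template escapes it a second time: "&lt;" becomes "&amp;lt;".
func RenderNaive(s string) string { return render(s) }

// RenderTrusted marks the already-sanitized string as template.HTML, the
// same idea as a safeHTML template func: html/template leaves it alone,
// each entity is emitted once, and the browser shows the literal text
// "<script>" instead of running anything.
func RenderTrusted(s string) string { return render(template.HTML(s)) }

// RenderUnescaped is the "free the demon" path: unescaping the sanitizer's
// output and then trusting it reinstates a live script element.
func RenderUnescaped(s string) string {
	return render(template.HTML(html.UnescapeString(s)))
}

// ToPlainText is the one case where unescaping is reasonable: the string
// is bound for a text/plain destination (SMS, plain-text mail) and will
// never be parsed as HTML, so entities should become their characters.
func ToPlainText(s string) string { return html.UnescapeString(s) }

// ContainsLiveTag reports whether rendered output carries an actual
// <script> element rather than the escaped text for one.
func ContainsLiveTag(out string) bool { return strings.Contains(out, "<script>") }

func main() {
	fmt.Println("naive (double escaped):", RenderNaive(sanitized))
	fmt.Println("trusted (escaped once):", RenderTrusted(sanitized))
	fmt.Println("unescaped then trusted:", RenderUnescaped(sanitized))
	fmt.Println("plain text destination:", ToPlainText(sanitized))
}
```

The point of the three HTML paths is that the fix for double escaping is to change the type handed to html/template, not the stored string: RenderTrusted keeps the sanitizer's escaping and only suppresses the second pass, while RenderUnescaped discards it and ends up with the very tag the sanitizer removed.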