Comments (10)
Based on your previous response, would this be reasonable?
• Run the original input through bluemonday
• Run the result of this through html.UnescapeString()
• Save this result in the database
• Later, when I want to display the saved value, run the value through html.EscapeString before sending it to the output buffer.
from bluemonday.
Ah, OK.
What I do:
- Save the original input
- Generate HTML sanitized version server side
- If viewing the value, then the HTML sanitized version is presented
- If editing the value, then the original input is presented
The goal is to never render the original input as HTML within a page, but it can still be rendered as plain text... i.e. within a text input box.
from bluemonday.
That would work too.
I prefer to store original and allow users to edit that as it's less surprising. But this is UX rather than security and what you've described also works fine.
from bluemonday.
I still don't get this. Say a user named Jim O'Hare fills in a form on my site and submits it. If I escape the input (using bluemonday or Go functions), the apostrophe becomes &#39; and that's what the user sees next time, which is not right. If I don't escape user inputs then I'm open to XSS attacks. What am I missing?
from bluemonday.
that data will be saved in a database eventually and redisplayed later.
How are you planning to display it later?
It sounds like what you’re looking for is an HTML to text renderer. Then you could use that on output of bluemonday.
from bluemonday.
The html package contains html.UnescapeString(): https://golang.org/pkg/html/#UnescapeString
Whilst bluemonday is an HTML sanitizer and expects to take input that is HTML to then be displayed as HTML (and as such escaping HTML entities is correct and part of the underlying core package)... it is possible for you to simply take the output of bluemonday.Sanitize() and run that through html.UnescapeString to convert HTML entities back to plain text.
However, a warning... if you do this and then display the output as HTML, then you've provided the means for someone who can deduce that this behaviour exists to then craft a payload that relies on being unescaped such that the output does contain malicious code that wasn't present in the original input. i.e. providing HTML entities makes &lt;script&gt; safe from the perspective of the sanitizer as it would never render a script tag, but once you run the output through html.UnescapeString() you would have created <script>, which if now displayed as HTML would result in an XSS or worse.
The tools already exist to do what has been asked, but I still would not recommend using them unless you are in full control of how the resulting string will be used. This is why bluemonday carries the warning that it must be the last thing to process the content :)
from bluemonday.
You are double-escaping.
Escaping HTML entities is an integral part of sanitising input, but if you've escaped there then escaping again in the presentation layer of your website results in the escaped entities being escaped again.
Either you unescape post-sanitization, or you don't escape a second time. Either option exists for you with the latter being the safest.
from bluemonday.
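An added example (my own code, not from this thread or from the bluemonday project) that shows both failure modes discussed in the two comments above in Go: first, why running html.UnescapeString over a sanitizer's output turns entity-encoded markup back into live markup, and second, why escaping before storage and again at output produces the O&#39;Hare that Jim sees. The tag-stripping function is a hypothetical stand-in for a strict sanitizer policy (it keeps pre-encoded entities untouched, which is the property the warning relies on); it is not bluemonday, and the pipeline is demonstrated with the standard library only.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"regexp"
)

// toyStripTags is a hypothetical stand-in for a strict sanitizer policy: it drops
// anything that parses as a tag but leaves pre-encoded entities such as &lt; alone.
// It is NOT bluemonday; only that entity-preserving property matters here.
var tagRe = regexp.MustCompile(`<[^>]*>`)

func toyStripTags(s string) string { return tagRe.ReplaceAllString(s, "") }

// SanitizeThenUnescape is the risky pipeline from the thread: sanitize, then
// html.UnescapeString. Entities survive the sanitizer and are decoded into markup.
func SanitizeThenUnescape(s string) string {
	return html.UnescapeString(toyStripTags(s))
}

// surnameBox renders a stored surname into an input box; html/template escapes
// once, at output, using the attribute-value context.
var surnameBox = template.Must(template.New("box").Parse(
	`<input name="surname" value="{{.}}">`))

func render(v string) string {
	var buf bytes.Buffer
	if err := surnameBox.Execute(&buf, v); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderStoredRaw is the correct flow: store O'Hare exactly as typed, escape at output.
func RenderStoredRaw(raw string) string { return render(raw) }

// RenderStoredEscaped is the double-escaping bug: the value was escaped before
// storage and the template escapes it again, so the user ends up seeing O&#39;Hare.
func RenderStoredEscaped(raw string) string { return render(html.EscapeString(raw)) }

// BrowserShows decodes an attribute value once, as a browser does before display.
func BrowserShows(attrValue string) string { return html.UnescapeString(attrValue) }

func main() {
	fmt.Println(SanitizeThenUnescape("&lt;script&gt;alert(1)&lt;/script&gt;"))
	fmt.Println(RenderStoredRaw("O'Hare"), "->", BrowserShows("O&#39;Hare"))
	fmt.Println(RenderStoredEscaped("O'Hare"), "->", BrowserShows("O&amp;#39;Hare"))
}
```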
Thanks, but I'm escaping only once, and only during presentation:
- The user enters O'Hare in the surname textbox during signup - I save this as is to the database (I'm using a NoSQL DB, so SQL injections are not an issue)
- When the user later views his account page, I escape before displaying the surname in a text box so that O'Hare becomes O&#39;Hare
from bluemonday.
I'm doing this (call me crazy)
package sanitizer

import (
	"html"

	"github.com/microcosm-cc/bluemonday"
)

type InputSanitizer struct{}

func (i *InputSanitizer) Sanitize(str string) string {
	p := bluemonday.StrictPolicy()
	p.AllowStandardURLs()
	// sanitizing twice to allow apostrophes, and at the same time,
	// to avoid entries like &lt;script&gt; from becoming <script>
	// some discussions:
	// https://github.com/microcosm-cc/bluemonday/issues/28
	// https://github.com/microcosm-cc/bluemonday/issues/74
	sanitized := p.Sanitize(str)
	unescaped := html.UnescapeString(sanitized)
	sanitized = p.Sanitize(unescaped)
	return html.UnescapeString(sanitized)
}
from bluemonday.
@leodip looks good at first, but if you encode the XSS two times, at the end your string will contain the exploit.
from bluemonday.