Merge pull request #182 from KN4CK3R/fix-schemes
Prefer explicit rules over regexp
grafana-dee authored Jul 18, 2023
2 parents 994eb69 + 9e4b236 commit 50149cc
Showing 3 changed files with 29 additions and 7 deletions.
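--- a/policy.go
+++ b/policy.go
@@ -118,7 +118,11 @@ type Policy struct {
 allowURLSchemes map[string][]urlPolicy
 
 // These regexps are used to match allowed URL schemes, for example
-// if one would want to allow all URL schemes, they would add `.+`
+// if one would want to allow all URL schemes, they would add `.+`.
+// However pay attention as this can lead to XSS being rendered thus
+// defeating the purpose of using a HTML sanitizer.
+// The regexps are only considered if a schema was not explicitly
+// handled by `AllowURLSchemes` or `AllowURLSchemeWithCustomPolicy`.
 allowURLSchemeRegexps []*regexp.Regexp
 
 // If an element has had all attributes removed as a result of a policy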
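Review bot: The added field comment says "if a schema was not explicitly handled", but the field and the two methods it names deal with URL schemes, so the line should read `// The regexps are only considered if a scheme was not explicitly`. In the same comment, `a HTML sanitizer` reads better as `an HTML sanitizer`, and `However pay attention` wants a comma after "However". The Policy struct definition starts before and continues after this hunk.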
12 changes: 6 additions & 6 deletions sanitize.go
Expand Up @@ -970,14 +970,14 @@ func (p *Policy) validURL(rawurl string) (string, bool) {
}

if u.Scheme != "" {
for _, r := range p.allowURLSchemeRegexps {
if r.MatchString(u.Scheme) {
return u.String(), true
}
}

urlPolicies, ok := p.allowURLSchemes[u.Scheme]
if !ok {
for _, r := range p.allowURLSchemeRegexps {
if r.MatchString(u.Scheme) {
return u.String(), true
}
}

return "", false
}

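Review bot: The regexp loop in its new position inside `if !ok {` is now a fallback only, but nothing in validURL says so; a reader sees two allow paths and may assume their order is incidental and later reorder them back. Suggest the comment `// Regexps are a fallback only: an explicit entry for the scheme (allow or custom policy) always wins.` directly above the moved `for _, r := range p.allowURLSchemeRegexps` line. Note that the regexp match still returns `u.String(), true` with no per-URL policy applied, so a broad pattern such as `.+` admits every scheme that is not explicitly registered, which is the caveat the Policy field comment warns about. validURL begins before and continues after this hunk.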
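--- a/sanitize_test.go
+++ b/sanitize_test.go
@@ -4007,4 +4007,22 @@ func TestIssue174(t *testing.T) {
 out,
 expected)
 }
+
+// Custom handling of specific URL schemes even if the regex allows all
+p.AllowURLSchemeWithCustomPolicy("javascript", func(*url.URL) bool {
+return false
+})
+
+input = `<a href="cbthunderlink://somebase64string"></a>
+<a href="javascript:alert('test')">xss</a>`
+out = p.Sanitize(input)
+expected = `<a href="cbthunderlink://somebase64string" rel="nofollow"></a>
+xss`
+if out != expected {
+t.Errorf(
+"test failed;\ninput : %s\noutput : %s\nexpected: %s",
+input,
+out,
+expected)
+}
 }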
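Review bot: The new case only exercises the lower-case `javascript:` scheme, so it does not show that the explicit custom policy still takes precedence over the regexp when the scheme is written in another case; adding a second anchor to the input such as `<a href="JavaScript:alert('test')">xss</a>` with a matching stripped `xss` in expected would pin that. net/url lowercases the scheme when parsing, so the map lookup in validURL is presumably reached with the normalized value, but the test is the place to confirm it rather than a code-reading assumption. The `input`, `out` and `expected` variables are declared earlier in TestIssue174, which starts before this hunk.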
