Merge pull request #70 from mprobst/master
fix: Handle all different token types that the parser can emit (d'oh).
This commit is contained in:
commit
aeb569ff46
|
@ -201,6 +201,16 @@ func TestRawHtmlTag(t *testing.T) {
|
|||
"<iframe src=http://ha.ckers.org/scriptlet.html <",
|
||||
// The hyperlink gets linkified, the <iframe> gets escaped
|
||||
"<p><iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> <</p>\n",
|
||||
|
||||
// Additonal token types: SelfClosing, Comment, DocType.
|
||||
"<br/>",
|
||||
"<p><br></p>\n",
|
||||
|
||||
"<!-- Comment -->",
|
||||
"<!-- Comment -->\n",
|
||||
|
||||
"<!DOCTYPE test>",
|
||||
"<p><!DOCTYPE test></p>\n",
|
||||
}
|
||||
doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
|
||||
}
|
||||
|
|
|
@ -64,7 +64,7 @@ func sanitizeHtmlSafe(input []byte) []byte {
|
|||
case html.TextToken:
|
||||
// Text is written escaped.
|
||||
wr.WriteString(tokenizer.Token().String())
|
||||
case html.StartTagToken:
|
||||
case html.SelfClosingTagToken, html.StartTagToken:
|
||||
// HTML tags are escaped unless whitelisted.
|
||||
tag, hasAttributes := tokenizer.TagName()
|
||||
tagName := string(tag)
|
||||
|
@ -105,7 +105,14 @@ func sanitizeHtmlSafe(input []byte) []byte {
|
|||
} else {
|
||||
wr.WriteString(html.EscapeString(string(tokenizer.Raw())))
|
||||
}
|
||||
case html.CommentToken:
|
||||
// Comments are not really expected, but harmless.
|
||||
wr.Write(tokenizer.Raw())
|
||||
case html.DoctypeToken:
|
||||
// Escape DOCTYPES, entities etc can be dangerous
|
||||
wr.WriteString(html.EscapeString(string(tokenizer.Raw())))
|
||||
default:
|
||||
tokenizer.Token()
|
||||
panic(fmt.Errorf("Unexpected token type %v", t))
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue