sanitize-html not acknowledging allowedSchemes options

Open asrv4git opened this issue 4 months ago • 1 comments

To Reproduce

Step-by-step instructions to reproduce the behavior:

1. Use version 2.13.1 of sanitize-html
2. Run the code below

var sanitizeHtml = require("sanitize-html");

// Only these URL schemes should survive sanitization
const ALLOWED_SCHEMES = ['http', 'https'];

// Input containing a meta refresh whose url= points at a file: URL
const htmlStr = `\'"><meta http-equiv="refresh" content="0;url=file:///etc/passwd" />`;

const cleanedHTML = sanitizeHtml(htmlStr, {
    allowedAttributes: false,
    allowedTags: false,
    allowVulnerableTags: true,
    allowedSchemes: ALLOWED_SCHEMES,
    allowProtocolRelative: false,
    disallowedTagsMode: 'completelyDiscard',
    allowedSchemesByTag: {
        img: [...ALLOWED_SCHEMES, 'data']
    },
});

console.log(cleanedHTML);

Actual behavior

'"&gt;<meta http-equiv="refresh" content="0;url=file:///etc/passwd" />

Expected behavior

'"&gt;<meta http-equiv="refresh" content="0" />

Describe the bug

Even though I have configured it to allow only the 'http' and 'https' schemes, the 'file' scheme is getting allowed in the content="0;url=file:///etc/passwd" attribute.

Details

Version of Node.js: 18 LTS
PLEASE NOTE: Only stable LTS versions (10.x and 12.x) are fully supported but we will do our best with newer versions.

Server Operating System: Linux and yes, Docker is involved?

asrv4git, Oct 15 '24 08:10
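The report above shows the security-relevant gap: allowedSchemes is applied to URL-bearing attributes such as href and src, but a `<meta http-equiv="refresh">` tag carries its URL inside the content attribute in the form `delay; url=...`, so the scheme filter never sees it. The following is an added example (not code from sanitize-html or from the issue author) of a defensive check that parses that content value and enforces the same scheme policy, producing the `content="0"` the reporter expected. The function names `parseRefreshContent`, `enforceRefreshScheme` and `metaRefreshTransform` are my own; the option names `allowedSchemes` and `allowProtocolRelative` are the real sanitize-html options from the report. Two assumptions are labelled in the code: relative URLs without a scheme are treated as allowed (as sanitize-html does for href), and the hook is shaped like a sanitize-html `transformTags` callback, which is where I would wire it in, but that wiring is not part of the library.

```javascript
// Added example: enforce an allowedSchemes policy on the URL carried by
// <meta http-equiv="refresh" content="delay; url=..."> values.

// Parse "<seconds>[;|, [url=]<url>]" into { delay, url }.
// Returns null when the value does not start with a numeric delay.
function parseRefreshContent(content) {
  const m = /^\s*([0-9]+(?:\.[0-9]+)?)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$/i.exec(content);
  if (!m) return null;
  let url = m[2] === undefined ? null : m[2].trim();
  // The url may be wrapped in matching single or double quotes.
  if (url && url.length >= 2 && (url[0] === '"' || url[0] === "'") &&
      url[url.length - 1] === url[0]) {
    url = url.slice(1, -1).trim();
  }
  return { delay: m[1], url: url || null };
}

// Extract the scheme after stripping ASCII whitespace/control characters,
// which browsers ignore when parsing a URL (so "fi\tle:" still means file:).
function urlScheme(url) {
  const cleaned = url.replace(/[\u0000-\u0020]+/g, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Policy check using the sanitize-html option names from the report.
function isUrlAllowed(url, opts) {
  const cleaned = url.replace(/[\u0000-\u0020]+/g, '');
  if (cleaned.startsWith('//')) return Boolean(opts.allowProtocolRelative);
  const scheme = urlScheme(cleaned);
  // Assumption: a scheme-less (relative) URL is allowed, as for href.
  if (scheme === null) return true;
  return opts.allowedSchemes.map((s) => s.toLowerCase()).includes(scheme);
}

// Returns the content value to keep: unchanged if the url is allowed,
// reduced to the bare delay if not, or null if the value is unparseable
// (the caller should then drop the attribute entirely).
function enforceRefreshScheme(content, opts) {
  const parsed = parseRefreshContent(content);
  if (!parsed) return null;
  if (!parsed.url) return content;
  return isUrlAllowed(parsed.url, opts) ? content : parsed.delay;
}

// Assumption: a callback in the shape of a sanitize-html transformTags
// entry, (tagName, attribs) => ({ tagName, attribs }), intended to be
// registered as transformTags: { meta: metaRefreshTransform(opts) }.
function metaRefreshTransform(opts) {
  return function (tagName, attribs) {
    const equiv = (attribs['http-equiv'] || '').trim().toLowerCase();
    if (equiv !== 'refresh' || typeof attribs.content !== 'string') {
      return { tagName, attribs };
    }
    const out = { ...attribs };
    const fixed = enforceRefreshScheme(attribs.content, opts);
    if (fixed === null) delete out.content; else out.content = fixed;
    return { tagName, attribs: out };
  };
}

// Constructed sample matching the issue's input and expected output.
const policy = { allowedSchemes: ['http', 'https'], allowProtocolRelative: false };
console.log(enforceRefreshScheme('0;url=file:///etc/passwd', policy)); // "0"
```

The check deliberately keeps an allowed content value byte-for-byte rather than re-serializing it, so a pass through the sanitizer only changes markup that violates the policy; an unparseable refresh value is reported as null so the caller can drop the attribute instead of guessing at a delay.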