posthtml-render

[fix]: parse obj in attrs

Open voischev opened this issue 9 years ago • 5 comments

input

<button class="button button_theme_alfa-on-white button_view_extra button_size_l button_type_submit button__control i-bem button_js_inited" data-bem="{&quot;button&quot;:{&quot;checkedView&quot;:&quot;extra&quot;}}" role="button" type="submit"><span class="button__text">Войти в интернет</span></button>

output

<button class="button button_theme_alfa-on-white button_view_extra button_size_l button_type_submit button__control i-bem" data-bem="{" button":{"checkedview":"extra"}}"="" role="button" type="submit"><span class="button__text">Войти в интернет</span></button>

voischev avatar Feb 17 '16 17:02 voischev

I can verify this.

ccorcos avatar Jan 02 '18 21:01 ccorcos

If you use v0.2.1 it works. This commit introduced the issue: https://github.com/posthtml/posthtml-parser/commit/7e3248454886e2b9b61594087c92aed5a208be94

ccorcos avatar Jan 02 '18 22:01 ccorcos

> v0.2.1

Maybe v3.1?

> If you use v0.2.1 it works.

Yes, it works, but maybe I hurried up. It probably does not need to be parsed, but it's only necessary to transform it with the renderer, and all this should most likely be options.

Scrum avatar Jan 04 '18 12:01 Scrum

Sounds like it needs to not be parsed. It shouldn't be unescaping those quotes and creating invalid html...

ccorcos avatar Jan 04 '18 20:01 ccorcos

Not sure if the same issue, but currently PostHTML transforms HTML like

<img src='1" onload="alert()'>

into

<img src="1" onerror="alert()">

which creates security issues when executed on untrusted HTML.

RReverser avatar Aug 09 '18 12:08 RReverser
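
Both reports in this thread involve a decoded attribute value written back between double quotes without re-escaping `"`. The following is an added example, not part of the thread and not posthtml-render's own code, comparing a naive attribute serializer with one that escapes; all function names, including the simplified tokenizer `attrNames`, are assumptions made for illustration.

```javascript
// Added example. Assumes the parser has already entity-decoded attribute
// values, so `attrs` holds raw strings (as in both reports in the thread).

// Naive serializer: writes the decoded value between double quotes unchanged.
function renderAttrsNaive(attrs) {
  return Object.entries(attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
}

// Escape the two characters that matter inside a double-quoted value.
// `&` goes first so the `&` of `&quot;` is not escaped a second time.
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

function renderAttrsSafe(attrs) {
  return Object.entries(attrs)
    .map(([k, v]) => ` ${k}="${escapeAttr(v)}"`)
    .join('');
}

// Simplified tokenizer (hypothetical helper): returns the attribute names an
// HTML parser would find in the serialized string. Handles only name="value"
// and bare names, which is enough to compare the two serializers.
function attrNames(serialized) {
  return [...serialized.matchAll(/([^\s\/>=]+)(?:="[^"]*")?/g)].map(m => m[1]);
}

// Single-pass decode of what escapeAttr produces, to check the round trip.
function unescapeAttr(value) {
  return value.replace(/&(amp|quot);/g, (_, e) => (e === 'amp' ? '&' : '"'));
}

// Constructed inputs: the decoded values from the two reports above.
const bem = { 'data-bem': '{"button":{"checkedView":"extra"}}' };
const img = { src: '1" onload="alert()' };

for (const attrs of [bem, img]) {
  console.log('naive:', renderAttrsNaive(attrs), attrNames(renderAttrsNaive(attrs)));
  console.log('safe: ', renderAttrsSafe(attrs), attrNames(renderAttrsSafe(attrs)));
}
```

With the naive serializer each input yields two attribute names after re-tokenizing; with escaping each yields one, and the value decodes back to the original string.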