bluemonday icon indicating copy to clipboard operation
bluemonday copied to clipboard

Published 20 hours ago verified publisher icon microcosm-cc

Sanitization of character entities are replacing for blank spaces

Open heltonrlustosa opened this issue 5 years ago • 4 comments

Hey. We are using bluemonday library in a new project and in some cases i need to save the string with characthers entities(&nbsp, &lt, &gt...). But, after sanitize some exemples we realise that the output don't have a non-breaking space enitity, for exemple.

Code exemple:

package main

import (
	"fmt"
	"github.com/microcosm-cc/bluemonday"
)

func main() {
	p := bluemonday.UGCPolicy()

	p.AllowStyling()
	p.AllowAttrs("style").Globally()
	p.AllowStandardAttributes()

	result := p.Sanitize(
		`<p>I am normal</p>&nbsp<p style="color:red;">After space</p>&nbsp<p style="font-size:50px;">I am big</p>`,
	)

	fmt.Println(result)
	// Output:
	// <p>I am normal</p> <p style="color:red;">After space</p> <p style="font-size:50px;">I am big</p>
}

Do I forgot to add any policy?

Thank you.

heltonrlustosa avatar Nov 21 '19 19:11 heltonrlustosa

I do not understand the scenario.

Are you saying that a blank space between paragraphs should be converted to a non-breaking space character?

And I do not see in the example anything that demonstrates an issue with &lt; and &gt;.

If all you seek to do is fully escape a string for presentation as HTML then does https://golang.org/pkg/html/#EscapeString not do this?

grafana-dee avatar Nov 22 '19 08:11 grafana-dee

Sorry, I sent you an incorrect example. My problem is with a escaped string that contains "&nbsp", in that case sanitize is removing then.

I will edit the description and put a correct exemple.

Thank you.

heltonrlustosa avatar Nov 22 '19 14:11 heltonrlustosa

I think... that it's fine, but that the console and text things display it weird.

Nothing in my code explicitly touches a &nbsp; and I see the net/html package escapes &nbsp; as \u00a0 (unicode non-break space).

I've looked at the output of the example you've provided and initially it looks like they are converted to whitespace. But look closer, put the output into a good text editor and look at the whitespace (or select all whitespace that matches that in I am) and you'll see that the &nbsp; isn't actually a space character. If you inspect it, you'll see it is a unicode non-break space.

So bluemonday is doing precisely what the net/html package believes is the best way to do this.

grafana-dee avatar Nov 25 '19 13:11 grafana-dee

@heltonrlustosa you should use Golang's %q verb in fmt.Printf function if you wish to see &nbsp; and other "hidden" characters (runes).

fmt.Printf("%q\n", result)
// "<p>I am normal</p>\u00a0<p style=\"color:red;\">After space</p>\u00a0<p style=\"font-size:50px;\">I am big</p>"

\u00a0 == &nbsp;, therefore, bluemonday works as intended, and your implementation does what you wanted it to do.

Read more at fmt package: fmt package

You should close this issue.

Delicious-Bacon avatar May 21 '23 10:05 Delicious-Bacon