Skip to content

Commit

Permalink
Resolves #51 by permitting spaces in URLs within HTML
Browse files Browse the repository at this point in the history
It turns out that line feeds and white space within URLs within HTML is valid.
The HTML rules are that a URL is a valid URL if when trimmed of whitespace it
is a valid URL, or if whitespace is not considered it is a valid URL. Browsers
are fine with this, and the bluemonday behaviour of treating URLs as not being
part of HTML was incorrect in that we would reject URLs that had whitespace.

By permitting whitespace, we fix a known bug wherein linefeeds within data-uri
values would not be considered valid.
  • Loading branch information
David Kitchen committed Dec 18, 2017
1 parent 68fecae commit 6f47c42
Show file tree
Hide file tree
Showing 2 changed files with 172 additions and 8 deletions.
9 changes: 1 addition & 8 deletions sanitize.go
Original file line number Diff line number Diff line change
Expand Up @@ -490,14 +490,7 @@ func (p *Policy) allowNoAttrs(elementName string) bool {

func (p *Policy) validURL(rawurl string) (string, bool) {
if p.requireParseableURLs {
// URLs do not contain whitespace
if strings.Contains(rawurl, " ") ||
strings.Contains(rawurl, "\t") ||
strings.Contains(rawurl, "\n") {
return "", false
}

u, err := url.Parse(rawurl)
u, err := url.Parse(strings.TrimSpace(rawurl))
if err != nil {
return "", false
}
Expand Down
Loading

0 comments on commit 6f47c42

Please sign in to comment.