Inline Images get stripped #51
Comments
There is nothing wrong with the policy, but the image data is truncated or incomplete. The data itself is parsed as base64 using https://github.com/microcosm-cc/bluemonday/blob/master/helpers.go#L223-L226 but the input is not valid (https://play.golang.org/p/-eq8Xsr8Qy):

```go
package main

import (
	"encoding/base64"
	"fmt"
)

func main() {
	s := `R0lGODdhEAAQAMwAAPj7+FmhUYjNfGuxYYDJdYTIeanOpT+DOTuANXi/bGOrWj6CONzv2sPjv2CmV1unU4zPgISg6DJnJ3ImTh8Mtbs00aNP1CZSGy0YqLEn47RgXW8amasW7XWsmmvX2iuXiwAAAAAEAAQAAAFVyAgjmRpnihqGCkpDQPbGkNUOFk6DZqgHCNGg2T4QAQBoIiRSAwBE4VA4FACKgkB5NGReASFZEmxsQ0whPDi9BiACYQAInXhwOUtgCUQoORFCGt/g4QAIQA7`
	if _, err := base64.StdEncoding.DecodeString(s); err != nil {
		// this one fires
		fmt.Println(err.Error())
	} else {
		fmt.Println("parsed as base64")
	}
}
```

Were you to provide a valid base64 input, it would work (following example based on the unit test):

```go
package main

import (
	"fmt"

	"github.com/microcosm-cc/bluemonday"
)

func main() {
	p := bluemonday.NewPolicy()
	p.AllowImages()
	p.AllowDataURIImages()
	s := `<img src="data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7">`
	// this returns the image
	fmt.Printf("'%s'\n", p.Sanitize(s))
}
```
@buro9 thanks for your feedback, will check base64 on my side ;)
@buro9 weird, but my HTML response has an empty image tag. This is my Go code:
Hmmm, if I take your image example from the linked Go Playground... it works for me. Do you have whitespace or line breaks in your input data URL content?
but I can't just replace all \n with an empty string
This is a valid bug... I'll fix it :) Line feeds in data URI attributes in HTML5 are valid, so I should be stripping those out beforehand.
@buro9 your work is awesome! Will recheck when you're done. Thanks!
Thanks... do you have a test file btw... with the full input you are using (for this part of the file)... to avoid me copying it from a screenshot :)
and one with newline: https://gist.github.com/mstaack/599a28114ceecc45e8f5f6d93f7b7d71
both should work
These would still return an empty string because But assuming
yeah, you are totally right... will fix that on my side ;)
In pre-go1.8 there were bugs with encoding issues that we did not encounter if we just rejected URLs that contained whitespace. As whitespace is only valid when data: URLs are used, we will restrict allowing whitespace only to data: scheme URLs
Resolves #51 by permitting spaces in URLs within HTML
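The two commit messages above describe the fix only in outline: whitespace is tolerated in a URL only when the scheme is `data:`, and the data URI payload must still be valid base64 after the whitespace is removed. The following Go program is an added example written for this page, not bluemonday's own code, showing that normalisation and validation step end to end. Everything in it is an assumption of the example: the `SanitizeImgSrc` and `SampleDataURL` functions, the `allowedImageTypes` allowlist, and the 13-byte `sampleGIF` fragment that stands in for the image from the thread. It uses only the standard library so it runs offline.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// sampleGIF is a constructed 13-byte fragment (GIF89a signature plus a 16x16
// logical screen descriptor). It is not a complete image and not the image
// from the thread; it only gives the example a deterministic base64 payload.
var sampleGIF = []byte{'G', 'I', 'F', '8', '9', 'a', 0x10, 0x00, 0x10, 0x00, 0x80, 0x00, 0x00}

// allowedImageTypes is an allowlist assumed for this example; bluemonday's
// own set of accepted media types may differ.
var allowedImageTypes = map[string]bool{
	"image/gif": true, "image/jpeg": true, "image/png": true, "image/webp": true,
}

// SampleDataURL builds a data: URL for sampleGIF. With wrapped=true it inserts
// a line feed every 8 payload characters, mimicking pasted, line-wrapped content.
func SampleDataURL(wrapped bool) string {
	b64 := base64.StdEncoding.EncodeToString(sampleGIF)
	if wrapped {
		var sb strings.Builder
		for i := 0; i < len(b64); i++ {
			if i > 0 && i%8 == 0 {
				sb.WriteByte('\n')
			}
			sb.WriteByte(b64[i])
		}
		b64 = sb.String()
	}
	return "data:image/gif;base64," + b64
}

// stripASCIIWhitespace drops the five ASCII whitespace characters a browser
// removes from a data: URL payload before decoding (space, TAB, LF, FF, CR).
// Go's base64 decoder skips CR and LF on its own, but not space or TAB, so
// the attribute must be normalised before any length or validity check.
func stripASCIIWhitespace(s string) string {
	return strings.Map(func(r rune) rune {
		switch r {
		case ' ', '\t', '\n', '\f', '\r':
			return -1
		}
		return r
	}, s)
}

func containsASCIIWhitespace(s string) bool {
	return strings.ContainsAny(s, " \t\n\f\r")
}

// SanitizeImgSrc returns the value to keep for an <img src> attribute and
// whether it is acceptable. Whitespace is tolerated only inside data: URLs,
// which are normalised and must carry a valid base64 image payload; any other
// URL must be whitespace-free and use http, https or no scheme (relative).
func SanitizeImgSrc(src string) (string, bool) {
	if !strings.HasPrefix(strings.ToLower(src), "data:") {
		if containsASCIIWhitespace(src) {
			return "", false
		}
		u, err := url.Parse(src)
		if err != nil {
			return "", false
		}
		switch u.Scheme {
		case "", "http", "https":
			return src, true
		}
		return "", false
	}

	// data:<mediatype>;base64,<payload>
	clean := stripASCIIWhitespace(src)
	body := clean[len("data:"):]
	comma := strings.IndexByte(body, ',')
	if comma < 0 {
		return "", false
	}
	header, payload := strings.ToLower(body[:comma]), body[comma+1:]
	if !strings.HasSuffix(header, ";base64") || payload == "" {
		return "", false
	}
	mediaType := strings.TrimSuffix(header, ";base64")
	if !allowedImageTypes[mediaType] {
		return "", false
	}
	if _, err := base64.StdEncoding.DecodeString(payload); err != nil {
		return "", false
	}
	return "data:" + mediaType + ";base64," + payload, true
}

func main() {
	plain := SampleDataURL(false)
	for _, src := range []string{
		plain,
		SampleDataURL(true),       // same payload with line feeds
		plain[:len(plain)-1],      // truncated payload
		"https://example.com/logo.gif",
		"https://example.com/logo gif",
		"javascript:alert(1)",
	} {
		out, ok := SanitizeImgSrc(src)
		fmt.Printf("%-5t %q\n", ok, out)
	}
}
```

The wrapped and unwrapped forms of the sample normalise to the same attribute value, a payload with one character missing is rejected (the failure seen in the first comment), and the whitespace exemption does not leak to other schemes.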
* 'master' of github.com:microcosm-cc/bluemonday: (21 commits) Resolves microcosm-cc#51 Adjusted to be safe go pre-go1.8 Resolves microcosm-cc#51 by permitting spaces in URLs within HTML Travis tests go1.1 to go1.9 and tip Rename LICENCE.md to LICENSE.md Add Go1.9 to Travis CI Remove .gitignore. Testing on go1.8 and go1.9rc2 tip Do not vendor dependencies Fixed build conditional for < go1.8 Fixes 42 by using conditional compilation of tests Add center and marquee to whitelist of elements allowed without attributes Issue 37 case tag erroneously was 'javascript' not 'script' Added tip back to travis with allow failures tip is weird sometimes. It's not me, it's you. fmt -s, Makefile cleanup Resolves microcosm-cc#35 Updated to reflect recent changes Add Go1.7 to testing Resolves microcosm-cc#33 Added Gufran to credits ...
Using this content:
and this policy:
I get an empty string back.... What's wrong with my policy?
Cheers, Max