github.com/cosban/bluemonday
bluemonday is an HTML sanitizer implemented in Go. It is fast and highly configurable.
bluemonday takes untrusted user-generated content as input and returns HTML that has been sanitised against a whitelist of approved HTML elements and attributes, so that you can safely include the content in your web page.
If you accept user generated content, and your server uses Go, you need bluemonday.
This fork of bluemonday was created in an attempt to make the sanitizing process a little bit more flexible.
Normally with bluemonday, if your user provides you with bad content, bluemonday.UGCPolicy().Sanitize() turns this:
Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
Into a harmless:
Hello World
But what if you are looking for something a little more flexible? I frequently wish there was an option to, instead, turn the code into this:
Hello <style>.XSS{background-image:url("javascript:alert('XSS')");}</style><a class="XSS"></a>World
This renders visually as the original text on the screen, without sacrificing the functionality of the allowed tags.
But what about invalid attributes within the whitelisted tags? For this, we have opted to simply strip out the attribute and leave the valid parts intact.
This means that if your users try to provide you with this bad content:
<b onclick="alert('XSS')">Hello</b> world!
You will be delighted to see that it is sanitized to a safe
<b>Hello</b> world!
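The two behaviours described above, escaping a disallowed element so it renders literally and stripping a disallowed attribute while keeping its element, as an added stand-alone Go example. This is not the fork's code: Policy, SanitizeWYSIWYG, rewriteTag and safeURL are hypothetical names, the policy is constructed for the example, and tags are located with a regexp over "<...>" tokens rather than a real HTML tokenizer. It goes slightly beyond the text by also rejecting a javascript: URL inside an otherwise allowed href, and it appends rel="nofollow" on links to mirror the sample output shown later on the page.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Policy is a hypothetical stand-in for a bluemonday policy: each allowed
// element name maps to the set of attribute names it may keep.
type Policy map[string]map[string]bool

// tagRe splits one "<...>" token into closing slash, element name, raw attributes;
// attrRe matches one attribute with a double-quoted, single-quoted or bare value.
var (
	tagRe  = regexp.MustCompile(`^<\s*(/?)\s*([A-Za-z][A-Za-z0-9-]*)([^>]*)>$`)
	attrRe = regexp.MustCompile(`([A-Za-z][A-Za-z0-9:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?`)
)

// safeURL accepts relative links and a few benign schemes, so a javascript:
// URL inside an otherwise allowed href is still stripped.
func safeURL(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	switch strings.ToLower(u.Scheme) {
	case "", "http", "https", "mailto":
		return true
	}
	return false
}

// rewriteTag applies the two WYSIWYG rules to one tag token: an element absent
// from the policy is escaped so it renders as visible text; an allowed element
// is re-emitted carrying only its allowed attributes.
func rewriteTag(p Policy, tag string) string {
	m := tagRe.FindStringSubmatch(tag)
	if m == nil { // not a well-formed tag (e.g. "<3"): it is just text
		return html.EscapeString(tag)
	}
	slash, name, rawAttrs := m[1], strings.ToLower(m[2]), m[3]
	allowedAttrs, elementOK := p[name]
	if !elementOK {
		return html.EscapeString("<" + slash + name + rawAttrs + ">")
	}
	if slash == "/" {
		return "</" + name + ">"
	}
	var b strings.Builder
	b.WriteString("<" + name)
	hasHref := false
	for _, a := range attrRe.FindAllStringSubmatch(rawAttrs, -1) {
		attr := strings.ToLower(a[1])
		val := a[2] + a[3] + a[4] // exactly one value group matched, or none
		if !allowedAttrs[attr] || (attr == "href" && !safeURL(val)) {
			continue // strip the attribute, keep the element
		}
		hasHref = hasHref || attr == "href"
		fmt.Fprintf(&b, ` %s="%s"`, attr, html.EscapeString(val))
	}
	if name == "a" && hasHref {
		b.WriteString(` rel="nofollow"`) // mirrors the rel in the page's sample output
	}
	return b.String() + ">"
}

// SanitizeWYSIWYG walks the input, escaping text runs and rewriting each tag.
func SanitizeWYSIWYG(p Policy, in string) string {
	var out strings.Builder
	for len(in) > 0 {
		lt := strings.IndexByte(in, '<')
		if lt < 0 {
			break
		}
		out.WriteString(html.EscapeString(in[:lt]))
		in = in[lt:]
		gt := strings.IndexByte(in, '>')
		if gt < 0 { // unterminated "<": the remainder is plain text
			break
		}
		out.WriteString(rewriteTag(p, in[:gt+1]))
		in = in[gt+1:]
	}
	out.WriteString(html.EscapeString(in)) // trailing text (or the whole input)
	return out.String()
}

func main() {
	// Constructed policy: only <a href class> and <b> survive as elements.
	p := Policy{"a": {"href": true, "class": true}, "b": {}}
	fmt.Println(SanitizeWYSIWYG(p, `<b onclick="alert('XSS')">Hello</b> world!`))
	fmt.Println(SanitizeWYSIWYG(p, `Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World`))
}
```

The escaped output for the STYLE example uses Go's html.EscapeString entities (&lt;style&gt;, &#34;, &#39;), which a browser displays as the original text. The toy scanner does not understand comments, CDATA or a ">" inside a quoted attribute value; upstream bluemonday walks a proper HTML tokenizer, which is why this is an illustration of the policy semantics rather than a replacement for the library.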
All of the original policies are still available with this fork. The original usage is described on their GitHub page.
For WYSIWYG, install in your ${GOPATH} using go get -u github.com/cosban/bluemonday, then call it:
package main

import (
	"fmt"

	// The fork's import path: WYSIWYGPolicy is added by this fork and is not
	// part of upstream github.com/microcosm-cc/bluemonday.
	"github.com/cosban/bluemonday"
)

func main() {
	// WYSIWYGPolicy escapes disallowed elements instead of dropping them and
	// strips disallowed attributes (here onblur) from allowed elements.
	p := bluemonday.WYSIWYGPolicy()
	html := p.Sanitize(
		`<a onblur="alert(secret)" href="http://www.google.com">Google</a>`,
	)
	// Output:
	// <a href="http://www.google.com" rel="nofollow">Google</a>
	fmt.Println(html)
}
All three of the original sanitizing methods remain available with this addition:
p.Sanitize(string) string
p.SanitizeBytes([]byte) []byte
p.SanitizeReader(io.Reader) *bytes.Buffer