gitlab.com/cosban/bluemonday
bluemonday is an HTML sanitizer implemented in Go. It is fast and highly configurable.
bluemonday takes untrusted user generated content as an input, and will return HTML that has been sanitised against a whitelist of approved HTML elements and attributes so that you can safely include the content in your web page.
If you accept user generated content, and your server uses Go, you need bluemonday.
This fork of bluemonday was created in an attempt to make the sanitizing process a little bit more flexible.
Normally with bluemonday, if your user provides you with bad content, bluemonday.UGCPolicy().Sanitize() turns this:
Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
Into a harmless:
Hello World
But what if you are looking for something a little more flexible? I frequently wish there was an option to, instead, turn the code into this:
Hello <style>.XSS{background-image:url("javascript:alert('XSS')");}</style><a class="XSS"></a>World
This renders visually as the original text on the screen, without having to sacrifice the functionality of the allowed tags.
But what about invalid attributes within the whitelisted tags? For this, we have opted to simply strip out the attribute and leave the valid parts intact.
This means that if your users try to provide you with this bad content:
<b onclick="alert('XSS')">Hello</b> world!
You will be delighted to see that it is sanitized to a safe
<b>Hello</b> world!
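To make the two behaviours concrete, here is an added illustration in Python (not code from this fork, which is Go) built on the standard library's html.parser: a "strip" mode that drops disallowed tags like the UGC policy, and an "escape" mode that re-emits them as visible text like the WYSIWYG policy, with disallowed attributes dropped from allowed tags in both. The ALLOWED table and the scheme check on href are assumptions of this demo, and the scheme check goes slightly beyond the page's examples.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for this demo (an assumption, not the fork's policy): element -> attributes it may keep.
ALLOWED = {"a": {"href", "class"}, "b": set(), "i": set(), "p": set()}


class PolicySanitizer(HTMLParser):
    """Rebuild the input under one policy for disallowed tags: "strip" drops them (and the raw text
    inside <script>/<style>) like UGC; "escape" re-emits them as visible text, WYSIWYG-style."""

    def __init__(self, mode):
        super().__init__()
        self.mode, self.out, self.skip = mode, [], None

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            if self.mode == "escape":
                raw = "".join(f' {k}="{v}"' if v is not None else f" {k}" for k, v in attrs)
                self.out.append(html.escape(f"<{tag}{raw}>", quote=False))
            elif tag in self.CDATA_CONTENT_ELEMENTS:
                self.skip = tag  # swallow raw script/style text until its end tag
            return
        kept = []
        for k, v in attrs:
            if k not in ALLOWED[tag] or v is None:
                continue
            # An allowed href still needs a scheme check: a javascript: URL is not markup.
            if k == "href" and not v.strip().lower().startswith(("http://", "https://")):
                continue
            kept.append(f' {k}="{html.escape(v)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        elif tag in ALLOWED:
            self.out.append(f"</{tag}>")
        elif self.mode == "escape":
            self.out.append(html.escape(f"</{tag}>", quote=False))

    def handle_data(self, data):
        if self.skip is None:  # text content is always escaped on the way out
            self.out.append(html.escape(data, quote=False))


def sanitize(markup, mode="escape"):
    p = PolicySanitizer(mode)
    p.feed(markup)
    p.close()
    return "".join(p.out)
```

In "escape" mode the `<style>` block from the example above comes out as `&lt;style&gt;...&lt;/style&gt;`, which a browser shows as literal text, while `<b onclick=...>` loses only its onclick.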
All of the original policies are still available with this fork. The original usage is described on their GitHub page.
For WYSIWYG, install into your ${GOPATH} using go get -u github.com/cosban/bluemonday
Then call it:
package main

import (
	"fmt"

	// Import the fork installed above; WYSIWYGPolicy is not part of upstream bluemonday.
	"github.com/cosban/bluemonday"
)

func main() {
	// WYSIWYGPolicy keeps allowed tags, drops their disallowed attributes (here onblur),
	// and escapes disallowed tags to visible text instead of removing them.
	p := bluemonday.WYSIWYGPolicy()
	html := p.Sanitize(
		`<a onblur="alert(secret)" href="http://www.google.com">Google</a>`,
	)
	// Output:
	// <a href="http://www.google.com" rel="nofollow">Google</a>
	fmt.Println(html)
}
All three of the original sanitizing methods can still be used with this addition:
p.Sanitize(string) string
p.SanitizeBytes([]byte) []byte
p.SanitizeReader(io.Reader) bytes.Buffer