
Another case of bad markup identified in Issue #549. Closing tags without having opening tags. Test cases also added. #568

Merged (3 commits), Sep 12, 2022
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,8 @@
# Changelog

## Issue #549 fix
- Fixed allowance of disallowed tags with wrong markup of having closing tag without opening tag as reported on [issue #549](https://github.com/apostrophecms/sanitize-html/issues/549).

## 2.7.1 (2022-07-20)

- Protocol-relative URLs are properly supported for script tags. Thanks to [paweljq](https://github.com/paweljq).
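Review bot: the new heading `## Issue #549 fix` breaks the file's own convention, where every entry is a version number with a date (`## 2.7.1 (2022-07-20)`); use the next version or an `## UNRELEASED` heading so readers and release tooling can place the entry. The entry text is also hard to parse; suggest wording it as `- A closing tag with no matching opening tag no longer lets the content of a disallowed tag through. Reported in [issue #549](https://github.com/apostrophecms/sanitize-html/issues/549).`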
8 changes: 8 additions & 0 deletions index.js
Expand Up @@ -521,6 +521,14 @@ function sanitizeHtml(html, options, _recursing) {
// Do not crash on bad markup
return;
}

if (frame.tag !== name) {
// Another case of bad markup.
// Push to stack, so that it will be used in future closing tags.
stack.push(frame);
return;
}

skipText = options.enforceHtmlBoundary ? name === 'html' : false;
depth--;
const skip = skipMap[depth];
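Review bot: the comment on the new branch (`// Another case of bad markup.`) does not say which case it handles; state that a closing tag whose name differs from the innermost open frame is discarded and that `stack.push(frame)` restores the frame so the stack is unchanged. Because the check only compares against the innermost frame, a stray close for an element that is open deeper in the stack (e.g. `<b><i>text</b>`) is also dropped rather than closing `<b>`; if that is intended, say so in the comment and pin it with a test. Returning before `skipText` is updated and before `depth--` is correct here, since nothing was actually closed.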
17 changes: 17 additions & 0 deletions test/test.js
Expand Up @@ -116,6 +116,23 @@ describe('sanitizeHtml', function() {
it('should preserve entities as such', function() {
assert.equal(sanitizeHtml('<a name="&lt;silly&gt;">&lt;Kapow!&gt;</a>'), '<a name="&lt;silly&gt;">&lt;Kapow!&gt;</a>');
});
it('should dump closing tags which do not have any opening tags.', function() {
assert.equal(sanitizeHtml('<b><div/', {
allowedTags: [ 'b' ]
}), '<b></b>');

assert.equal(sanitizeHtml('<b><b<<div/', {
allowedTags: [ 'b' ]
}), '<b></b>');
});
it('should tolerate not closed p tags', function() {
assert.equal(sanitizeHtml('<div><p>inner text 1<p>inner text 2<p>inner text 3</div>'), '<div><p>inner text 1</p><p>inner text 2</p><p>inner text 3</p></div>');
});
it('should escape not closed p tags, if not in allowedTags array', function() {
assert.equal(sanitizeHtml('<div><p>inner text 1<p>inner text 2<p>inner text 3</div>', {
allowedTags: [ 'div' ]
}), '<div>inner text 1inner text 2inner text 3</div>');
});
it('should dump comments', function() {
assert.equal(sanitizeHtml('<p><!-- Blah blah -->Whee</p>'), '<p>Whee</p>');
});
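Review bot: the new test's name, `should dump closing tags which do not have any opening tags.`, does not match its inputs: `<b><div/` and `<b><b<<div/` are truncated opening tags, not closing tags without an opener, and the trailing period is inconsistent with the other `it` names. Add a case with an explicit stray closing tag (for example `</div>` with no opener, alongside a tag that is not in `allowedTags`) and assert on the sanitized output, so the regression reported in issue #549 is covered directly rather than only through malformed openers.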