Encode stripped html special chars

chenraz · Oct 1, 2021 · da02e9d · da02e9d
1 parent f865d63
commit da02e9d
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 3 deletions.
diff --git a/compose/service/values/sanitizer.go b/compose/service/values/sanitizer.go
@@ -2,6 +2,7 @@ package values
 
 import (
 	"fmt"
+	"html"
 	"regexp"
 	"strconv"
 	"strings"
@@ -293,8 +294,14 @@ func sString(str string) string {
 	// match only colors for html editor elements on style attr
 	p.AllowAttrs("style").OnElements("span", "p")
 	p.AllowStyles("color").Matching(regexp.MustCompile("(?i)^#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$")).Globally()
+	p.AllowStyles("background-color").Matching(regexp.MustCompile("(?i)^#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$")).Globally()
 
-	return p.Sanitize(str)
+	sanitized := p.Sanitize(str)
+
+	// handle escaped strings and unescape them
+	// all the dangerous chars should have been stripped
+	// by now
+	return html.UnescapeString(sanitized)
 }
 
 // sanitize casts value to field kind format

diff --git a/compose/service/values/sanitizer_test.go b/compose/service/values/sanitizer_test.go
@@ -187,7 +187,14 @@ func Test_sanitizer_Run(t *testing.T) {
 			kind:    "String",
 			options: map[string]interface{}{},
 			input:   `<script>document.write("<scri");</script>pt src="https://cortezaproject.org/script.js"></script>`,
-			output:  "pt src=&#34;https://cortezaproject.org/script.js&#34;&gt;",
+			output:  `pt src="https://cortezaproject.org/script.js">`,
+		},
+		{
+			name:    "string escaping; inline styles unchanged",
+			kind:    "String",
+			options: map[string]interface{}{},
+			input:   `<span style="background-color: #00ff00"><span style="color: #4a86e8">nasty looking content</span></span>`,
+			output:  `<span style="background-color: #00ff00"><span style="color: #4a86e8">nasty looking content</span></span>`,
 		},
 		{
 			name:    "string escaping; script with a",
@@ -299,7 +306,7 @@ func Test_sanitizer_Run(t *testing.T) {
 			kind:    "String",
 			options: map[string]interface{}{},
 			input:   `'';!--"<XSS>=&{()}`,
-			output:  "&#39;&#39;;!--&#34;=&amp;{()}",
+			output:  `'';!--"=&{()}`,
 		},
 		{
 			name:    "string escaping; xss element",
@@ -315,6 +322,13 @@ func Test_sanitizer_Run(t *testing.T) {
 			input:   `<tag1>cor<tag2></tag2>teza</tag1><tag1>server</tag1><tag2>123</tag2>`,
 			output:  "cortezaserver123",
 		},
+		{
+			name:    "string escaping; preserve necessary chars",
+			kind:    "String",
+			options: map[string]interface{}{},
+			input:   `a < b ; "'"`,
+			output:  `a < b ; "'"`,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {