-
-
Notifications
You must be signed in to change notification settings - Fork 748
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] HTML encoded self closing tags in attribute values leads to the removal of the attribute #761
Comments
Here is another input which leads to removal of the attribute. It seems that the HTML Encoding is not necessary to reproduce the issue. Input
Given output
Expected output
|
Heya, thanks for filing the issue. However, it's not a bug but a protection against an mXSS issue that has been plaguing browsers for a while. Allowing this will cause XSS. You can likely work around that using a hook, but then you'd have to accept the mXSS risk, in case the attribute content is user-controlled. |
I don't know why the whole attribute is removed. Shouldn't it be enough to change the When I'm sanitizing |
The default is of course removal as we offer a sanitizer library, so scrubbing is the way to go 😄 But, you can override that easily with a hook and then do what works in your context. |
Downstream issue affecting Wikipedia: https://phabricator.wikimedia.org/T279215#8525105 Per the inline comment, this appears to be fixing an issue in an old version of jQuery, and previously could be disabled with a flag.
To work around this with a hook would require re-implementing all the transforms and checks that are done to see if the attribute is about to be removed (SAFE_FOR_TEMPLATES, isValidAttribute), unless I have missed something? |
I understand that this is annoying, but I am not sure what should best be done here. We see it like this:
That has me wonder, is this really our bug when our mission is to prevent XSS? :) Not wanting to sound dismissive though, if there is a satisfying solution, we'd be happy to go the extra mile and implement it, but right now I feel we are deadlocked. PRs are super welcome, any other input as well. |
Could we add back in a renamed flag to disable the feature, e.g. ALLOW_SELF_CLOSE_IN_ATTR (default is false)? |
Not a huge fan of the idea but if that saves the day, a PR is welcome 😄 |
For my case I have now added the following hook. But I would prefer @edg2s solution when it is merged.
|
Alright, I added the flag plus test to the 2.x branch. Does that do the trick for you @edg2s ? If so, we will also add this to main, release 3.0.0 and 2.4.4 @AndreVirtimo . |
Hey all, we would like to release but need some confirmation that the change works as expected 😄 Could you confirm it works as expected? @AndreVirtimo @edg2s |
This should be fixed now in all latest releases |
When I use html encoded content in an attribute self closing tags leads to the removal of the whole attribute.
Background & Context
Self closing tags like
<br />
or<img />
are usually converted to single tags (<br>
,<img>
), which is totally fine.Bug
Input
<p data-qtip="<br/>">foo</p>
Given output
<p>foo</p>
Expected output
<p data-qtip="<br>">foo</p>
Working example with single tag
When I'm using single tags, the output is as expected:
Input
<p data-qtip="<br>">foo</p>
Given output
<p data-qtip="<br>">foo</p>
The text was updated successfully, but these errors were encountered: