-
Notifications
You must be signed in to change notification settings - Fork 355
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
{allowedTags:null} allows <script> #176
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Hello @boutell, Should I pick this up? This seems to be an issue as Also, @mikesamuel has given a very good example in which such mistakes can occur, if a function like Please let me know your opinion. I will raise a PR if you want. Thanks, |
Feel free. Sounds like there's a good reason for a runtime check on this. |
Hello @boutell, I have raised the PR as per the discussion. Also added new test cases for covering the expected behavior. Please let me know your comments. Thanks, |
The docs say
The internal check checks whether
allowedTags
is falsey, not false.Treating
null
equivalently to false is problematic sincenull
ismuch more likely as an output from a function that otherwise
returns an array than
false
, so treatingnull
andundefined
as equivalent to
false
is a corner-case with very serious security consequences.For example,
Since the behavior for
undefined
andnull
,0
,NaN
,""
and other falsey values is not documented, I recommend eitherfalse
:allowedAttributes
.The text was updated successfully, but these errors were encountered: