Data URIs get sanitized #101
Comments
I think I've found the perpetrator:
@Qqwy can you help me understand why There's a workaround available, which is to wrap the URL in
emits
@flavorjones I had presumed that
(Sources: this question on Stack Overflow, RFC 2397, Can I Use Data URIs.) So, it seems that it indeed is unsafe to allow all data URIs. What seems like a better option to me is to allow data URIs that specify one of the following media types, as script execution is impossible in them:
(Did I miss any important ones in the above list?) What do you think of this proposal? Using an Also see my example CodePen where I tested out various variations of the above stuff.
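The media-type allowlist proposed above, implemented as an added example in plain Ruby (not Loofah's own code): it parses an RFC 2397 data URI, accepts it for an img src only when the declared type is on an assumed allowlist of non-scriptable image types, and cross-checks the decoded payload against that type's magic bytes. The allowlist and the scrub_img_src helper are assumptions, not taken from the thread.

```ruby
require "base64"

# Assumed allowlist of media types for data: URIs in <img src>. The thread's
# own list was not preserved here; these are raster formats with no script.
SAFE_IMAGE_TYPES = %w[image/png image/jpeg image/gif image/webp].freeze

# Magic-byte prefixes used to confirm the payload is what the type claims.
MAGIC = {
  "image/png"  => "\x89PNG".b,
  "image/jpeg" => "\xFF\xD8\xFF".b,
  "image/gif"  => "GIF8".b,
}.freeze

# RFC 2397: data:[<mediatype>][;param=value]*[;base64],<data>
DATA_URI = %r{\Adata:(?<type>[^;,]*)(?<params>(?:;[^;,]*)*),(?<payload>.*)\z}mi

# Parse a data URI into [media_type, base64_flag, raw_bytes]; nil if malformed.
# Base64 payloads are decoded strictly, so stray whitespace is rejected.
def parse_data_uri(uri)
  m = DATA_URI.match(uri.to_s.strip) or return nil
  type = m[:type].empty? ? "text/plain" : m[:type].downcase # RFC 2397 default
  params = m[:params].split(";").reject(&:empty?)
  b64 = params.any? { |p| p.casecmp?("base64") }
  bytes = if b64
            Base64.strict_decode64(m[:payload])
          else
            m[:payload].b.gsub(/%([0-9a-f]{2})/i) { $1.hex.chr } # percent-decode
          end
  [type, b64, bytes]
rescue ArgumentError
  nil
end

# True only when the declared type is allowlisted AND, where a magic prefix
# is known for it, the decoded bytes actually start with that prefix.
def safe_image_data_uri?(uri)
  type, _b64, bytes = parse_data_uri(uri)
  return false unless type && SAFE_IMAGE_TYPES.include?(type)
  magic = MAGIC[type]
  magic.nil? || bytes.start_with?(magic)
end

# Hypothetical attribute scrubber: keep http(s) and safe data: sources, drop others.
def scrub_img_src(src)
  return src if src =~ %r{\Ahttps?://}i
  safe_image_data_uri?(src) ? src : nil
end
```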
Yes, I would.
@Qqwy @flavorjones Just wondering if this is still being worked on? I see #102 is still closed and doesn't look like it's been updated with the content type restrictions outlined above. I'd really love to see data URIs supported in Loofah!
I opened #120 since I hadn't seen any code on this yet.
This was addressed in v2.1.0 and should have been closed then. |
I just posted this issue at the Rails HTML Sanitizer repo, but after testing I realized that it goes wrong inside Loofah itself.
This is the problem:
When I sanitize an HTML string with an image whose src points to a data URI, its src attribute is removed (even when src is whitelisted):
I presume that this happens because of too strict JS-prevention measures (or the data URI is just discarded because the sanitizer does not understand the data: protocol?). I hope this can be fixed.