rails / rails-html-sanitizer

Data URI's get sanitized

Qqwy opened this issue

When I sanitize an HTML string with an image whose src points to a data URI, its src attribute is removed (even when src is whitelisted):

```ruby
require "rails-html-sanitizer"

unclean_html = "A test
    <img src=\"http://placehold.it/400x300\">
    <img src='data:image/gif;base64,R0lGODlhAQABAPAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='/>"
sanitizer = Rails::Html::WhiteListSanitizer.new
clean_html = sanitizer.sanitize(unclean_html, tags: %w{img}, attributes: %w{src})
clean_html
# => "A test\n    <img src=\"http://placehold.it/400x300\">\n    <img>"
```

I presume that this happens because of too strict JS-prevention measures (or the data-URI is just discarded because the sanitizer does not understand the protocol?).

After testing this, it seems that the issue is also apparent inside of Loofah, so I think it is not caused by the code in rails-html-sanitizer itself.

I've created an issue at the Loofah repository.

This issue should be closed, since we have a conversation going on at flavorjones/loofah#101

Thanks folks! I'll close ❤️
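The behaviour reported at the top of this issue, as an added example that is not code from rails-html-sanitizer or Loofah: a simplified model of a scheme-allowlist check on URL-valued attributes, showing why an allowed `src` still loses a `data:` value, and what a narrower policy admitting only raster-image data URIs looks like. The allowlists and the `keep_attribute?`, `uri_scheme`, `data_media_type` and `audit` names are assumptions made for illustration; SVG is left out because an SVG document can contain script.

```ruby
# Added example: a model of scheme-allowlist scrubbing for URL attributes.
# Not Loofah's implementation; both lists below are assumed for illustration.
require "set"

ALLOWED_SCHEMES = Set["http", "https", "mailto"].freeze          # assumed baseline
SAFE_DATA_TYPES = Set["image/gif", "image/png", "image/jpeg"].freeze # assumed, no SVG

# The two src values from the report above.
HTTP_SRC = "http://placehold.it/400x300"
GIF_SRC  = "data:image/gif;base64,R0lGODlhAQABAPAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="

# Scheme of a URL-ish value, or nil for a relative URL. Control characters and
# spaces are removed first (browsers drop tabs/newlines inside a URL), so a
# scheme split by such characters is still recognised and judged.
def uri_scheme(value)
  compact = value.gsub(/[\x00-\x20]+/, "")
  m = compact.match(/\A([a-zA-Z][a-zA-Z0-9+.\-]*):/)
  m && m[1].downcase
end

# Media type of a data: URI ("data:image/gif;base64,..."), or nil if absent.
def data_media_type(value)
  m = value.gsub(/[\x00-\x20]+/, "").match(/\Adata:([^;,]*)[;,]/i)
  m && m[1].downcase
end

# true when the attribute value may stay; false when it must be removed.
def keep_attribute?(value, allow_data_images: false)
  scheme = uri_scheme(value)
  return true if scheme.nil?                        # relative URL
  return true if ALLOWED_SCHEMES.include?(scheme)
  return false unless allow_data_images && scheme == "data"
  SAFE_DATA_TYPES.include?(data_media_type(value))  # data: only for listed types
end

# Maps each value to the keep/remove decision under the given policy.
def audit(values, **policy)
  values.to_h { |v| [v, keep_attribute?(v, **policy)] }
end

if __FILE__ == $PROGRAM_NAME
  samples = [HTTP_SRC, GIF_SRC, "data:text/html;base64,AAAA", "/img/a.png"] # constructed
  puts "default policy:     #{audit(samples).values.inspect}"
  puts "data images policy: #{audit(samples, allow_data_images: true).values.inspect}"
end
```

Under the default policy the attribute name passing the `attributes:` list is not enough: the value is judged separately by its scheme, which is why the second `<img>` in the report comes back without `src`.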