October 22, 2024
Chicago 12, Melborne City, USA
OiO.lk Blog security sanitize-html not acknowledging allowedSchemes options
security

sanitize-html not acknowledging allowedSchemes options

  • by
  • October 16, 2024
  • 0 Comments
  • Less than a minute
  • 4 Views
  • 6 days ago


var sanitizeHtml = require("sanitize-html");

const ALLOWED_SCHEMES = ['http', 'https'];

const htmlStr="\""><meta http-equiv="refresh" content="0;url=file:///etc/passwd" />';

const cleanedHTML = sanitizeHtml(htmlStr, {
    allowedAttributes: false,
    allowedTags: false,
    allowVulnerableTags: true,
    allowedSchemes: ALLOWED_SCHEMES,
    allowProtocolRelative: false,
    disallowedTagsMode: 'completelyDiscard',
    allowedSchemesByTag: {
        img: [...ALLOWED_SCHEMES, 'data']
    },
});

console.log(cleanedHTML);

Actual behavior

'"&gt;<meta http-equiv="refresh" content="0;url=file:///etc/passwd" />

Expected behavior

'"&gt;<meta http-equiv="refresh" content="0" />

**Description of the issue: **
Even though I have configured to allow only ‘http’ and ‘https’ schemes, ‘file’ scheme is getting allowed in content="0;url=file:///etc/passwd attribute

Details:

Version of Node.js: 18 LTS

2.13.1 version of sanitize-html npm dependency https://www.npmjs.com/package/sanitize-html



You need to sign in to view this answers

Share This Post:

Leave feedback about this

  • Quality
  • Price
  • Service

PROS

+
Add Field

CONS

+
Add Field
Choose Image
Choose Video

Related Post

javascript

Reveal.js does not load in a dynamic SPA view

October 22, 2024
templates

C++ template: access members from source template struct

October 22, 2024
SQL

COUNT with WHERE condition doesn't return all rows

October 22, 2024
CSS

How can I achieve absolute positioning on a flex

October 22, 2024
C++

Create instance of a imported python class with C

October 22, 2024
HTML

Horizontal scroll: sticky element starts moving when scrolling to

October 22, 2024