What is this feature about (expected vs actual behaviour)?
When HTML is sent as part of a JSON request, xss_clean has some issues with quotations. Specifically, anchor tag attributes are stripped away by the _filter_attributes function when HTML is nested and there are double-escaped quotations.
e.g. a JSON string like "{\"text\": \"<a href=\\\"https://google.com\\\">Google</a>\"}" is returned as {\"text\": \"<a >Google</a>\"}"
Any additional information?
I think this could possibly be solved by updating the regex on line 995 in _filter_attributes to include \" as a potential attribute quote.
Maybe by updating the capture group to ("|'|\") as follows: '#\s*[\p{L}\d_\-\[\]]+\s*=\s*("|\'|\\")(?:[^\1]*?)\\1#u'
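The behaviour described in this issue, reproduced with a small stand-in filter (added here as an illustration; this is not CodeIgniter's own _filter_attributes, and the tag and attribute patterns are constructed approximations that keep only attributes quoted with " or '). It shows the attribute being lost when the filter runs over the raw JSON text, and preserved when the JSON is decoded before the HTML is filtered:

```python
import json
import re

# Simplified stand-in for an attribute-keeping pass (NOT CodeIgniter's code):
# only name="value" / name='value' pairs are recognised, everything else in
# the tag is dropped. The ("|') alternation mirrors the capture group the
# issue proposes to extend.
ATTR_RE = re.compile(r'''\s*[\w\-\[\]]+\s*=\s*("|')(?:.*?)\1''')

# Opening tags only; "</a>" starts with "/" so it is left untouched.
TAG_RE = re.compile(r'<(?P<tag>[a-z][\w\-]*)(?P<attrs>[^>]*)>', re.IGNORECASE)


def filter_attributes(attr_str: str) -> str:
    """Return only the attribute pairs ATTR_RE recognises, concatenated."""
    return ''.join(m.group(0) for m in ATTR_RE.finditer(attr_str))


def clean_tags(html: str) -> str:
    """Rewrite each opening tag so it carries only recognised attributes."""
    def fix(m: re.Match) -> str:
        kept = filter_attributes(m.group('attrs')).strip()
        return '<%s %s>' % (m.group('tag'), kept) if kept else '<%s >' % m.group('tag')
    return TAG_RE.sub(fix, html)


# Constructed request body, exactly as it crosses the wire: inside the JSON
# string the attribute quotes are \" rather than bare ".
RAW_BODY = '{"text": "<a href=\\"https://google.com\\">Google</a>"}'


def clean_raw_body(body: str) -> str:
    """Filter the undecoded JSON text: href=\\"...\\" never matches ("|'),
    so the whole attribute is discarded and <a > is what remains."""
    return clean_tags(body)


def clean_decoded_field(body: str) -> str:
    """Decode the JSON first, filter the plain HTML, then re-encode, so the
    filter sees the quoting the HTML grammar actually uses."""
    data = json.loads(body)
    data['text'] = clean_tags(data['text'])
    return json.dumps(data)


if __name__ == '__main__':
    print(clean_raw_body(RAW_BODY))       # {"text": "<a >Google</a>"}
    print(clean_decoded_field(RAW_BODY))  # href is preserved
```

The general point is that a filter written against HTML's own quoting rules should run on the decoded field value, not on an outer encoding layer such as JSON.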