Merge pull request #5 from JuliaComputing/sp/no-svg-math

fix: remove `math` and `svg` content by default

Author: pfitzseb

.github/workflows/CI.yml

@@ -4,31 +4,20 @@ on:
   push:
     branches:
       - master
-    tags: '*'
+    tags: ["*"]
 jobs:
   test:
-    name: Julia ${{ matrix.version }} - ${{ matrix.os }} - ${{ matrix.arch }} - ${{ github.event_name }}
     runs-on: ${{ matrix.os }}
     strategy:
-      fail-fast: false
       matrix:
-        version:
-          - '1.6'
-          - '1.7'
-          - 'nightly'
-        os:
-          - ubuntu-latest
-        arch:
-          - x64
-    env:
-      PYTHON: ""
+        channel: ['1.6', '1.10', '1.12', 'nightly']
+        os: [ubuntu-latest]
     steps:
-      - uses: actions/checkout@v2
-      - uses: julia-actions/setup-julia@v1
+      - uses: actions/checkout@v4
+      - uses: julia-actions/install-juliaup@v2
         with:
-          version: ${{ matrix.version }}
-          arch: ${{ matrix.arch }}
-      - uses: actions/cache@v1
+           channel: ${{matrix.channel}}
+      - uses: actions/cache@v4
         env:
           cache-name: cache-artifacts
         with:
@@ -39,4 +28,4 @@ jobs:
             ${{ runner.os }}-test-
             ${{ runner.os }}-
       - uses: julia-actions/julia-buildpkg@v1
-      - uses: julia-actions/julia-runtest@v1
+      - uses: julia-actions/julia-runtest@v1

README.md

@@ -6,6 +6,10 @@ Whitelist-based HTML sanitizer inspired by [sanitize](https://github.com/rgrove/
 
 HTMLSanitizer.jl parses your source HTML with [Gumbo.jl](https://github.com/JuliaWeb/Gumbo.jl) and then filters tags and attributes according to a whitelist. The default whitelists are fairly close to GitHubs pipeline for rendering markdown to HTML.
 
+> [!WARNING]
+>
+> HTMLSanitizer removes the content of `<math>` and `<svg>` [foreign elements](https://html.spec.whatwg.org/multipage/syntax.html#foreign-elements) by default. Allowing these elements may cause vulnerabilities.
+
 ## Usage
 
 ```

src/HTMLSanitizer.jl

@@ -147,7 +147,7 @@ const WHITELIST = Dict(
         "summary","details","caption","figure","figcaption","abbr","bdo","cite","dfn","mark",
         "small","span","time","wbr","center"
     ],
-    :remove_contents => ["script"],
+    :remove_contents => ["script", "math", "svg"],
     :attributes => Dict(
         "a"          => ["href"],
         "img"        => ["src", "longdesc"],

test/runtests.jl

@@ -124,6 +124,16 @@ using Test
       </details>"""
     @test replace(orig, "\n" => "") == replace(HTMLSanitizer.sanitize(orig), "\n" => "")
   end
+
+  @testset "svg" begin
+    orig = """<svg><style>&lt;/style>&lt;img src onerror=alert(1)>"""
+    @test "" == HTMLSanitizer.sanitize(orig)
+  end
+
+  @testset "math" begin
+    orig = """<math><style>&lt;/style>&lt;img src onerror=alert(1)>"""
+    @test "" == HTMLSanitizer.sanitize(orig)
+  end
 end
 
 @testset "preserve relevant whitespace" begin