Analyze FilterHTMLTags function for improvements

Author: JoannaaKL

pkg/sanitize/sanitize.go

@@ -1,10 +1,13 @@
 package sanitize
 
 import (
-	"github.com/microcosm-cc/bluemonday"
+    "sync"
+
+    "github.com/microcosm-cc/bluemonday"
 )
 
 var policy *bluemonday.Policy
+var policyOnce sync.Once
 
 func Sanitize(input string) string {
 	return FilterHTMLTags(FilterInvisibleCharacters(input))
@@ -31,24 +34,44 @@ func FilterInvisibleCharacters(input string) string {
 }
 
 func FilterHTMLTags(input string) string {
-	if policy == nil {
-		policyInit()
-	}
+    if policy == nil {
+        policyInit()
+    }
 	if input == "" {
 		return input
 	}
 	return policy.Sanitize(input)
 }
 
 func policyInit() {
-	if policy != nil {
-		return
-	}
-	policy = bluemonday.StrictPolicy()
-	policy.AllowElements("b", "blockquote", "br", "code", "em", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i", "li", "ol", "p", "pre", "strong", "sub", "sup", "table", "tbody", "td", "th", "thead", "tr", "ul")
-	policy.AllowAttrs("img", "a")
-	policy.AllowURLSchemes("https")
-	policy.AllowImages()
+    policyOnce.Do(func() {
+        p := bluemonday.StrictPolicy()
+
+        // Safe textual/formatting elements only
+        p.AllowElements(
+            "b", "blockquote", "br", "code", "em",
+            "h1", "h2", "h3", "h4", "h5", "h6",
+            "hr", "i", "li", "ol", "p", "pre",
+            "strong", "sub", "sup", "table", "tbody",
+            "td", "th", "thead", "tr", "ul",
+            // Explicitly allow anchors and images with constrained attributes
+            "a", "img",
+        )
+
+        // Links: only allow https href and require parseable URLs
+        p.AllowAttrs("href").OnElements("a")
+        p.AllowURLSchemes("https")
+        p.RequireParseableURLs(true)
+        p.RequireNoFollowOnLinks()
+        p.RequireNoReferrerOnLinks()
+        p.AddTargetBlankToFullyQualifiedLinks()
+
+        // Images: allow only https src and basic descriptive attributes
+        p.AllowImages()
+        p.AllowAttrs("src", "alt", "title").OnElements("img")
+
+        policy = p
+    })
 }
 
 func shouldRemoveRune(r rune) bool {

pkg/sanitize/sanitize_test.go

@@ -1,5 +1,82 @@
 package sanitize
 
+import "testing"
+
+func TestFilterHTMLTags(t *testing.T) {
+    tests := []struct {
+        name     string
+        in       string
+        expected string
+    }{
+        {
+            name:     "anchor https allowed",
+            in:       `<a href="https://good.com">ok</a>`,
+            expected: `<a href="https://good.com">ok</a>`,
+        },
+        {
+            name:     "anchor javascript stripped href",
+            in:       `<a href="javascript:alert(1)">bad</a>`,
+            expected: `<a>bad</a>`,
+        },
+        {
+            name:     "anchor protocol-relative href removed",
+            in:       `<a href="//example.com">text</a>`,
+            expected: `<a>text</a>`,
+        },
+        {
+            name:     "anchor relative href removed",
+            in:       `<a href="/path">rel</a>`,
+            expected: `<a>rel</a>`,
+        },
+        {
+            name:     "image https allowed",
+            in:       `<img src="https://img.example/x.png" alt="x" title="y">`,
+            expected: `<img src="https://img.example/x.png" alt="x" title="y">`,
+        },
+        {
+            name:     "image data uri src removed",
+            in:       `<img src="data:image/svg+xml,xxx" alt="x">`,
+            expected: `<img alt="x">`,
+        },
+        {
+            name:     "image srcset removed",
+            in:       `<img src="https://a/x.png" srcset="https://a 1x, https://b 2x" alt="x">`,
+            expected: `<img src="https://a/x.png" alt="x">`,
+        },
+        {
+            name:     "onclick removed",
+            in:       `<p onclick="alert(1)">text</p>`,
+            expected: `<p>text</p>`,
+        },
+        {
+            name:     "script removed",
+            in:       `<script>alert(1)</script>ok`,
+            expected: `ok`,
+        },
+        {
+            name:     "iframe removed",
+            in:       `<iframe src="https://example.com"></iframe>ok`,
+            expected: `ok`,
+        },
+        {
+            name:     "style attribute removed",
+            in:       `<p style="color:red">x</p>`,
+            expected: `<p>x</p>`,
+        },
+    }
+
+    for _, tt := range tests {
+        t.Run(tt.name, func(t *testing.T) {
+            got := FilterHTMLTags(tt.in)
+            if got != tt.expected {
+                t.Fatalf("unexpected sanitize result.\ninput:    %q\nexpected: %q\nactual:   %q", tt.in, tt.expected, got)
+            }
+        })
+    }
+}
+
+package sanitize
+
 import (
 	"testing"