
Fix RequireCrossOriginAnonymous when crossorigin attr is allowed
Caught by
https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/unusedwrite
which is on by default in gopls but apparently nowhere else.
FiloSottile committed Jul 4, 2024
1 parent 37251d9 commit e602a4a
Showing 2 changed files with 16 additions and 2 deletions.
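--- a/sanitize.go
+++ b/sanitize.go
@@ -762,10 +762,10 @@ attrsLoop:
 switch elementName {
 case "audio", "img", "link", "script", "video":
 var crossOriginFound bool
-for _, htmlAttr := range cleanAttrs {
+for i, htmlAttr := range cleanAttrs {
 if htmlAttr.Key == "crossorigin" {
 crossOriginFound = true
-htmlAttr.Val = "anonymous"
+cleanAttrs[i].Val = "anonymous"
 }
 }
 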
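Review bot: The new `cleanAttrs[i].Val = "anonymous"` line is correct but carries no explanation of why the write goes through the slice, so the next refactor to `for _, a := range` will silently reintroduce the same bug; add `// htmlAttr is a copy of the slice element; write through the index so the override survives.` above it. Since `htmlAttr` is now only read for its Key, the loop could also be written as `for i := range cleanAttrs { if cleanAttrs[i].Key == "crossorigin" { … } }`, which makes the by-index write the only form in the loop. The commit message notes that `unusedwrite` runs only in gopls; wiring that analyzer (or staticcheck) into CI would have caught this before release, and is worth doing given that the bug let a policy-mandated `crossorigin="anonymous"` silently not be applied. The enclosing function and the `attrsLoop` label start before and end after this hunk.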
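--- a/sanitize_test.go
+++ b/sanitize_test.go
@@ -3695,6 +3695,10 @@ func TestIssue107(t *testing.T) {
 p := UGCPolicy()
 p.RequireCrossOriginAnonymous(true)
 
+p1 := UGCPolicy()
+p1.RequireCrossOriginAnonymous(true)
+p1.AllowAttrs("crossorigin").Globally()
+
 tests := []test{
 {
 in: `<img src="/path" />`,
@@ -3726,6 +3730,16 @@ func TestIssue107(t *testing.T) {
 tt.expected,
 )
 }
+out = p1.Sanitize(tt.in)
+if out != tt.expected {
+t.Errorf(
+"test %d failed with policy p1;\ninput : %s\noutput : %s\nexpected: %s",
+ii,
+tt.in,
+out,
+tt.expected,
+)
+}
 wg.Done()
 }(ii, tt)
 }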
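Review bot: The p1 check only exercises the fixed write if the table contains an input whose `crossorigin` attribute carries a non-anonymous value, such as `<img src="/path" crossorigin="use-credentials" />` expecting `crossorigin="anonymous"` in the output; the visible case `<img src="/path" />` has no attribute to overwrite, and under `p` the attribute is stripped before the loop ever sees it, so without such a row the regression could return unnoticed. The table's remaining rows are outside this hunk, so this is hedged, but it is worth confirming since `use-credentials` is exactly the value the policy exists to suppress. The duplicated p/p1 assertion bodies could be folded into a loop over `[]*Policy{p, p1}` with the policy name in the error message. TestIssue107 starts before and ends after both hunks.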
