From e602a4a6fe37663ebe14c23c421d3c9792508e54 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Thu, 4 Jul 2024 14:48:08 +0200
Subject: [PATCH] Fix RequireCrossOriginAnonymous when crossorigin attr is allowed
Caught by https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/unusedwrite which is on by default in gopls but apparently nowhere else.
---
 sanitize.go | 4 ++--
 sanitize_test.go | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/sanitize.go b/sanitize.go
index c1c070e..af942a4 100644
--- a/sanitize.go
+++ b/sanitize.go
@@ -762,10 +762,10 @@ attrsLoop:
 switch elementName {
 case "audio", "img", "link", "script", "video":
 var crossOriginFound bool
- for _, htmlAttr := range cleanAttrs {
+ for i, htmlAttr := range cleanAttrs {
 if htmlAttr.Key == "crossorigin" {
 crossOriginFound = true
- htmlAttr.Val = "anonymous"
+ cleanAttrs[i].Val = "anonymous"
 }
 }
diff --git a/sanitize_test.go b/sanitize_test.go
index 8e4a6d7..5f06495 100644
--- a/sanitize_test.go
+++ b/sanitize_test.go
@@ -3695,6 +3695,10 @@ func TestIssue107(t *testing.T) {
 p := UGCPolicy()
 p.RequireCrossOriginAnonymous(true)
+ p1 := UGCPolicy()
+ p1.RequireCrossOriginAnonymous(true)
+ p1.AllowAttrs("crossorigin").Globally()
+
 tests := []test{
 {
 in: ``,
@@ -3726,6 +3730,16 @@ func TestIssue107(t *testing.T) {
 tt.expected,
 )
 }
+ out = p1.Sanitize(tt.in)
+ if out != tt.expected {
+ t.Errorf(
+ "test %d failed with policy p1;\ninput : %s\noutput : %s\nexpected: %s",
+ ii,
+ tt.in,
+ out,
+ tt.expected,
+ )
+ }
 wg.Done()
 }(ii, tt)
 }
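Review bot: The new loop still binds a per-element copy (`htmlAttr`) that is now read only for its `Key`, which is exactly the shape that let the original write-to-copy slip through and left whatever `crossorigin` value the input carried untouched whenever the attribute was allowed by the policy. Indexing throughout removes the trap and makes the write-through intent visible: `for i := range cleanAttrs {` / `if cleanAttrs[i].Key == "crossorigin" {`. A one-line comment above the loop would also help the next reader, e.g. `// Write through the index: mutating the range copy is silently discarded.` The enclosing function and the `attrsLoop` label both start and end outside this hunk.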
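Review bot: The added p1 check only exercises the fix if the table between the two hunks contains an input whose `crossorigin` value on one of the five affected elements is something other than `anonymous` (an empty value would do), because that is the only input where the old write-to-copy code and the new index write diverge; when the attribute is absent or stripped, both policies presumably take the same append path after the loop. I cannot see the table from this hunk, so it is worth confirming such a case exists or adding one with `crossorigin="use-credentials"`. The p and p1 blocks are otherwise line-for-line identical; iterating `for _, pol := range []*Policy{p, p1}` (assuming UGCPolicy returns `*Policy`) would avoid the duplicated Errorf. TestIssue107 starts and ends outside this hunk.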