Deal with non-closing tags

2010-10-31 23:06:11 +02:00 · 2010-10-31 23:06:11 +02:00 · 6de5d2e8d2
commit 6de5d2e8d2
parent 99a0388dc2
2 changed files with 6 additions and 3 deletions
--- a/Text/HTML/SanitizeXSS.hs
+++ b/Text/HTML/SanitizeXSS.hs
@ -21,7 +21,10 @@ sanitizeXSS = renderTagsOptions renderOptions {
    safeTags m [] =
        concatMap go $ Map.toList m
      where
-        go (name, i) = replicate i $ TagClose name
+        go (name, i)
+            | noClosing name = []
+            | otherwise = replicate i $ TagClose name
+        noClosing = flip elem ["br", "img"]
    safeTags m (t@(TagClose name):tags)
        | safeTagName name =
            case Map.lookup name m of
--- a/test.hs
+++ b/test.hs
@ -1,8 +1,8 @@
 import Text.HTML.SanitizeXSS

 main = do
-  let test = " <a href='http://safe.com'>safe</a><a href='unsafe://hack.com'>anchor</a> <img src='evil://evil.com' /> <unsafe></foo> <bar /> <br></br> <b>Unbalanced</div>"
+  let test = " <a href='http://safe.com'>safe</a><a href='unsafe://hack.com'>anchor</a> <img src='evil://evil.com' /> <unsafe></foo> <bar /> <br></br> <b>Unbalanced</div><img src='http://safe.com'>"
  let actual = (sanitizeXSS test)
-  let expected = " <a href=\"http://safe.com\">safe</a><a>anchor</a> <img />   <br /> <b>Unbalanced</b>"
+  let expected = " <a href=\"http://safe.com\">safe</a><a>anchor</a> <img />   <br /> <b>Unbalanced<img src=\"http://safe.com\"></b>"
  putStrLn $ "testing: " ++ test
  putStrLn $ if actual == expected then "pass" else "failure\n" ++ "\nexpected:" ++ (show expected) ++ "\nactual:  " ++ (show actual)