func ExamplePolicy_Sanitize() { // UGCPolicy is a convenience policy for user generated content. p := bluemonday.UGCPolicy() // string in, string out html := p.Sanitize(`<a onblur="alert(secret)" href="http://www.google.com">Google</a>`) fmt.Println(html) // Output: //<a href="http://www.google.com" rel="nofollow">Google</a> }
func ExamplePolicy_SanitizeReader() { // UGCPolicy is a convenience policy for user generated content. p := bluemonday.UGCPolicy() // io.Reader in, bytes.Buffer out r := strings.NewReader(`<a onblur="alert(secret)" href="http://www.google.com">Google</a>`) buf := p.SanitizeReader(r) fmt.Println(buf.String()) // Output: //<a href="http://www.google.com" rel="nofollow">Google</a> }
func ExamplePolicy_SanitizeBytes() { // UGCPolicy is a convenience policy for user generated content. p := bluemonday.UGCPolicy() // []byte in, []byte out b := []byte(`<a onblur="alert(secret)" href="http://www.google.com">Google</a>`) b = p.SanitizeBytes(b) fmt.Println(string(b)) // Output: //<a href="http://www.google.com" rel="nofollow">Google</a> }
func New(file string, cfg *config.Config) (md Markdown, err error) { if path.Ext(file) == "" { file = path.Join(file, cfg.Index) } md = Markdown{Path: path.Join(cfg.Basedir, file)} if !md.IsValid() { return md, errors.New(fmt.Sprintf("invalid extension: %s", path.Ext(md.Path))) } md.Markdown, err = ioutil.ReadFile(md.Path) md.Body = string(bluemonday.UGCPolicy().SanitizeBytes(blackfriday.MarkdownCommon(md.Markdown))) ll.Debug(nil, map[string]interface{}{ "at": "markdown.New", "file": file, "cfg": fmt.Sprintf("%+v", *cfg), "md": fmt.Sprintf("%+v", md), }) return }
func Example() { // Create a new policy p := bluemonday.NewPolicy() // Add elements to a policy without attributes p.AllowElements("b", "strong") // Add elements as a virtue of adding an attribute p.AllowAttrs("nowrap").OnElements("td", "th") // Attributes can either be added to all elements p.AllowAttrs("dir").Globally() //Or attributes can be added to specific elements p.AllowAttrs("value").OnElements("li") // It is ALWAYS recommended that an attribute be made to match a pattern // XSS in HTML attributes is a very easy attack vector // \p{L} matches unicode letters, \p{N} matches unicode numbers p.AllowAttrs("title").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).Globally() // You can stop at any time and call .Sanitize() // Assumes that string htmlIn was passed in from a HTTP POST and contains // untrusted user generated content htmlIn := `untrusted user generated content <body onload="alert('XSS')">` fmt.Println(p.Sanitize(htmlIn)) // And you can take any existing policy and extend it p = bluemonday.UGCPolicy() p.AllowElements("fieldset", "select", "option") // Links are complex beasts and one of the biggest attack vectors for // malicious content so we have included features specifically to help here. // This is not recommended: p = bluemonday.NewPolicy() p.AllowAttrs("href").Matching(regexp.MustCompile(`(?i)mailto|https?`)).OnElements("a") // The regexp is insufficient in this case to have prevented a malformed // value doing something unexpected. // This will ensure that URLs are not considered invalid by Go's net/url // package. p.RequireParseableURLs(true) // If you have enabled parseable URLs then the following option will allow // relative URLs. By default this is disabled and will prevent all local and // schema relative URLs (i.e. `href="//www.google.com"` is schema relative). p.AllowRelativeURLs(true) // If you have enabled parseable URLs then you can whitelist the schemas // that are permitted. Bear in mind that allowing relative URLs in the above // option allows for blank schemas. p.AllowURLSchemes("mailto", "http", "https") // Regardless of whether you have enabled parseable URLs, you can force all // URLs to have a rel="nofollow" attribute. This will be added if it does // not exist. // This applies to "a" "area" "link" elements that have a "href" attribute p.RequireNoFollowOnLinks(true) // We provide a convenience function that applies all of the above, but you // will still need to whitelist the linkable elements: p = bluemonday.NewPolicy() p.AllowStandardURLs() p.AllowAttrs("cite").OnElements("blockquote") p.AllowAttrs("href").OnElements("a", "area") p.AllowAttrs("src").OnElements("img") // Policy Building Helpers // If you've got this far and you're bored already, we also bundle some // other convenience functions p = bluemonday.NewPolicy() p.AllowStandardAttributes() p.AllowImages() p.AllowLists() p.AllowTables() }