

Merge pull request #115 from zeripath/empty-query-keys
Sanitize should not forcibly add values to query components
buro9 committed Apr 9, 2021
2 parents 1c2d09d + 506247d commit 9de6a94
Showing 2 changed files with 15 additions and 10 deletions.
21 changes: 13 additions & 8 deletions sanitize.go
Expand Up @@ -124,8 +124,9 @@ func escapeUrlComponent(val string) string {

// Query represents a query
type Query struct {
Key string
Value string
Key string
Value string
HasValue bool
}

func parseQuery(query string) (values []Query, err error) {
Expand All @@ -140,8 +141,10 @@ func parseQuery(query string) (values []Query, err error) {
continue
}
value := ""
hasValue := false
if i := strings.Index(key, "="); i >= 0 {
key, value = key[:i], key[i+1:]
hasValue = true
}
key, err1 := url.QueryUnescape(key)
if err1 != nil {
Expand All @@ -158,8 +161,9 @@ func parseQuery(query string) (values []Query, err error) {
continue
}
values = append(values, Query{
Key: key,
Value: value,
Key: key,
Value: value,
HasValue: hasValue,
})
}
return values, err
Expand All @@ -169,8 +173,10 @@ func encodeQueries(queries []Query) string {
var b strings.Builder
for i, query := range queries {
b.WriteString(url.QueryEscape(query.Key))
b.WriteString("=")
b.WriteString(url.QueryEscape(query.Value))
if query.HasValue {
b.WriteString("=")
b.WriteString(url.QueryEscape(query.Value))
}
if i < len(queries)-1 {
b.WriteString("&")
}
Expand Down Expand Up @@ -965,7 +971,6 @@ func (p *Policy) matchRegex(elementName string) (map[string]attrPolicy, bool) {
return aps, matched
}


// normaliseElementName takes a HTML element like <script> which is user input
// and returns a lower case version of it that is immune to UTF-8 to ASCII
// conversion tricks (like the use of upper case cyrillic i scrİpt which a
Expand All @@ -983,4 +988,4 @@ func normaliseElementName(str string) string {
`"`),
`"`,
)
}
}
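Review bot: The new exported field `HasValue` on `Query` carries no doc comment, and its contract — that the component contained an `=`, so `key=` (empty value) and a bare `key` are re-encoded differently — is only discoverable by reading parseQuery, which is the kind of round-trip detail a later change can easily regress. I'd document it on the field: `// HasValue is true when the component contained an "="; it lets encodeQueries keep "key=" and a bare "key" distinct instead of inventing a value.` Note that the bodies of parseQuery and encodeQueries continue outside the hunks shown, and that a component that is just `=` still round-trips as an empty key with HasValue set, which appears intentional but is worth a sentence in that comment.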
4 changes: 2 additions & 2 deletions sanitize_test.go
Expand Up @@ -152,8 +152,8 @@ func TestLinks(t *testing.T) {
expected: `<img src="giraffe.gif"/>`,
},
{
in: `<img src="giraffe.gif?height=500&width=500" />`,
expected: `<img src="giraffe.gif?height=500&width=500"/>`,
in: `<img src="giraffe.gif?height=500&width=500&flag" />`,
expected: `<img src="giraffe.gif?height=500&width=500&flag"/>`,
},
}

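Review bot: The new case pins the bare-key form (`&flag`) but not its complement, an explicit empty value (`key=`), so a regression that drops the `=` when Value is empty while HasValue is true would pass this table unnoticed. I'd add a sibling case such as `in: `<img src="giraffe.gif?height=&flag" />`, expected: `<img src="giraffe.gif?height=&flag"/>`,`, assuming the policy used by this table allows `src` the same way the existing cases rely on. TestLinks begins before and ends after the hunk shown.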
