Hi @jhy and first of all thanks for the amazing work with the library.
I'm facing a situation where I would need the Entities.EscapeMode.none option.
In this pull request you say:

> If you want plain text output, use one of the .text() methods. If one of those doesn't fit the use case, I'd be happy to hear more about the use case and we can explore ways to improve those.
I was using .text() until now, but I found a weird behaviour. If the input is something like: `<script src=\\\"https://xss.cacker.io/\\\">removed script </script>`
Then JSoup will include it in the document, and when extracting the text we will get: `<script src=\"https://xss.cacker.io/\">removed script </script>`
This 1) turns encoded, non-dangerous input into input that could be dangerous, and most importantly 2) modifies user input. My goal would be to sanitize input but modify it as little as possible and only based on the data in the SafeLists. Data is not always output after using Jsoup, but sometimes also saved into a DB, and having encoded text is not desirable.
I know JSoup tries to do both output encoding (with valid HTML) and input sanitization, but in my case I only need Input Sanitization, so it would be really great to have a flag that allows me to do that.
What could be a way to solve this issue I have?
Thanks in advance.
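The two behaviours discussed in the issue (entity-encoded input decoded by `.text()`, versus the encoding surviving when the cleaned document is re-serialised as HTML) reproduced as an added example. This is not jsoup's own code and not code from the issue author; the input string is constructed for the example, `https://example.invalid/` stands in for the URL in the report, and the `Safelist.basic()` choice and the `xhtml` escape mode are assumptions about what the reporter's set-up might look like.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Entities;
import org.jsoup.safety.Cleaner;
import org.jsoup.safety.Safelist;

public class SanitizeDemo {

    // Constructed sample input (not from the issue): an entity-encoded script tag,
    // which is harmless text as far as HTML is concerned, followed by a real script
    // element and some markup that the safelist allows. The URL is a placeholder.
    static final String INPUT =
        "&lt;script src=\"https://example.invalid/\"&gt;removed script&lt;/script&gt; "
        + "<script src=\"https://example.invalid/\">real script</script>"
        + "<b>bold</b> &amp; <i>italic</i>";

    // Runs the safelist cleaner over a body fragment. Disallowed elements such as
    // <script> are dropped; entity-encoded text is kept as an ordinary text node.
    static Document clean(String html, Safelist safelist) {
        return new Cleaner(safelist).clean(Jsoup.parseBodyFragment(html));
    }

    // Plain-text view: entities are decoded, so the encoded "&lt;script" comes back
    // as a literal "<script ...>" string. This is the behaviour the issue describes.
    static String asText(String html) {
        return clean(html, Safelist.basic()).body().text();
    }

    // HTML view: the cleaned tree is re-serialised, so "&lt;" stays "&lt;".
    // escapeMode(xhtml) limits escaping to the five XML characters, and
    // prettyPrint(false) stops jsoup from re-indenting the user's text.
    static String asHtml(String html) {
        Document doc = clean(html, Safelist.basic());
        doc.outputSettings()
           .escapeMode(Entities.EscapeMode.xhtml)
           .prettyPrint(false);
        return doc.body().html();
    }

    public static void main(String[] args) {
        System.out.println("text(): " + asText(INPUT));
        System.out.println("html(): " + asHtml(INPUT));
    }
}
```

Running this, `asText` returns the decoded `<script src="https://example.invalid/">removed script</script>` as text (followed by the allowed content, with the real script element and its contents removed by the safelist), while `asHtml` returns the same cleaned content with `&lt;script` still entity-encoded. The decoded text is only a problem if it is later written into an HTML context without being escaped again; if the value is stored in a database and then rendered, it still needs output encoding at the point where it is emitted.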