Description
What is this feature about (expected vs actual behaviour)?
When HTML is sent as part of a JSON request, xss_clean mishandles the quotation marks. Specifically, anchor tag attributes are stripped by the _filter_attributes function when the HTML is nested inside the JSON string and its quotes are therefore double-escaped.
e.g. a JSON string like
"{\"text\": \"<a href=\\\"https://google.com\\\">Google</a>\"}"
comes back as
"{\"text\": \"<a >Google</a>\"}"
Any additional information?
I think this could possibly be solved by updating the regex on line 995 in _filter_attributes to include \" as a potential attribute quote, maybe by updating the capture group to ("|'|\") as follows:
'#\s*[\p{L}\d_\-\[\]]+\s*=\s*("|\'|\\")(?:[^\1]*?)\\1#u'
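As an added illustration (not CodeIgniter's code; it uses a deliberately simplified attribute filter as a stand-in for _filter_attributes), this Python shows the mismatch the report describes: run over the raw request body the filter sees the JSON-escaped \" instead of a bare quote and drops the href, while decoding the JSON first and filtering each string value keeps it.

```python
import json
import re

# Constructed sample: the JSON request body from the report, as sent on the wire.
RAW_JSON = '{"text": "<a href=\\"https://google.com\\">Google</a>"}'

# Simplified stand-in for an attribute filter that only accepts attribute values
# delimited by a bare " or ' (hypothetical; not CodeIgniter's _filter_attributes).
ATTR_RE = re.compile(r"""\s*[\w\-\[\]]+\s*=\s*(["'])(.*?)\1""")


def filter_attributes(attr_str):
    """Keep only attributes whose value is properly quoted; drop the rest."""
    return "".join(m.group(0) for m in ATTR_RE.finditer(attr_str))


def clean_anchors(html):
    """Rebuild every <a ...> tag from the attributes the filter accepted."""
    return re.sub(r"<a\b([^>]*)>",
                  lambda m: "<a" + filter_attributes(m.group(1)) + ">", html)


def clean_raw_body(raw_json):
    """Wrong order: filtering the JSON text itself, where quotes appear as \\"."""
    return clean_anchors(raw_json)


def clean_decoded_fields(raw_json):
    """Right order: decode the JSON, filter each string value, then re-encode."""
    data = json.loads(raw_json)
    cleaned = {k: clean_anchors(v) if isinstance(v, str) else v
               for k, v in data.items()}
    return json.dumps(cleaned)


if __name__ == "__main__":
    print(clean_raw_body(RAW_JSON))        # href stripped: {"text": "<a>Google</a>"}
    print(clean_decoded_fields(RAW_JSON))  # href kept
```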