-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
false positive 'aaa<bbb' #41
Comments
@revelt thanks for reporting! I would not consider this incorrect behavior for three reasons. One, since the text does not close the opening tag, it is still dangerous HTML. Imagine this:
If Two, that Finally, the third reason is that PHP does it this way as well. You can see the behavior yourself here. |
I see your points. The main difference between our thinking is I assume nothing from the input string, it can or can't be HTML, it can be encoded or not. I came looking for a stripping library with these expectations and obviously they didn't match :) I guess I'll have to code up my own library that does what I need. Anyway, thank you for prompt investigation and resolve. |
hi guys,
check this out:
See this on Runkit: https://runkit.com/embed/nfxue95dyxv5
This is wrong isn't it?
The text was updated successfully, but these errors were encountered: