var sanitizeHtml = require("sanitize-html");
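// Reproduction script: shows that a non-allowlisted URL scheme survives
// sanitization when it sits inside <meta http-equiv="refresh" content="...">.

// Scheme allowlist the reporter expects to apply to every URL in the output.
const ALLOWED_SCHEMES = ['http', 'https'];

// Input under test: a meta-refresh tag whose `content` attribute carries a
// file: URL.
// NOTE(review): the literal as printed on the page (''"><meta ...') is not
// valid JavaScript; the leading quote appears to have lost its escape.
// It is reconstructed here from the "Actual behavior" output, which starts
// with '"> -- confirm against the original report.
const htmlStr = `'"><meta http-equiv="refresh" content="0;url=file:///etc/passwd" />`;

const cleanedHTML = sanitizeHtml(htmlStr, {
  // `false` turns off the attribute and tag allowlists, so every tag and
  // attribute is kept, including <meta> and its `content` attribute.
  allowedAttributes: false,
  allowedTags: false,
  // Suppresses sanitize-html's warning about permitting inherently risky tags.
  allowVulnerableTags: true,
  // Scheme filtering is applied only to the attributes named in
  // `allowedSchemesAppliedToAttributes` (href, src and cite by default).
  // The `content` value of a meta refresh is not treated as a URL, so this
  // list does not constrain the `url=` part inside it.
  allowedSchemes: ALLOWED_SCHEMES,
  allowProtocolRelative: false,
  // NOTE(review): with `allowedTags: false` no tag is disallowed, so this
  // mode presumably never triggers in this configuration -- confirm.
  disallowedTagsMode: 'completelyDiscard',
  allowedSchemesByTag: {
    img: [...ALLOWED_SCHEMES, 'data'],
  },
});

// Mitigation note: output built with this configuration should not be treated
// as safe. Use an explicit `allowedTags` / `allowedAttributes` allowlist that
// omits `meta`, or drop such tags with `exclusiveFilter`, rather than relying
// on `allowedSchemes` to cover URLs embedded in non-URL attributes.
console.log(cleanedHTML);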
Actual behavior
'"><meta http-equiv="refresh" content="0;url=file:///etc/passwd" />
Expected behavior
'"><meta http-equiv="refresh" content="0" />
**Description of the issue:**
Even though I have configured the sanitizer to allow only the ‘http’ and ‘https’ schemes, the ‘file’ scheme is still let through in the `content="0;url=file:///etc/passwd"` attribute of the `<meta http-equiv="refresh">` tag.
Details:
Version of Node.js: 18 LTS
Version of sanitize-html (npm dependency): 2.13.1, https://www.npmjs.com/package/sanitize-html