Don't duplicate attrs if multiple global policies allow them

Closes #208
microcosm-cc · Jul 4, 2024 · 30fb5d7 · 30fb5d7
1 parent e244202
commit 30fb5d7
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/sanitize.go b/sanitize.go
@@ -529,9 +529,11 @@ attrsLoop:
 				if ap.regexp != nil {
 					if ap.regexp.MatchString(htmlAttr.Val) {
 						cleanAttrs = append(cleanAttrs, htmlAttr)
+						continue attrsLoop
 					}
 				} else {
 					cleanAttrs = append(cleanAttrs, htmlAttr)
+					continue attrsLoop
 				}
 			}
 		}

diff --git a/sanitize_test.go b/sanitize_test.go
@@ -4088,3 +4088,23 @@ func TestXSSGo18(t *testing.T) {
 	}
 	wg.Wait()
 }
+
+func TestIssue208(t *testing.T) {
+	// https://github.com/microcosm-cc/bluemonday/issues/208
+
+	p := NewPolicy()
+	p.AllowElements("span")
+	p.AllowAttrs("title").Matching(Paragraph).Globally()
+	p.AllowAttrs("title").Matching(regexp.MustCompile(`.*`)).Globally()
+
+	input := `<span title="a">b</span>`
+	out := p.Sanitize(input)
+	expected := `<span title="a">b</span>`
+	if out != expected {
+		t.Errorf(
+			"test failed;\ninput   : %s\noutput  : %s\nexpected: %s",
+			input,
+			out,
+			expected)
+	}
+}