package security

v0.20.0
Published: Apr 22, 2026 License: GPL-3.0 Imports: 3 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var JavascriptURIPattern = regexp.MustCompile(
	`(?i)=[\s\x0b]*["']?[\s\x0b]*` +
		`(?:` +
		`(?:&(?:amp;)?#x0*(?:9|a|b|c|d|20);?)` +
		`|(?:&(?:amp;)?#0*(?:9|10|11|12|13|32);?)` +
		`|(?:&(?:tab|newline);)` +
		`|[\s\x0b]` +
		`)*` +
		`javascript:`,
)

JavascriptURIPattern matches javascript: in attribute contexts only, including HTML-entity-encoded leading whitespace bypasses (tab, LF, VT, FF, CR, space) in hex, decimal, and named (&Tab;, &NewLine;) forms. Semicolons on numeric entities are optional to match legacy browser behaviour. Double-encoded numeric entity prefixes (&amp;#x9;, &amp;#9;) are also matched; the named forms are only matched single-encoded. The explicit \x0b is needed because Go's \s does not include vertical tab.

The pattern avoids false positives on plain text like "JavaScript: a language" by requiring an = before the value (attribute context). It does not match whitespace inside the scheme itself (for example java&#x0a;script:, where browsers strip tab, LF and CR from the URL before parsing it), so it is a detection aid for warning on saves and should not be relied on in place of SanitizePageHTML.

var SuspiciousPageHTMLTokens = []string{
	"<script",
	"onerror=",
	"onload=",
	"<iframe",
}

SuspiciousPageHTMLTokens lists substrings that indicate potentially malicious markup in user-supplied page HTML.

Functions

func DetectSuspiciousHTMLTokens added in v0.18.1

func DetectSuspiciousHTMLTokens(body string) []string

DetectSuspiciousHTMLTokens returns the subset of SuspiciousPageHTMLTokens found in body (case-insensitive), plus "javascript:" if the URI pattern matches. Callers use the result to warn or block page saves.
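The following program exercises the documented behaviour of JavascriptURIPattern and DetectSuspiciousHTMLTokens against constructed inputs. It is an added example, not code from this package: the pattern and token list are copied verbatim from the documentation above, while detectSuspiciousHTMLTokens is an assumed reimplementation of the documented contract (the package's own function body is not shown on the page). The samples cover each entity-encoded whitespace form the pattern claims to catch, the plain-text false-positive case it claims to avoid, and one interior-whitespace case it does not cover.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// javascriptURIPattern is the package's JavascriptURIPattern, copied verbatim
// from the documentation above so this file compiles without importing it.
var javascriptURIPattern = regexp.MustCompile(
	`(?i)=[\s\x0b]*["']?[\s\x0b]*` +
		`(?:` +
		`(?:&(?:amp;)?#x0*(?:9|a|b|c|d|20);?)` +
		`|(?:&(?:amp;)?#0*(?:9|10|11|12|13|32);?)` +
		`|(?:&(?:tab|newline);)` +
		`|[\s\x0b]` +
		`)*` +
		`javascript:`,
)

// suspiciousPageHTMLTokens mirrors SuspiciousPageHTMLTokens from the page.
var suspiciousPageHTMLTokens = []string{"<script", "onerror=", "onload=", "<iframe"}

// detectSuspiciousHTMLTokens is an assumed reimplementation of the documented
// contract of DetectSuspiciousHTMLTokens (the package's actual body is not on
// the page): substring tokens are matched case-insensitively, and
// "javascript:" is appended when the URI pattern fires.
func detectSuspiciousHTMLTokens(body string) []string {
	lower := strings.ToLower(body)
	var found []string
	for _, tok := range suspiciousPageHTMLTokens {
		if strings.Contains(lower, tok) {
			found = append(found, tok)
		}
	}
	if javascriptURIPattern.MatchString(body) {
		found = append(found, "javascript:")
	}
	return found
}

// sample is a constructed input paired with whether the URI pattern is
// expected to fire on it.
type sample struct {
	name string
	html string
	want bool
}

// samples are constructed test inputs: the documented bypass forms, the
// documented false-positive case, and the interior-whitespace case that the
// pattern does not cover.
func samples() []sample {
	return []sample{
		{"quoted", `<a href="javascript:alert(1)">x</a>`, true},
		{"unquoted", `<a href=javascript:alert(1)>x</a>`, true},
		{"raw tab before scheme", "<a href=\"\tjavascript:alert(1)\">x</a>", true},
		{"raw vertical tab (not in Go's \\s)", "<a href=\"\x0bjavascript:alert(1)\">x</a>", true},
		{"hex entity, no semicolon", `<a href="&#x09javascript:alert(1)">x</a>`, true},
		{"decimal entity, zero padded", `<a href="&#0000010;javascript:alert(1)">x</a>`, true},
		{"named entity, mixed case", `<a href="&Tab;javascript:alert(1)">x</a>`, true},
		{"double-encoded numeric entity", `<a href="&amp;#x20;javascript:alert(1)">x</a>`, true},
		{"prose, no attribute context", `JavaScript: a language for the web`, false},
		{"LF inside the scheme (not covered)", "<a href=\"java\nscript:alert(1)\">x</a>", false},
	}
}

// checkSamples returns the names of samples whose pattern result disagrees
// with the expectation; an empty slice means every case behaved as documented.
func checkSamples() []string {
	var mismatches []string
	for _, s := range samples() {
		if javascriptURIPattern.MatchString(s.html) != s.want {
			mismatches = append(mismatches, s.name)
		}
	}
	return mismatches
}

func main() {
	for _, s := range samples() {
		fmt.Printf("%-40s match=%v\n", s.name, javascriptURIPattern.MatchString(s.html))
	}
	// A page body combining an event-handler token with an entity-encoded
	// javascript: URI yields both findings.
	body := `<IMG SRC=x OnError=alert(1)><a href="&NewLine;javascript:alert(1)">x</a>`
	fmt.Println("findings:", detectSuspiciousHTMLTokens(body))
	fmt.Println("mismatches:", checkSamples())
}
```

The last sample is the point to keep in mind when wiring this into a save path: an LF between "java" and "script" survives the pattern but is stripped by browsers when they parse the URL, so the token check is a warning signal on top of SanitizePageHTML, not a substitute for it.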

func SanitizePageHTML

func SanitizePageHTML(raw string) string

SanitizePageHTML sanitizes rich-text page HTML with a conservative UGC policy.

Types

This section is empty.
