diff --git a/internal/reader/sanitizer/sanitizer.go b/internal/reader/sanitizer/sanitizer.go
index 38c06ce9..a491aec1 100644
--- a/internal/reader/sanitizer/sanitizer.go
+++ b/internal/reader/sanitizer/sanitizer.go
@@ -127,9 +127,11 @@ func Sanitize(baseURL, input string) string {
 attrNames, htmlAttributes := sanitizeAttributes(baseURL, tagName, token.Attr)
 if hasRequiredAttributes(tagName, attrNames) {
 if len(attrNames) > 0 {
+ // Rewrite the start tag with allowed attributes.
 buffer.WriteString("<" + tagName + " " + htmlAttributes + ">")
 } else {
- buffer.WriteString(token.String())
+ // Rewrite the start tag without any attributes.
+ buffer.WriteString("<" + tagName + ">")
 }
 tagStack = append(tagStack, tagName)
@@ -138,7 +140,7 @@ func Sanitize(baseURL, input string) string {
 case html.EndTagToken:
 if len(blockedStack) == 0 {
 if isValidTag(tagName) && slices.Contains(tagStack, tagName) {
- buffer.WriteString(token.String())
+ buffer.WriteString("")
 }
 } else {
 if blockedStack[len(blockedStack)-1] == tagName {
@@ -155,7 +157,7 @@ func Sanitize(baseURL, input string) string {
 if len(attrNames) > 0 {
 buffer.WriteString("<" + tagName + " " + htmlAttributes + "/>")
 } else {
- buffer.WriteString(token.String())
+ buffer.WriteString("<" + tagName + "/>")
 }
 }
 }
diff --git a/internal/reader/sanitizer/sanitizer_test.go b/internal/reader/sanitizer/sanitizer_test.go
index 07044bf1..cd5250a0 100644
--- a/internal/reader/sanitizer/sanitizer_test.go
+++ b/internal/reader/sanitizer/sanitizer_test.go
@@ -685,3 +685,13 @@ func TestHiddenParagraph(t *testing.T) {
 t.Errorf(`Wrong output: "%s" != "%s"`, expected, output)
 }
 }
+
+func TestAttributesAreStripped(t *testing.T) {
+ input := `
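Review bot: The two added comments in the start-tag branch say what is written but not why `token.String()` had to go, which is the security-relevant part: it re-serialises the token with its original attributes, so a tag whose attributes were all rejected by `sanitizeAttributes` was still emitted with them. I would make the else-branch comment `// Do not use token.String(): it re-emits the original, unfiltered attributes.` and add the same comment to the self-closing branch in the `@@ -155,7 +157,7 @@` hunk, which has none. The tag is now built from `tagName` by plain concatenation, which is only safe if `tagName` has passed the allow-list; `isValidTag` is visible in the end-tag hunk but not in these two, so that is worth confirming. `Sanitize` starts and ends outside the hunks.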
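Review bot: As shown on this page the new end-tag line is `buffer.WriteString("")`, which writes nothing and would leave every element opened by the start-tag branch unclosed. Presumably the argument was a closing tag built from `tagName`, in the same way as the other two branches, and the markup was lost when the page was rendered. Check the line against the repository before relying on this text. The surrounding `case html.EndTagToken:` block continues outside the hunk.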

Some text.


Test.

`
+ expected := `

Some text.


Test.

`
+
+ output := Sanitize("http://example.org/", input)
+ if expected != output {
+ t.Errorf(`Wrong output: "%s" != "%s"`, expected, output)
+ }
+}
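Review bot: `TestAttributesAreStripped` checks a single input, while the commit changes three serialisation branches of `Sanitize` (start tag, end tag, self-closing tag). The markup inside `input` and `expected` is not legible on this page, so it is unclear whether each branch is exercised. A table-driven test with one case per branch would pin each separately: an element carrying only disallowed attributes, its end tag, and a self-closing element carrying only disallowed attributes. A further case where an element mixes an allowed and a disallowed attribute would document that the untouched `len(attrNames) > 0` path keeps filtering too.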