qvalentin/wormspace
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

make challenge easier

Browse source
This commit is contained in:
qvalentin 2025-03-08 10:23:47 +01:00
parent 32253fe7eb
commit ae1dcdf4a1
1 changed files with 56 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

112
main.go
View file

@ -17,6 +17,62 @@ import (
"golang.org/x/net/html" "golang.org/x/net/html"
) )
// sanitizeHTML filters the input, allowing only <img> and <a> tags with "style" and "onload" attributes.
func sanitizeHTML(input string) string {
doc, err := html.Parse(strings.NewReader(input))
if err != nil {
return ""
}
var buf bytes.Buffer
processNode(&buf, doc)
str := buf.String()
cleaned := strings.ReplaceAll(str, "onreadystatechange", "")
return cleaned
}
// processNode recursively processes nodes, allowing only specific elements and attributes.
func processNode(buf *bytes.Buffer, n *html.Node) {
if n.Type == html.ElementNode {
if n.Data != "img" && n.Data != "a" {
// Skip non-allowed tags but still process children
for c := n.FirstChild; c != nil; c = c.NextSibling {
processNode(buf, c)
}
return
}
// Start tag
buf.WriteString("<" + n.Data)
// Filter attributes
for _, attr := range n.Attr {
if attr.Key == "onerror" || attr.Key == "src" || attr.Key == "href" {
buf.WriteString(fmt.Sprintf(` %s="%s"`, attr.Key, attr.Val))
}
}
buf.WriteString(">")
// Process child nodes (for <a> which can have text)
for c := n.FirstChild; c != nil; c = c.NextSibling {
processNode(buf, c)
}
// Close tag
buf.WriteString("</" + n.Data + ">")
} else if n.Type == html.TextNode {
// Preserve text inside <a> tags
buf.WriteString(n.Data)
}
// Process other children
for c := n.FirstChild; c != nil; c = c.NextSibling {
processNode(buf, c)
}
}
type User struct { type User struct {
ID int ID int
Name string Name string
@ -117,62 +173,6 @@ func getHeros(username string) []string {
return heros return heros
} }
// sanitizeHTML filters the input, allowing only <img> and <a> tags with "style" and "onload" attributes.
func sanitizeHTML(input string) string {
doc, err := html.Parse(strings.NewReader(input))
if err != nil {
return ""
}
var buf bytes.Buffer
processNode(&buf, doc)
str := buf.String()
cleaned := strings.ReplaceAll(str, "onreadystatechange", "")
return cleaned
}
// processNode recursively processes nodes, allowing only specific elements and attributes.
func processNode(buf *bytes.Buffer, n *html.Node) {
if n.Type == html.ElementNode {
if n.Data != "img" && n.Data != "a" {
// Skip non-allowed tags but still process children
for c := n.FirstChild; c != nil; c = c.NextSibling {
processNode(buf, c)
}
return
}
// Start tag
buf.WriteString("<" + n.Data)
// Filter attributes
for _, attr := range n.Attr {
if attr.Key == "onerror" || attr.Key == "src" || attr.Key == "href" {
buf.WriteString(fmt.Sprintf(` %s="%s"`, attr.Key, attr.Val))
}
}
buf.WriteString(">")
// Process child nodes (for <a> which can have text)
for c := n.FirstChild; c != nil; c = c.NextSibling {
processNode(buf, c)
}
// Close tag
buf.WriteString("</" + n.Data + ">")
} else if n.Type == html.TextNode {
// Preserve text inside <a> tags
buf.WriteString(n.Data)
}
// Process other children
for c := n.FirstChild; c != nil; c = c.NextSibling {
processNode(buf, c)
}
}
func addPost(w http.ResponseWriter, r *http.Request) { func addPost(w http.ResponseWriter, r *http.Request) {
user := getUser(r) user := getUser(r)
if user == nil { if user == nil {