-
-
Save gregxsunday/4b08ea3f4b3961ac9cefcc3673b7c3c5 to your computer and use it in GitHub Desktop.
Source code relevant to this video writeup: https://www.youtube.com/watch?v=H1TVk3HhL9E
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!--!> <h1 value="--><a href="javascript:alert(document.domain)">link |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "io/ioutil" | |
| "log" | |
| "strings" | |
| "golang.org/x/net/html" | |
| ) | |
| func readHtmlFromFile(fileName string) (string, error) { | |
| bs, err := ioutil.ReadFile(fileName) | |
| if err != nil { | |
| return "", err | |
| } | |
| return string(bs), nil | |
| } | |
| func is_allowed_html(text string) bool { | |
| tkn := html.NewTokenizer(strings.NewReader(text)) | |
| for { | |
| tt := tkn.Next() | |
| switch { | |
| case tt == html.ErrorToken: | |
| return true | |
| case tt == html.StartTagToken: | |
| t := tkn.Token() | |
| if t.Data == "h1" { | |
| continue | |
| } else { | |
| return false | |
| } | |
| } | |
| } | |
| } | |
| func main() { | |
| fileName := "index.html" | |
| text, err := readHtmlFromFile(fileName) | |
| if err != nil { | |
| log.Fatal(err) | |
| } | |
| valid := is_allowed_html(text) | |
| fmt.Println(valid) | |
| // html is safe, we can proceed | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment