Merge pull request #30 from M4tteoP/fix_isBlackAttr

fix: attr with multiple nulls

xss_helpers.go

@@ -13,14 +13,14 @@ func isBlackTag(s string) bool {
 		return false
 	}
 
-	upperS := strings.ToUpper(strings.ReplaceAll(s, "\x00", ""))
+	sUpperWithoutNulls := strings.ToUpper(strings.ReplaceAll(s, "\x00", ""))
 	for i := 0; i < len(blackTags); i++ {
-		if upperS == blackTags[i] {
+		if sUpperWithoutNulls == blackTags[i] {
 			return true
 		}
 	}
 
-	switch upperS {
+	switch sUpperWithoutNulls {
 	// anything SVG or XSL(t) related
 	case "SVT", "XSL":
 		return true
@@ -30,12 +30,12 @@ func isBlackTag(s string) bool {
 }
 
 func isBlackAttr(s string) int {
-	length := len(s)
+	sUpperWithoutNulls := strings.ToUpper(strings.ReplaceAll(s, "\x00", ""))
+
+	length := len(sUpperWithoutNulls)
 	if length < 2 {
 		return attributeTypeNone
 	}
-
-	sUpperWithoutNulls := strings.ToUpper(strings.ReplaceAll(s, "\x00", ""))
 	if length >= 5 {
 		if sUpperWithoutNulls == "XMLNS" || sUpperWithoutNulls == "XLINK" {
 			// got xmlns or xlink tags

xss_helpers_test.go

@@ -0,0 +1,47 @@
+package libinjection
+
+import (
+	"testing"
+)
+
+func TestIsBlackAttr(t *testing.T) {
+	tests := []struct {
+		name string
+		attr string
+		want int
+	}{
+		{
+			name: "Test with black attribute",
+			attr: "xmlns",
+			want: attributeTypeBlack,
+		},
+		{
+			name: "Test with non-black attribute",
+			attr: "class",
+			want: attributeTypeNone,
+		},
+		{
+			name: "Test with JavaScript event handler",
+			attr: "onclick",
+			want: attributeTypeBlack,
+		},
+		{
+			name: "Test with short attribute",
+			attr: "a",
+			want: attributeTypeNone,
+		},
+		{
+			name: "Test with long null attribute that will be stripped",
+			attr: "a\x00\x00\x00\x00\x00",
+			want: attributeTypeNone,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := isBlackAttr(tt.attr); got != tt.want {
+				t.Errorf("isBlackAttr() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}