TDvorak/MyClub
1
0
Fork 0
mirror of https://github.com/Dvorinka/MyClubServer.git synced 2026-06-03 18:22:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
12cba639b9c49d42ad4f9ceb08bc66ea7dc9bbc2
MyClub/pkg/utils/sanitize.go
T
Tomáš Dvořák 12cba639b9 upload
2025-10-16 13:32:05 +02:00

83 lines
2.5 KiB
Go
Raw Blame History

package utils
import (
"regexp"
"strings"
)
// SanitizeHTML removes potentially dangerous HTML tags and attributes
// This is a basic implementation. For production, consider using bluemonday library
func SanitizeHTML(html string) string {
// Remove script tags and content
reScript := regexp.MustCompile(`(?i)<script[^>]*>.*?</script>`)
html = reScript.ReplaceAllString(html, "")
// Remove inline event handlers (onclick, onerror, etc.)
reEvents := regexp.MustCompile(`(?i)\s*on\w+\s*=\s*["'][^"']*["']`)
html = reEvents.ReplaceAllString(html, "")
// Remove javascript: URLs
reJSURL := regexp.MustCompile(`(?i)javascript:`)
html = reJSURL.ReplaceAllString(html, "")
// Remove iframe tags (can be optionally allowed if needed)
reIframe := regexp.MustCompile(`(?i)<iframe[^>]*>.*?</iframe>`)
html = reIframe.ReplaceAllString(html, "")
// Remove object/embed tags
reObject := regexp.MustCompile(`(?i)<(object|embed)[^>]*>.*?</\1>`)
html = reObject.ReplaceAllString(html, "")
// Remove style tags (if CSS injection is a concern)
// Uncomment if you want to remove inline styles
// reStyle := regexp.MustCompile(`(?i)<style[^>]*>.*?</style>`)
// html = reStyle.ReplaceAllString(html, "")
return strings.TrimSpace(html)
}
// SanitizeString removes HTML tags entirely and returns plain text
func SanitizeString(input string) string {
// Remove all HTML tags
reHTML := regexp.MustCompile(`<[^>]*>`)
text := reHTML.ReplaceAllString(input, " ")
// Normalize whitespace
text = strings.Join(strings.Fields(text), " ")
return strings.TrimSpace(text)
}
// ValidateURL checks if a URL is safe (http/https only)
func ValidateURL(url string) bool {
if url == "" {
return true
}
lower := strings.ToLower(strings.TrimSpace(url))
return strings.HasPrefix(lower, "http://") || strings.HasPrefix(lower, "https://") || strings.HasPrefix(lower, "/")
}
// SanitizeFilename removes dangerous characters from filenames
func SanitizeFilename(filename string) string {
// Remove path traversal attempts
filename = strings.ReplaceAll(filename, "..", "")
filename = strings.ReplaceAll(filename, "/", "")
filename = strings.ReplaceAll(filename, "\\", "")
// Allow only safe characters
re := regexp.MustCompile(`[^a-zA-Z0-9._-]`)
filename = re.ReplaceAllString(filename, "_")
// Limit length
if len(filename) > 200 {
filename = filename[:200]
}
return filename
}
// RemoveNullBytes removes null bytes that can cause issues
func RemoveNullBytes(s string) string {
return strings.ReplaceAll(s, "\x00", "")
}
Reference in New Issue View Git Blame Copy Permalink