Instantiating regex is expensive. Should always keep it global for speed. This PR improves performance over 2x times.

Original speed:

BenchmarkPath              10000        106790 ns/op
BenchmarkName              20000         62479 ns/op
BenchmarkHTMLAllowed        2000       1149116 ns/op

Improvements in this pull request:

BenchmarkPath              30000         51607 ns/op
BenchmarkName             100000         23429 ns/op
BenchmarkHTMLAllowed        3000        501696 ns/op

Benchmarked on Go1.4.1

Mailto links have the form <a href="mailto:[email protected]">...</a> with no // after the colon. This removes the // from the expression to make mailto: href attributes work correctly.

Path function is dealing correctly with this vector "http://localhost:8080/?file=..\etc/passwd" but when you use "http://localhost:8080/?file=../etc/passwd" the result path will be "/etc/passwd"

I have encountered a strange quote character in a recipe I was trying to crawl. I though you might be interested in adding it to your sanitizing list.

As stated in PR https://github.com/kennygrant/sanitize/pull/22, sanitize package function was missing of Accents()-like function to transform strings to their umlauts variant. That PR has been merged, but was misinterpreting the way - I personally think - Accents() function was thought. This commit should make some clarifications about their real distinction.

<span style="color:#999;font-size:8px;">
        <script type="text/javascript">
            //something
        </script>
</span>

how to remove all of <script>...</script>?

Go code:

package main

import (
    "fmt"

    "github.com/kennygrant/sanitize"
)

func main() {
    content := `<p>LINE 1<br />
LINE 2<br />
LINE 3</p>`
    fmt.Println(sanitize.HTML(content))
}

Will provide:

LINE 1LINE 2LINE 3

New lines are missing. I can fix this by myself, but want to be sure if you'll merge my PR as latest commit is 1 year old.

just tweaking documentation to match GoLang's RFC specs for commenting:

http://blog.golang.org/godoc-documenting-go-code

FYI, I also use Dave Cheney's godoc2md package for documenting my projects:

https://github.com/davecheney/godoc2md

You can see an example of how it outputs on another project I work on:

https://github.com/eduncan911/es ^- i did not create this README.md, the godoc2md did from my code's documentation.

It's nice as you can change your "Usage:" comments to actually give example code, and it shows up as examples.

If I'm not mistaken, the html package has moved a few weeks ago to https://godoc.org/golang.org/x/net/html

This causes an error on one of my application's build step, so I'd be glad if you could consider to update the dependency path. I tested my repo after making the changes and it passed.

The list of accents there is more complete, and will give a better translation.

Path to file: https://github.com/beastaugh/urlify/blob/master/lib/urlify/accents.rb

package main

import (
	"fmt"

	"github.com/kennygrant/sanitize"
)

func main() {
	input1 := `<iframe></iframe><script>alert('uh oh');</script><p>hello</p>`
	input2 := `<iframe /><script>alert('uh oh');</script><p>hello</p>`

	allowedTags := []string{"p"}

	output1, _ := sanitize.HTMLAllowing(input1, allowedTags)
	fmt.Println(output1) // <p>hello</p>

	output2, _ := sanitize.HTMLAllowing(input2, allowedTags)
	fmt.Println(output2) // &lt;script&gt;alert(&#39;uh oh&#39;);&lt;/script&gt;&lt;p&gt;hello&lt;/p&gt;
}

This has the makings of a great sanitization library but right now it appears to have some vulnerabilities, based on a quick read-through of the clear and well-written code.

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md

To quote the first cheatsheet: Even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.

It might be useful to develop a test suite based on this: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

For example, escaping only <> isn't enough. OWASP used to have a list (as follows), but now even this isn't sufficient.

&  -> &
< -> &lt;
> -> &gt;
" -> &quot;
' -> &#x27;
/ -> &#x2F;
\n ->  <br>

Also have a look at how https://github.com/microcosm-cc/bluemonday does it.

This is another OWASP cheat sheet that might be valuable:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md