Sanitization not applied recursively

[bkimminich]

Sanitization is not applied recursively, leading to a vulnerability to certain masking attacks. Example:

I am not harmless: <<img src="csrf-attack"/>img src="csrf-attack"/> is sanitized to I am not harmless: <img src="csrf-attack"/>

Mitigation: Run sanitization recursively until the input html matches the output html.

[boutell]

Well, crappity. This appears to be a bug upstream in htmlparser2:

fb55/htmlparser2#105

I will examine whether I can solve it with recursion without busting the rest of my test suite. That will be slow of course, but necessary for now.

[boutell]

I published a fix based on recursion and opened an issue to get this fixed upstream.

Thanks!

[boutell]

This issue has been resolved better through the use of the decodeEntities: true option of htmlparser2. Recursive invocation is no longer required to pass the test suite.