Merge pull request #4 from Josgu/main

yangyin5127 · web-flow · commit 341da793c283 · 2025-03-21T16:06:08.000+08:00
fix: 防止获取标签属性panic
diff --git a/xss.go b/xss.go
@@ -62,6 +62,7 @@ type AttrResult struct {
 	Closing bool
 }
 
+// GetAttrs 获取标签属性
 func GetAttrs(html string) AttrResult {
 	i := spaceIndex(html)
 	if i == -1 {
@@ -72,7 +73,10 @@ func GetAttrs(html string) AttrResult {
 	}
 	html = strings.TrimSpace(html[i+1 : len(html)-1])
 
-	isClosing := html[len(html)-1] == '/'
+	var isClosing = false
+	if len(html) > 0 {
+		isClosing = html[len(html)-1] == '/'
+	}
 
 	if isClosing {
 		html = strings.TrimSpace(html[0 : len(html)-1])
diff --git a/xss_test.go b/xss_test.go
@@ -1329,6 +1329,17 @@ func TestOnIgnoreTagAttr(t *testing.T) {
 	}
 }
 
+// TestOnIgnoreWhiteListTagNullAttr 测试忽略tag 空属性
+func TestOnIgnoreWhiteListTagNullAttr(t *testing.T) {
+	source := "<a    >bb</a>"
+
+	html := FilterXSS(source, XssOption{WhiteList: GetDefaultWhiteList()})
+
+	if html != "<a>bb</a>" {
+		t.Errorf("TestOnIgnoreWhiteListTagNullAttr error")
+	}
+}
+
 func TestOnIgnoreTagAttrWithReturn(t *testing.T) {
 	source := "<a href=\"#\" target=\"_blank\" checked data-a=\"b\">hi</a href=\"d\">"
 
