Regression of #56 - strings.ToLower allows input of SCRIPT tag

[grafana-dee]

Reported by @Ry0taK at 2021-03-27T01:00

I'm a security researcher who has been fuzzing famous XSS sanitizers.

While fuzzing the sanitizers, my fuzzer triggered an alert that shows bluemonday is vulnerable to bypass.
After some checks, I confirmed that this is a vulnerability, so I'm reporting it here.

While checking the issues on the bluemonday repository, I realized that this is the same issue as #56 (Which must be resolved already as it's closed.)
As there is no doubt this vulnerability occurred again in somewhere of previous commits, I decided to find it.
And it was a commit that added vulnerable code again: 876b478#diff-c62e8d687f2dd220893e9990667b682f3261099565c254e3d236178f07729920
(It's now moved to here:

bluemonday/sanitize.go

Line 232 in 22ed312

mostRecentlyStartedToken = strings.ToLower(token.Data)

)

To reproduce this, please use the following steps:

1. Download the attached bluemonday.zip
2. Extract it.
3. Run test.go: "go run test.go"
4. Sanitization bypass will be shown.

If you are going to fix this issue, please let me know. I can assign CVE to notify this issue to users.

Best regards,
RyotaK

bluemonkey.zip