From f499f7daaecb9cd82e26c0b54460992743acbe0d Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Thu, 28 Nov 2024 13:39:25 +0100 Subject: [PATCH 01/10] Initial draft. --- lists.txt | 937 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 937 insertions(+) create mode 100644 lists.txt diff --git a/lists.txt b/lists.txt new file mode 100644 index 0000000..482967b --- /dev/null +++ b/lists.txt 
@@ -0,0 +1,937 @@ +# Elements & attributes # + +This "mostly free-form" document lists elements + attributes in HTML (and +referenced standards, SVG + MathML), and assigns them to one of several groups: + +- other +- script-ish +- frames +- legacy +- harmless + +# Elements # + +## Script-ish ## + +script +name: script, namespace: http://www.w3.org/2000/svg + +## Frames ## + +iframe +frame +frameset +noframes + +## Legacy ## + +applet +object +embed +noembed +layer +nolayer + +## Harmless ## + +b +div +h1 +h2 +h3 +h4 +h5 +h6 +i +p +span +a +abbr +acronym +address +area +article +aside +audio +bdi +bdo +big +blockquote +body +br +button +canvas +caption +center +cite +code +col +colgroup +data +datalist +dd +del +details +dfn +dir +dialog +dl +dt +em +fieldset +figcaption +figure +font +footer +form +head +header +hgroup +hr +html +img +input +ins +kbd +label +legend +li +link +listing +main +map +mark +marquee +menu +meter +nav +nobr +noscript +ol +optgroup +option +output +picture +pre +progress +q +rp +rt +ruby +s +samp +search +section +select +slot +small +source +strike +strong +style +sub +summary +sup +table +tbody +td +template +textarea +tfoot +th +thead +time +title +tr +track +tt +u +ul +var +video +wbr +name: a, namespace: http://www.w3.org/2000/svg +name: circle, namespace: http://www.w3.org/2000/svg +name: clipPath, namespace: http://www.w3.org/2000/svg +name: defs, namespace: http://www.w3.org/2000/svg +name: desc, namespace: http://www.w3.org/2000/svg +name: ellipse, namespace: http://www.w3.org/2000/svg +name: feBlend, namespace: http://www.w3.org/2000/svg +name: feColorMatrix, namespace: http://www.w3.org/2000/svg +name: feComponentTransfer, namespace: http://www.w3.org/2000/svg +name: feComposite, namespace: http://www.w3.org/2000/svg +name: feConvolveMatrix, namespace: http://www.w3.org/2000/svg +name: feDiffuseLighting, namespace: http://www.w3.org/2000/svg +name: feDisplacementMap, namespace: http://www.w3.org/2000/svg +name: feDistantLight, 
namespace: http://www.w3.org/2000/svg +name: feFlood, namespace: http://www.w3.org/2000/svg +name: feFuncA, namespace: http://www.w3.org/2000/svg +name: feFuncB, namespace: http://www.w3.org/2000/svg +name: feFuncG, namespace: http://www.w3.org/2000/svg +name: feFuncR, namespace: http://www.w3.org/2000/svg +name: feGaussianBlur, namespace: http://www.w3.org/2000/svg +name: feImage, namespace: http://www.w3.org/2000/svg +name: feMerge, namespace: http://www.w3.org/2000/svg +name: feMergeNode, namespace: http://www.w3.org/2000/svg +name: feMorphology, namespace: http://www.w3.org/2000/svg +name: feOffset, namespace: http://www.w3.org/2000/svg +name: fePointLight, namespace: http://www.w3.org/2000/svg +name: feSpecularLighting, namespace: http://www.w3.org/2000/svg +name: feSpotLight, namespace: http://www.w3.org/2000/svg +name: feTile, namespace: http://www.w3.org/2000/svg +name: feTurbulence, namespace: http://www.w3.org/2000/svg +name: filter, namespace: http://www.w3.org/2000/svg +name: g, namespace: http://www.w3.org/2000/svg +name: image, namespace: http://www.w3.org/2000/svg +name: line, namespace: http://www.w3.org/2000/svg +name: linearGradient, namespace: http://www.w3.org/2000/svg +name: marker, namespace: http://www.w3.org/2000/svg +name: mask, namespace: http://www.w3.org/2000/svg +name: metadata, namespace: http://www.w3.org/2000/svg +name: mpath, namespace: http://www.w3.org/2000/svg +name: path, namespace: http://www.w3.org/2000/svg +name: pattern, namespace: http://www.w3.org/2000/svg +name: polygon, namespace: http://www.w3.org/2000/svg +name: polyline, namespace: http://www.w3.org/2000/svg +name: radialGradient, namespace: http://www.w3.org/2000/svg +name: rect, namespace: http://www.w3.org/2000/svg +name: stop, namespace: http://www.w3.org/2000/svg +name: svg, namespace: http://www.w3.org/2000/svg +name: switch, namespace: http://www.w3.org/2000/svg +name: symbol, namespace: http://www.w3.org/2000/svg +name: text, namespace: 
http://www.w3.org/2000/svg +name: textPath, namespace: http://www.w3.org/2000/svg +name: title, namespace: http://www.w3.org/2000/svg +name: tspan, namespace: http://www.w3.org/2000/svg +name: view, namespace: http://www.w3.org/2000/svg +name: math, "namespace": "http://www.w3.org/1998/Math/MathML", +name: menclose, namespace: http://www.w3.org/1998/Math/MathML +name: merror, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mfenced, namespace: http://www.w3.org/1998/Math/MathML +name: mfrac, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mglyph, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mmultiscripts, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mi, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mn, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mo "namespace": "http://www.w3.org/1998/Math/MathML", +name: mpadded "namespace": "http://www.w3.org/1998/Math/MathML", +name: mphantom, namespace: http://www.w3.org/1998/Math/MathML +name: mroot, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mrow, namespace: http://www.w3.org/1998/Math/MathML +name: ms, namespace: http://www.w3.org/1998/Math/MathML +name: mspace, namespace: http://www.w3.org/1998/Math/MathML +name: msqrt, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mstyle, namespace: http://www.w3.org/1998/Math/MathML +name: msub, "namespace": "http://www.w3.org/1998/Math/MathML", +name: msup, "namespace": "http://www.w3.org/1998/Math/MathML", +name: msubsup, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mtable, namespace: http://www.w3.org/1998/Math/MathML +name: mtd, namespace: http://www.w3.org/1998/Math/MathML +name: mtr, namespace: http://www.w3.org/1998/Math/MathML +name: mtext, namespace: http://www.w3.org/1998/Math/MathML +name: mover, namespace: http://www.w3.org/1998/Math/MathML +name: munder, namespace: http://www.w3.org/1998/Math/MathML +name: munderover, namespace: http://www.w3.org/1998/Math/MathML + 
+## Other ## + +base +basefont +bgsound +command +fencedframe +image +keygen +meta +param +permission +plaintext +rb +rtc +selectedcontent +xmp +name: annotation, "namespace": "http://www.w3.org/1998/Math/MathML", +name: annotation-xml, "namespace": "http://www.w3.org/1998/Math/MathML", +name: maction, "namespace": "http://www.w3.org/1998/Math/MathML", +name: malignmark, "namespace": "http://www.w3.org/1998/Math/MathML", +name: mprescripts, "namespace": "http://www.w3.org/1998/Math/MathML", +name: semantics, namespace: http://www.w3.org/1998/Math/MathML +name: none, namespace: http://www.w3.org/1998/Math/MathML +name: animate, namespace: http://www.w3.org/2000/svg +name: animateColor, namespace: http://www.w3.org/2000/svg +name: animateMotion, namespace: http://www.w3.org/2000/svg +name: animateTransform, namespace: http://www.w3.org/2000/svg +name: set, namespace: http://www.w3.org/2000/svg +name: feDropShadow, namespace: http://www.w3.org/2000/svg +name: foreignObject, namespace: http://www.w3.org/2000/svg +name: style, namespace: http://www.w3.org/2000/svg +name: use, namespace: http://www.w3.org/2000/svg +name: font, namespace: http://www.w3.org/2000/svg +name: tref, namespace: http://www.w3.org/2000/svg +name: glyph, namespace: http://www.w3.org/2000/svg +name: glyphRef, namespace: http://www.w3.org/2000/svg + +# Attributes # + +## Script-ish ## + +onabort +onafterprint +onanimationstart +onanimationiteration +onanimationend +onauxclick +onbeforecopy +onbeforecut +onbeforeinput +onbeforepaste +onbeforeprint +onbeforetoggle +onbeforeunload +onblur +oncancel +oncanplay +oncanplaythrough +onchange +onclick +onclose +oncontentvisibilityautostatechange +oncontextlost +oncontextmenu +oncontextrestored +oncopy +oncuechange +oncut +ondblclick +ondismiss +ondrag +ondragend +ondragenter +ondragleave +ondragover +ondragstart +ondrop +ondurationchange +onemptied +onended +onerror +onfocus +onfocusin +onfocusout +onformdata +ongotpointercapture +onhashchange +oninput 
+oninvalid +onkeydown +onkeypress +onkeyup +onlanguagechange +onload +onloadeddata +onloadedmetadata +onloadstart +onlostpointercapture +onmessage +onmessageerror +onmousedown +onmouseenter +onmouseleave +onmousemove +onmouseout +onmouseover +onmouseup +onmousewheel +onmove +ononline +onoffline +onorientationchange +onoverscroll +onpagehide +onpageshow +onpaste +onpause +onplay +onplaying +onpointercancel +onpointerdown +onpointerenter +onpointerleave +onpointermove +onpointerout +onpointerover +onpointerrawupdate +onpointerup +onpopstate +onprogress +onratechange +onreset +onresize +onresolve +onscroll +onscrollend +onsearch +onsecuritypolicyviolation +onseeked +onseeking +onselect +onselectstart +onselectionchange +onshow +onslotchange +onscrollsnapchange +onscrollsnapchanging +onstalled +onstorage +onsuspend +onsubmit +ontimeupdate +ontimezonechange +ontoggle +ontouchstart +ontouchmove +ontouchend +ontouchcancel +ontransitionend +onunload +onvalidationstatuschange +onvolumechange +onwaiting +onwebkitanimationstart +onwebkitanimationiteration +onwebkitanimationend +onwebkitfullscreenchange +onwebkitfullscreenerror +onwebkittransitionend +onwheel + +## Other ## + +aria-actions +aria-activedescendant +aria-atomic +aria-autocomplete +aria-braillelabel +aria-brailleroledescription +aria-busy +aria-checked +aria-colcount +aria-colindex +aria-colindextext +aria-colspan +aria-controls +aria-current +aria-describedby +aria-description +aria-details +aria-disabled +aria-errormessage +aria-expanded +aria-flowto +aria-haspopup +aria-hidden +aria-invalid +aria-keyshortcuts +aria-label +aria-labelledby +aria-labeledby +aria-level +aria-live +aria-modal +aria-multiline +aria-multiselectable +aria-orientation +aria-owns +aria-placeholder +aria-posinset +aria-pressed +aria-readonly +aria-relevant +aria-required +aria-roledescription +aria-rowcount +aria-rowindex +aria-rowindextext +aria-rowspan +aria-selected +aria-setsize +aria-sort +aria-valuemax +aria-valuemin +aria-valuenow 
+aria-valuetext +aria-virtualcontent +abbr +accept-charset +accept +accesskey +action +adauctionheaders +align +alink +allow +allowfullscreen +allowpaymentrequest +alt +anchor +archive +as +async +attributionsrc +autocapitalize +autocomplete +autocorrect +autofocus +autoplay +axis +background +behavior +bgcolor +blocking +border +bordercolor +browsingtopics +capture +cellpadding +cellspacing +char +challenge +charoff +charset +checked +cite +class +classid +clear +closedby +code +codebase +codetype +color +cols +colspan +command +commandfor +compact +content +contenteditable +controls +controlslist +coords +credentialless +crossorigin +csp +data +data-src +datetime +declare +decoding +default +defer +delegatesfocus +dir +direction +dirname +disabled +disablepictureinpicture +disableremoteplayback +download +draggable +elementtiming +enctype +end +enterkeyhint +event +exportparts +face +fetchpriority +focusgroup +for +form +formaction +formenctype +formmethod +formnovalidate +formtarget +frame +frameborder +headers +height +hidden +high +href +hreflang +hreftranslate +hspace +http-equiv +id +imagesizes +imagesrcset +incremental +inert +inputmode +integrity +interestaction +interesttarget +is +ismap +itemprop +keytype +kind +invisible +label +lang +language +latencyhint +leftmargin +link +list +loading +longdesc +loop +low +lowsrc +manifest +marginheight +marginwidth +max +maxlength +mayscript +media +method +min +minlength +multiple +muted +name +nohref +nomodule +nonce +noresize +noshade +novalidate +nowrap +object +open +optimum +parseparts +part +pattern +placeholder +playsinline +ping +policy +popover +popovertarget +popovertargetaction +poster +preload +property +pseudo +readonly +referrerpolicy +rel +required +rev +reversed +role +rows +rowspan +rules +sandbox +scheme +scope +scrollamount +scrolldelay +scrolling +select +selected +selectedcontentelement +shadowroot +shadowrootmode +shadowrootclonable +shadowrootdelegatesfocus +shadowrootreferencetarget 
+shadowrootserializable +shape +sharedstoragewritable +size +sizes +slot +span +spellcheck +src +srcset +srcdoc +srclang +standby +start +step +style +summary +tabindex +target +text +title +topmargin +translate +truespeed +preciselocation +privatetoken +type +usemap +valign +value +valuetype +version +vlink +vspace +virtualkeyboardpolicy +webkitdirectory +width +wrap +writingsuggestions +accent +accentunder +columnspan +definitionURL +depth +display +displaystyle +encoding +form +height +largeop +linethickness +lspace +mathbackground +mathcolor +mathsize +mathvariant +maxsize +minsize +movablelimits +rowspan +rspace +scriptlevel +stretchy +symmetric +voffset +width +accumulate +additive +alignment-baseline +amplitude +animate +attributeName +attributeType +autofocus +azimuth +baseFrequency +baseline-shift +baseProfile +begin +bias +buffered-rendering +by +calcMode +clip +clip-path +clip-rule +clipPathUnits +color +color-interpolation +color-interpolation-filters +color-rendering +crossorigin +cursor +cx +cy +d +decoding +diffuseConstant +direction +display +divisor +dominant-baseline +dur +dx +dy +edgeMode +elevation +end +exponent +fill +fill-opacity +fill-rule +filter +filterUnits +flood-color +flood-opacity +focusgroup +font-family +font-size +font-size-adjust +font-stretch +font-style +font-variant +font-weight +format +from +fx +fy +fr +g1 +g2 +glyphRef +gradientTransform +gradientUnits +height +href +image-rendering +in +in2 +intercept +interestaction +interesttarget +k +k1 +k2 +k3 +k4 +kernelMatrix +kernelUnitLength +keyPoints +keySplines +keyTimes +lang +lengthAdjust +letter-spacing +lighting-color +limitingConeAngle +local +marker-end +marker-mid +marker-start +markerHeight +markerUnits +markerWidth +mask +mask-type +maskContentUnits +maskUnits +max +media +method +min +mode +name +numOctaves +offset +onactivate +onbegin +onend +onfocusin +onfocusout +onrepeat +opacity +operator +order +orient +origin +overflow +paint-order +path +pathLength 
+patternContentUnits +patternTransform +patternUnits +pointer-events +points +pointsAtX +pointsAtY +pointsAtZ +preserveAlpha +preserveAspectRatio +primitiveUnits +r +radius +refX +refY +repeatCount +repeatDur +requiredExtensions +requiredFeatures +restart +result +rotate +rx +ry +scale +seed +shape-rendering +slope +spacing +specularConstant +specularExponent +spreadMethod +startOffset +stdDeviation +stitchTiles +stop-color +stop-opacity +stroke +stroke-dasharray +stroke-dashoffset +stroke-linecap +stroke-linejoin +stroke-miterlimit +stroke-opacity +stroke-width +style +surfaceScale +systemLanguage +tableValues +target +targetX +targetY +text-anchor +text-decoration +text-rendering +textLength +title +to +transform +transform-origin +type +u1 +u2 +unicode-bidi +values +vector-effect +version +viewBox +visibility +width +word-spacing +writing-mode +x +x1 +x2 +xChannelSelector +y +y1 +y2 +yChannelSelector +z +zoomAndPan +name: "actuate", "namespace": "http://www.w3.org/1999/xlink", +name: "arcrole", "namespace": "http://www.w3.org/1999/xlink", +name: "href", "namespace": "http://www.w3.org/1999/xlink", +name: role, "namespace": "http://www.w3.org/1999/xlink", +name: show, "namespace": "http://www.w3.org/1999/xlink", +name: title, "namespace": "http://www.w3.org/1999/xlink", +name: type, "namespace": "http://www.w3.org/1999/xlink", +name: lang, "namespace": "http://www.w3.org/XML/1998/namespace", +name: space, "namespace": "http://www.w3.org/XML/1998/namespace", +name: xmlns, "namespace": "http://www.w3.org/2000/xmlns/", From 4ff9fd54d7211f33e0a435fabb9f22fa26e78c3a Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Thu, 12 Dec 2024 16:55:27 +0100 Subject: [PATCH 02/10] Add attributes --- lists.txt | 471 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 367 insertions(+), 104 deletions(-) diff --git a/lists.txt b/lists.txt index 482967b..0597eea 100644 --- a/lists.txt +++ b/lists.txt 
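Review bot: The "Harmless" element group mixes purely presentational tags (`b`, `span`, `h1`) with elements whose safety depends on their attributes or content rather than on the tag name: `a`, `form`, `input`, `button`, `link`, `style`, `template`, `noscript`, and SVG `a`, `image` and `feImage`. The document never states what "harmless" means. I would add a sentence to the introduction such as `harmless = does not execute script by tag name alone; URL- and CSS-bearing attributes are judged separately`, so that a later consumer of the list does not read it as "safe with any attribute". Separately, the MathML rows switch between `namespace: …` and `"namespace": "…",`, and the `mo` and `mpadded` rows drop the comma after the name, which will break any line-based parser written against this file.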
@@ -14,6 +14,7 @@ referenced standards, SVG + MathML), and assigns them to one of several groups: ## Script-ish ## script +noscript name: script, namespace: http://www.w3.org/2000/svg ## Frames ## 
@@ -23,133 +24,395 @@ frame frameset noframes -## Legacy ## +## Non-Conforming features https://html.spec.whatwg.org/#non-conforming-features ## applet +acronym +bgsound +keygen object embed noembed +param +plaintext +rb +rtc +basefont +big +center +nobr +marquee +strike +tt +font +dir +listing +xmp + +### Probably should be non-conforming feature ### + layer nolayer + ## Harmless ## -b -div +### Document element: https://html.spec.whatwg.org/#the-root-element ### + +html + +### Document metadata: https://html.spec.whatwg.org/#document-metadata ### + +head +title +link +- href +- crossorigin +- rel +- media +- integrity +- hreflang +- type +- referrerpolicy +- sizes +- imagesrcset +- imagesizes +- as +- blocking +- color +- disabled +- fetchpriority +- title // Is global, but has special semantics +style +- media +- blocking +- title // Is global, but has special semantics. + +### Sections: https://html.spec.whatwg.org/#sections ### + +body +- lots of on**** +article +section +nav +aside h1 h2 h3 h4 h5 h6 -i +hgroup +header +footer +address + +### Grouping Content: https://html.spec.whatwg.org/#grouping-content ### + p -span +hr +pre +blockquote +- cite +ol +- reversed +- start +- type +ul +menu +li +- value +dl +dt +dd +figure +figcaption +main +search +div + +### Text-level Semantics: https://html.spec.whatwg.org/#text-level-semantics ### + a +- href +- target +- download +- ping +- rel +- hreflang +- type +- referrerpolicy +em +strong +small +s +cite +q +dfn +- title // Is global, but has special semantics here. abbr -acronym -address -area -article -aside -audio +- title // Is global, but has special semantics here. +ruby +rt +rp +data +- value +time +- datetime +code +var +samp +kbd +sub +sup +i +b +u +mark bdi +- dir // Is global, but has special semantics here. bdo -big -blockquote -body +- dir // Is global, but has special semantics here. 
+span br -button -canvas +wbr + +### Links: https://html.spec.whatwg.org/#links ### + +### Edits: https://html.spec.whatwg.org/#edits ### + +ins +- cite +- datetime +del +- cite +- datetime + +### Embedded content: https://html.spec.whatwg.org/#embedded-content ### + +picture +source +- type +- media +- src +- srcset +- sizes +- width +- height +img +- alt +- src +- srcset +- sizes +- crossorigin +- usemap +- ismap +- width +- height +- referrerpolicy +- decoding +- loading +- fetchpriority +video +- src +- crossorigin +- poster +- preload +- autoplay +- playsinline +- loop +- muted +- controls +- width +- height +audio +- src +- crossorigin +- preload +- autoplay +- loop +- muted +- controls +track +- kind +- src +- srclang +- label +- default +map +- name +area +- alt +- coords +- shape +- href +- target +- download +- ping +- rel +- referrerpolicy + +### Tabular Data https://html.spec.whatwg.org/#tables ### + +table caption -center -cite -code -col colgroup -data -datalist -dd -del -details -dfn -dir -dialog -dl -dt -em -fieldset -figcaption -figure -font -footer +- span +col +- span +tbody +thead +tfoot +tr +td +- colspan +- rowspan +- headers +th +- colspan +- rowspan +- headers +- scope +- abbr + +### Forms https://html.spec.whatwg.org/#forms ### + form -head -header -hgroup -hr -html -img -input -ins -kbd +- accept-charset +- action +- autocomplete +- enctype +- method +- name +- novalidate +- target +- rel label -legend -li -link -listing -main -map -mark -marquee -menu -meter -nav -nobr -noscript -ol +- for +input +- accept +- alpha +- alt +- autocomplete +- checked +- colorspace +- dirname +- disabled +- form +- formaction +- formenctype +- formmethod +- formnovalidate +- formtarget +- height +- list +- max +- maxlength +- min +- minlength +- multiple +- name +- pattern +- placeholder +- popovertarget +- popovertargetaction +- readonly +- required +- size +- src +- step +- type +- value +- width +- title // Is global, but has special semantics here. 
+button +- disabled +- form +- formaction +- formenctype +- formmethod +- formnovalidate +- formtarget +- name +- popovertarget +- popovertagetaction +- type +- value +select +- autocomplete +- disabled +- form +- multiple +- name +- required +- size +datalist optgroup +- disabled +- label option +- disabled +- label +- selected +- value +textarea +- autocomplete +- cols +- dirname +- disabled +- form +- maxlength +- minlength +- name +- placeholder +- readonly +- required +- rows +- wrap output -picture -pre +- for +- form +- name progress -q -rp -rt -ruby -s -samp -search -section -select -slot -small -source -strike -strong -style -sub +- value +- max +meter +- value +- min +- max +- low +- high +- optimum +fieldset +- disabled +- form +- name +legend + +### Interactive Elements https://html.spec.whatwg.org/#interactive-elements ### + +details +- name +- open summary -sup -table -tbody -td +dialog +- open + +### Scripting ### + template -textarea -tfoot -th -thead -time -title -tr -track -tt -u -ul -var -video -wbr +- shadowrootmode +- shadowrootdelegatesfocus +- shadowrootclonable +- shadowrootserializable +slot +- name +canvas +- width +- height + +### SVG + MathML ### + name: a, namespace: http://www.w3.org/2000/svg name: circle, namespace: http://www.w3.org/2000/svg name: clipPath, namespace: http://www.w3.org/2000/svg @@ -236,20 +499,20 @@ name: munderover, namespace: http://www.w3.org/1998/Math/MathML ## Other ## base -basefont -bgsound +- href +- target +meta +- name +- http-quiv +- content +- charset +- media + command fencedframe image -keygen -meta -param permission -plaintext -rb -rtc selectedcontent -xmp name: annotation, "namespace": "http://www.w3.org/1998/Math/MathML", name: annotation-xml, "namespace": "http://www.w3.org/1998/Math/MathML", name: maction, "namespace": "http://www.w3.org/1998/Math/MathML", From 94a6ef736be0a33352e206b4c9bcacf12c32ba7b Mon Sep 17 00:00:00 2001 
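Review bot: Two attribute names added here are misspelled: `- popovertagetaction` under `button` should be `- popovertargetaction` (as already written under `input`), and `- http-quiv` under `meta` in the last hunk of this patch (`@@ -236,20 +499,20 @@`) should be `- http-equiv`. If this list is later turned into an allow-list, a misspelled name fails closed for the real attribute, and nothing flags the mistake. The per-element lists under "Harmless" also record only the names of URL-valued attributes (`href`, `action`, `formaction`, `ping`, `src`, `poster`). Whether those are safe depends on a value or scheme check that is not visible in this file, so a one-line note saying where that check lives would help.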
From: Daniel Vogelheim Date: Fri, 13 Dec 2024 15:29:43 +0100 Subject: [PATCH 03/10] Rework attributes. More standards references. --- lists.txt | 311 ++++++++++++++++++++++-------------------------------- 1 file changed, 128 insertions(+), 183 deletions(-) diff --git a/lists.txt b/lists.txt index 0597eea..3d67307 100644 --- a/lists.txt +++ b/lists.txt @@ -6,7 +6,7 @@ referenced standards, SVG + MathML), and assigns them to one of several groups: - other - script-ish - frames -- legacy +- legacy / non-conforming - harmless # Elements # @@ -23,6 +23,7 @@ iframe frame frameset noframes +fencedframe ## Non-Conforming features https://html.spec.whatwg.org/#non-conforming-features ## @@ -91,7 +92,6 @@ style ### Sections: https://html.spec.whatwg.org/#sections ### body -- lots of on**** article section nav @@ -177,8 +177,6 @@ span br wbr -### Links: https://html.spec.whatwg.org/#links ### - ### Edits: https://html.spec.whatwg.org/#edits ### ins @@ -398,7 +396,7 @@ summary dialog - open -### Scripting ### +### Scripting https://html.spec.whatwg.org/#scripting ### template - shadowrootmode @@ -509,7 +507,6 @@ meta - media command -fencedframe image permission selectedcontent @@ -538,19 +535,12 @@ name: glyphRef, namespace: http://www.w3.org/2000/svg ## Script-ish ## -onabort -onafterprint -onanimationstart -onanimationiteration -onanimationend +### Script-ish HTML global attributes https://html.spec.whatwg.org/#global-attributes ### + onauxclick -onbeforecopy -onbeforecut onbeforeinput -onbeforepaste -onbeforeprint +onbeforematch onbeforetoggle -onbeforeunload onblur oncancel oncanplay @@ -558,7 +548,6 @@ oncanplaythrough onchange onclick onclose -oncontentvisibilityautostatechange oncontextlost oncontextmenu oncontextrestored @@ -566,7 +555,6 @@ oncopy oncuechange oncut ondblclick -ondismiss ondrag ondragend ondragenter 
@@ -579,24 +567,16 @@ onemptied onended onerror onfocus -onfocusin -onfocusout onformdata -ongotpointercapture -onhashchange oninput oninvalid onkeydown onkeypress onkeyup -onlanguagechange onload onloadeddata onloadedmetadata onloadstart -onlostpointercapture -onmessage -onmessageerror onmousedown onmouseenter onmouseleave @@ -604,18 +584,84 @@ onmousemove onmouseout onmouseover onmouseup -onmousewheel -onmove -ononline -onoffline -onorientationchange -onoverscroll -onpagehide -onpageshow onpaste onpause onplay onplaying +onprogress +onratechange +onreset +onresize +onscroll +onscrollend +onsecuritypolicyviolation +onseeked +onseeking +onselect +onslotchange +onstalled +onsubmit +onsuspend +ontimeupdate +ontoggle +onvolumechange +onwaiting +onwheel + +### body element https://html.spec.whatwg.org/#the-body-element ### + +onafterprint +onbeforeprint +onbeforeunload +onhashchange +onlanguagechange +onmessage +onmessageerror +onoffline +ononline +onpageswap +onpagehide +onpagereveal +onpageshow +onpopstate +onrejectionhandled +onstorage +onunhandledrejection +onunload + +### +https://html.spec.whatwg.org/#event-handlers-on-elements,-document-objects,-and-window-objects +### + +onwebkitanimationstart +onwebkitanimationiteration +onwebkitanimationend +onwebkittransitionend +onwebkittransitionend +onwebkittransitionend +onreadystatechange +onvisibilitychange + +### other event handlers + +onabort +onanimationstart +onanimationiteration +onanimationend +onbeforecopy +onbeforecut +onbeforepaste +oncontentvisibilityautostatechange +ondismiss +onfocusin +onfocusout +ongotpointercapture +onhashchange +onlostpointercapture +onmousewheel +onmove +onorientationchange +onoverscroll onpointercancel onpointerdown onpointerenter 
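Review bot: In the `@@ -604,18 +584,84 @@` hunk `onwebkittransitionend` is added three times in a row, and `onhashchange` now appears both under the body-element heading and under "other event handlers". Repeated lines in a hand-copied list usually mean a neighbouring name was overwritten by a paste, so this block should be re-checked against the spec section cited above it; which names were intended cannot be told from the hunk. For a list that drives event-handler removal, a missing name costs more than a duplicate. The `### other event handlers` heading is also missing its closing `###`, unlike the other headings in the file.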
@@ -625,79 +671,49 @@ onpointerout onpointerover onpointerrawupdate onpointerup -onpopstate -onprogress -onratechange -onreset -onresize onresolve -onscroll -onscrollend onsearch -onsecuritypolicyviolation -onseeked -onseeking -onselect onselectstart onselectionchange onshow -onslotchange onscrollsnapchange onscrollsnapchanging -onstalled -onstorage -onsuspend -onsubmit -ontimeupdate ontimezonechange -ontoggle ontouchstart ontouchmove ontouchend ontouchcancel ontransitionend -onunload onvalidationstatuschange -onvolumechange -onwaiting -onwebkitanimationstart -onwebkitanimationiteration -onwebkitanimationend onwebkitfullscreenchange onwebkitfullscreenerror -onwebkittransitionend -onwheel -## Other ## +## ARIA https://www.w3.org/TR/wai-aria-1.2/#state_prop_def ## -aria-actions aria-activedescendant aria-atomic aria-autocomplete -aria-braillelabel -aria-brailleroledescription aria-busy aria-checked aria-colcount aria-colindex -aria-colindextext aria-colspan aria-controls aria-current aria-describedby -aria-description aria-details aria-disabled +aria-dropeffect aria-errormessage aria-expanded aria-flowto +aria-grabbed aria-haspopup aria-hidden aria-invalid aria-keyshortcuts aria-label aria-labelledby -aria-labeledby aria-level aria-live aria-modal @@ -714,7 +730,6 @@ aria-required aria-roledescription aria-rowcount aria-rowindex -aria-rowindextext aria-rowspan aria-selected aria-setsize 
@@ -723,34 +738,65 @@ aria-valuemax aria-valuemin aria-valuenow aria-valuetext + +## ARIA 1.3 draft additions https://w3c.github.io/aria/ ### + +aria-braillelabel +aria-brailleroledescription +aria-colindextext +aria-rowindextext + +## ARIA: no idea ## + +aria-actions +aria-labeledby aria-virtualcontent -abbr -accept-charset -accept + +### HTML global attributes ### + accesskey -action +autocapitalize +autocorrect +autofocus +contenteditable +dir +draggable +enterkeyhint +hidden +inert +inputmode +is +itemid +itemprop +itemref +itemscope +itemtype +lang +nonce +popover +spellcheck +style +tabindex +title +translate +writingsuggestions + +## Other ## + adauctionheaders align alink allow allowfullscreen allowpaymentrequest -alt anchor archive -as async attributionsrc -autocapitalize -autocomplete -autocorrect -autofocus -autoplay axis background behavior bgcolor -blocking border bordercolor browsingtopics @@ -761,8 +807,6 @@ char challenge charoff charset -checked -cite class classid clear 
@@ -770,140 +814,66 @@ closedby code codebase codetype -color -cols -colspan command commandfor compact content -contenteditable -controls controlslist coords credentialless -crossorigin csp data data-src -datetime declare -decoding -default defer delegatesfocus -dir direction -dirname -disabled disablepictureinpicture disableremoteplayback -download -draggable elementtiming -enctype end -enterkeyhint event exportparts face -fetchpriority -focusgroup -for -form -formaction -formenctype -formmethod -formnovalidate -formtarget +focusgroupp frame frameborder -headers -height -hidden -high -href -hreflang hreftranslate hspace http-equiv id -imagesizes -imagesrcset incremental -inert -inputmode -integrity interestaction interesttarget -is -ismap itemprop keytype -kind invisible -label -lang language latencyhint leftmargin link -list -loading longdesc -loop -low lowsrc manifest marginheight marginwidth -max -maxlength mayscript -media -method -min -minlength -multiple -muted -name nohref nomodule -nonce noresize noshade -novalidate nowrap -object -open -optimum +objectp parseparts part -pattern -placeholder -playsinline -ping policy -popover -popovertarget -popovertargetaction -poster -preload property pseudo -readonly -referrerpolicy -rel -required rev -reversed role -rows -rowspan rules sandbox scheme -scope scrollamount scrolldelay scrolling @@ -911,49 +881,25 @@ select selected selectedcontentelement shadowroot -shadowrootmode -shadowrootclonable -shadowrootdelegatesfocus shadowrootreferencetarget -shadowrootserializable -shape sharedstoragewritable -size -sizes slot -span -spellcheck -src -srcset srcdoc srclang standby -start -step -style summary -tabindex -target text -title topmargin -translate truespeed preciselocation privatetoken -type -usemap valign -value valuetype version vlink vspace virtualkeyboardpolicy webkitdirectory -width -wrap -writingsuggestions accent accentunder columnspan 
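Review bot: This hunk replaces two valid attribute names with misspelled ones while pruning the "Other" group: `-focusgroup` becomes `+focusgroupp` and `-object` becomes `+objectp`. Both look like stray keystrokes and should read `focusgroup` and `object`. `itemprop` also stays in this group as a context line although the previous hunk (`@@ -723,34 +738,65 @@`) adds it under "HTML global attributes", so it is now classified twice. One group per name keeps the classification unambiguous when the file is consumed by a script.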
@@ -963,7 +909,6 @@ display displaystyle encoding form -height largeop linethickness lspace From c2f6465a0cb79102ca583f4324182b56f527741f Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Fri, 13 Dec 2024 17:33:17 +0100 Subject: [PATCH 04/10] Complete ARIA attributes. --- lists.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lists.txt b/lists.txt index 3d67307..6f868e6 100644 --- a/lists.txt +++ b/lists.txt @@ -738,6 +738,7 @@ aria-valuemax aria-valuemin aria-valuenow aria-valuetext +aria-labeledby // See note "labeledby" in spec. ## ARIA 1.3 draft additions https://w3c.github.io/aria/ ### @@ -746,11 +747,10 @@ aria-brailleroledescription aria-colindextext aria-rowindextext -## ARIA: no idea ## +## ARIA: in development ## -aria-actions -aria-labeledby -aria-virtualcontent +aria-actions // https://github.com/w3c/aria/pull/1805 +aria-virtualcontent // https://github.com/WICG/accessible-loading-and-searching-of-content/blob/main/explainer.md ### HTML global attributes ### From 8ba0ee6ca226e5fda39d6935b5c19d4c3f70344e Mon Sep 17 00:00:00 2001 
From: Daniel Vogelheim Date: Wed, 18 Dec 2024 16:41:04 +0100 Subject: [PATCH 05/10] Review feedback. --- .github/workflows/pr-push.yml | 5 + .gitignore | 1 + builtins/safe-baseline-configuration.json | 147 +++ builtins/safe-default-configuration.py | 42 + builtins/safe-default-configuration.txt | 171 +++ index.bs | 25 +- lists.txt | 1145 ------------------ resources/baseline-attribute-allow-list.json | 213 ---- resources/baseline-element-allow-list.json | 130 -- resources/default-configuration.json | 755 ------------ 10 files changed, 376 insertions(+), 2258 deletions(-) create mode 100644 builtins/safe-baseline-configuration.json create mode 100644 builtins/safe-default-configuration.py create mode 100644 builtins/safe-default-configuration.txt delete mode 100644 lists.txt delete mode 100644 resources/baseline-attribute-allow-list.json delete mode 100644 resources/baseline-element-allow-list.json delete mode 100644 resources/default-configuration.json diff --git a/.github/workflows/pr-push.yml b/.github/workflows/pr-push.yml index a647524..17d81ec 100644 --- a/.github/workflows/pr-push.yml +++ b/.github/workflows/pr-push.yml @@ -9,6 +9,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + - uses: actions/setup-python@v4 + with: + python-version: '3.10' + - name: Generate safe-default-configuration.json + run: python builtins/safe-default-configuration.py --input builtins/safe-default-configuration.txt --out builtins/safe-default-configuration.json - uses: w3c/spec-prod@v2 with: GH_PAGES_BRANCH: gh-pages diff --git a/.gitignore b/.gitignore index 5a11222..6447cea 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /.project /out /*.ninja* +/builtins/safe-default-configuration.json diff --git a/builtins/safe-baseline-configuration.json b/builtins/safe-baseline-configuration.json new file mode 100644 index 0000000..410035f --- /dev/null +++ b/builtins/safe-baseline-configuration.json 
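Review bot: The new step `- uses: actions/setup-python@v4` references the action by a mutable tag, like the existing `actions/checkout@v2` and `w3c/spec-prod@v2` around it, and this job publishes to `gh-pages`. Pinning third-party actions to a full commit SHA, `- uses: actions/setup-python@<full-commit-sha>  # v4`, keeps a retagged release from changing what runs in the publishing job. The generated `builtins/safe-default-configuration.json` is also added to `.gitignore`, so its contents never appear in review. A CI step that fails when the generator output is empty or malformed would cover that gap. The job definition starts outside this hunk.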
@@ -0,0 +1,147 @@
+{
+ "removeElements": [
+ {
+ "namespace": "http://www.w3.org/1999/xhtml",
+ "name": "script"
+ },
+ {
+ "namespace": "http://www.w3.org/2000/svg",
+ "name": "script"
+ }
+ ],
+ "removeAttributes": [
+ "onabort",
+ "onactivate",
+ "onafterprint",
+ "onanimationend",
+ "onanimationiteration",
+ "onanimationstart",
+ "onauxclick",
+ "onbeforecopy",
+ "onbeforecut",
+ "onbeforeinput",
+ "onbeforepaste",
+ "onbeforeprint",
+ "onbeforetoggle",
+ "onbeforeunload",
+ "onbegin",
+ "onblur",
+ "oncancel",
+ "oncanplay",
+ "oncanplaythrough",
+ "onchange",
+ "onclick",
+ "onclose",
+ "oncontentvisibilityautostatechange",
+ "oncontextlost",
+ "oncontextmenu",
+ "oncontextrestored",
+ "oncopy",
+ "oncuechange",
+ "oncut",
+ "ondblclick",
+ "ondismiss",
+ "ondrag",
+ "ondragend",
+ "ondragenter",
+ "ondragleave",
+ "ondragover",
+ "ondragstart",
+ "ondrop",
+ "ondurationchange",
+ "onemptied",
+ "onend",
+ "onended",
+ "onerror",
+ "onfocus",
+ "onfocusin",
+ "onfocusout",
+ "onformdata",
+ "ongotpointercapture",
+ "onhashchange",
+ "oninput",
+ "oninvalid",
+ "onkeydown",
+ "onkeypress",
+ "onkeyup",
+ "onlanguagechange",
+ "onload",
+ "onloadeddata",
+ "onloadedmetadata",
+ "onloadstart",
+ "onlostpointercapture",
+ "onmessage",
+ "onmessageerror",
+ "onmousedown",
+ "onmouseenter",
+ "onmouseleave",
+ "onmousemove",
+ "onmouseout",
+ "onmouseover",
+ "onmouseup",
+ "onmousewheel",
+ "onmove",
+ "onoffline",
+ "ononline",
+ "onorientationchange",
+ "onoverscroll",
+ "onpagehide",
+ "onpageshow",
+ "onpaste",
+ "onpause",
+ "onplay",
+ "onplaying",
+ "onpointercancel",
+ "onpointerdown",
+ "onpointerenter",
+ "onpointerleave",
+ "onpointermove",
+ "onpointerout",
+ "onpointerover",
+ "onpointerrawupdate",
+ "onpointerup",
+ "onpopstate",
+ "onprogress",
+ "onratechange",
+ "onrepeat",
+ "onreset",
+ "onresize",
+ "onresolve",
+ "onscroll",
+ "onscrollend",
+ "onscrollsnapchange",
+ "onscrollsnapchanging",
+ "onsearch",
+ "onsecuritypolicyviolation",
+ "onseeked",
+ "onseeking",
+ "onselect",
+ "onselectionchange",
+ "onselectstart",
+ "onshow",
+ "onslotchange",
+ "onstalled",
+ "onstorage",
+ "onsubmit",
+ "onsuspend",
+ "ontimeupdate",
+ "ontimezonechange",
+ "ontoggle",
+ "ontouchcancel",
+ "ontouchend",
+ "ontouchmove",
+ "ontouchstart",
+ "ontransitionend",
+ "onunload",
+ "onvalidationstatuschange",
+ "onvolumechange",
+ "onwaiting",
+ "onwebkitanimationend",
+ "onwebkitanimationiteration",
+ "onwebkitanimationstart",
+ "onwebkitfullscreenchange",
+ "onwebkitfullscreenerror",
+ "onwebkittransitionend",
+ "onwheel"
+ ]
+}
diff --git a/builtins/safe-default-configuration.py b/builtins/safe-default-configuration.py
new file mode 100644
index 0000000..61996fd
--- /dev/null
+++ b/builtins/safe-default-configuration.py
@@ -0,0 +1,42 @@
+# Sanitizer API - Build configuration dictionary from text file.
+
+import json
+import argparse
+import sys
+
+def main():
+ parser = argparse.ArgumentParser()
+ parser.add_argument("--input", type=argparse.FileType('r'), required=True)
+ parser.add_argument("--out", type=argparse.FileType('w'), required=True)
+ args = parser.parse_args()
+
+ try:
+ lines = args.input.read()
+ except BaseException as err:
+ parser.error("Cannot read from --input file.")
+
+ result = { "elements": [], "attributes": [] }
+ current = []
+ for line in lines.split("\n"):
+ if not line:
+ pass
+ elif line.startswith("//"):
+ pass
+ elif line.startswith("- "):
+ current.append({ "name": line[2:], "namespace": None })
+ elif line == "[HTML Global]":
+ current = result["attributes"]
+ else:
+ elem = { "name": line, "namespace": "http://www.w3.org/1999/xhtml",
+ "attributes": [] }
+ result["elements"].append(elem)
+ current = elem["attributes"]
+
+ try:
+ json.dump(result, args.out, indent=2)
+ except BaseException as err:
+ parser.error("Cannot write to --out file.")
+ return 0
+
+if __name__ == "__main__":
+ main()
diff --git a/builtins/safe-default-configuration.txt b/builtins/safe-default-configuration.txt
new file mode 100644
index 0000000..7c8850b
--- /dev/null
+++ b/builtins/safe-default-configuration.txt
@@ -0,0 +1,171 @@
+// Document element
+// https://html.spec.whatwg.org/#the-root-element
+
+html
+
+// Document metadata
+// https://html.spec.whatwg.org/#document-metadata
+
+head
+title
+
+// meta and link, purposely omitted
+
+// Sections
+// https://html.spec.whatwg.org/#sections
+
+body
+article
+section
+nav
+aside
+h1
+h2
+h3
+h4
+h5
+h6
+hgroup
+header
+footer
+address
+
+// Grouping Content
+// https://html.spec.whatwg.org/#grouping-content
+
+p
+hr
+pre
+blockquote
+- cite
+ol
+- reversed
+- start
+- type
+ul
+menu
+li
+- value
+dl
+dt
+dd
+figure
+figcaption
+main
+search
+div
+
+// Text-level Semantics
+// https://html.spec.whatwg.org/#text-level-semantics ###
+
+a
+- href
+- rel
+- hreflang
+- type
+// Purposely omitted:
+// - target
+// - download
+// - referrerpolicy
+// - ping
+em
+strong
+small
+s
+cite
+q
+dfn
+- title
+abbr
+- title
+ruby
+rt
+rp
+data
+- value
+time
+- datetime
+code
+var
+samp
+kbd
+sub
+sup
+i
+b
+u
+mark
+bdi
+- dir
+bdo
+- dir
+span
+br
+wbr
+
+// Edits
+// https://html.spec.whatwg.org/#edits
+
+ins
+- cite
+- datetime
+del
+- cite
+- datetime
+
+// Embedded content
+// https://html.spec.whatwg.org/#embedded-content
+//
+// Purposely omitted.
+
+// Tabular Data
+// https://html.spec.whatwg.org/#tables
+
+table
+caption
+colgroup
+- span
+col
+- span
+tbody
+thead
+tfoot
+tr
+td
+- colspan
+- rowspan
+- headers
+th
+- colspan
+- rowspan
+- headers
+- scope
+- abbr
+
+// Forms
+// https://html.spec.whatwg.org/#forms
+//
+// Purposely omitted
+
+// Interactive Elements
+// https://html.spec.whatwg.org/#interactive-elements
+//
+// Purposly omitted.
+
+// Scripting
+// https://html.spec.whatwg.org/#scripting
+//
+// Purposely omitted.
+
+// SVG: TBD
+// MathML: TDB
+
+// HTML global attributes
+//
+// Selection of attributes. Most are purposely omitted.
+
+[HTML Global]
+- dir
+- lang
+- title
+
diff --git a/index.bs b/index.bs
index e758d55..23c6ec1 100644
--- a/index.bs
+++ b/index.bs
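Review bot: Two of the section comments carry typos: `// Purposly omitted.` under Interactive Elements should read `// Purposely omitted.`, and `// MathML: TDB` should read `// MathML: TBD`. The Text-level Semantics URL comment also keeps a trailing ` ###` left over from the old heading syntax. None of this changes the generated output, because the generator skips lines that begin with `//`. It still matters for review, since this file is the readable source of the default allow-list and the omission notes are what tell a reader that an absence is deliberate.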
@@ -718,24 +718,19 @@ There are three builtins: * the [=built-in navigating URL attributes list=]. The built-in safe default configuration is as follows: -``` -{ - elements: [ ... ], - attributes: [ ... ], -} -``` + +
+path: builtins/safe-default-configuration.json
+highlight: json
+
The built-in safe baseline configuration is meant to block only script-content, and nothing else. It is as follows: -``` -{ - removeElements: [ - { name: "script", namespace: "http://www.w3.org/1999/xhtml" }, - { name: "script", namespace: "http://www.w3.org/2000/svg" } - ], - removeAttributes: [....], -} -``` + +
+path: builtins/safe-baseline-configuration.json
+highlight: json
+
The built-in navigating URL attributes list, for which "`javascript:`" diff --git a/lists.txt b/lists.txt deleted file mode 100644 index 6f868e6..0000000 --- a/lists.txt +++ /dev/null 
@@ -1,1145 +0,0 @@ -# Elements & attributes # - -This "mostly free-form" document lists elements + attributes in HTML (and -referenced standards, SVG + MathML), and assigns them to one of several groups: - -- other -- script-ish -- frames -- legacy / non-conforming -- harmless - -# Elements # - -## Script-ish ## - -script -noscript -name: script, namespace: http://www.w3.org/2000/svg - -## Frames ## - -iframe -frame -frameset -noframes -fencedframe - -## Non-Conforming features https://html.spec.whatwg.org/#non-conforming-features ## - -applet -acronym -bgsound -keygen -object -embed -noembed -param -plaintext -rb -rtc -basefont -big -center -nobr -marquee -strike -tt -font -dir -listing -xmp - -### Probably should be non-conforming feature ### - -layer -nolayer - - -## Harmless ## - -### Document element: https://html.spec.whatwg.org/#the-root-element ### - -html - -### Document metadata: https://html.spec.whatwg.org/#document-metadata ### - -head -title -link -- href -- crossorigin -- rel -- media -- integrity -- hreflang -- type -- referrerpolicy -- sizes -- imagesrcset -- imagesizes -- as -- blocking -- color -- disabled -- fetchpriority -- title // Is global, but has special semantics -style -- media -- blocking -- title // Is global, but has special semantics. - -### Sections: https://html.spec.whatwg.org/#sections ### - -body -article -section -nav -aside -h1 -h2 -h3 -h4 -h5 -h6 -hgroup -header -footer -address - -### Grouping Content: https://html.spec.whatwg.org/#grouping-content ### - -p -hr -pre -blockquote -- cite -ol -- reversed -- start -- type -ul -menu -li -- value -dl -dt -dd -figure -figcaption -main -search -div - -### Text-level Semantics: https://html.spec.whatwg.org/#text-level-semantics ### - -a -- href -- target -- download -- ping -- rel -- hreflang -- type -- referrerpolicy -em -strong -small -s -cite -q -dfn -- title // Is global, but has special semantics here. -abbr -- title // Is global, but has special semantics here. 
-ruby -rt -rp -data -- value -time -- datetime -code -var -samp -kbd -sub -sup -i -b -u -mark -bdi -- dir // Is global, but has special semantics here. -bdo -- dir // Is global, but has special semantics here. -span -br -wbr - -### Edits: https://html.spec.whatwg.org/#edits ### - -ins -- cite -- datetime -del -- cite -- datetime - -### Embedded content: https://html.spec.whatwg.org/#embedded-content ### - -picture -source -- type -- media -- src -- srcset -- sizes -- width -- height -img -- alt -- src -- srcset -- sizes -- crossorigin -- usemap -- ismap -- width -- height -- referrerpolicy -- decoding -- loading -- fetchpriority -video -- src -- crossorigin -- poster -- preload -- autoplay -- playsinline -- loop -- muted -- controls -- width -- height -audio -- src -- crossorigin -- preload -- autoplay -- loop -- muted -- controls -track -- kind -- src -- srclang -- label -- default -map -- name -area -- alt -- coords -- shape -- href -- target -- download -- ping -- rel -- referrerpolicy - -### Tabular Data https://html.spec.whatwg.org/#tables ### - -table -caption -colgroup -- span -col -- span -tbody -thead -tfoot -tr -td -- colspan -- rowspan -- headers -th -- colspan -- rowspan -- headers -- scope -- abbr - -### Forms https://html.spec.whatwg.org/#forms ### - -form -- accept-charset -- action -- autocomplete -- enctype -- method -- name -- novalidate -- target -- rel -label -- for -input -- accept -- alpha -- alt -- autocomplete -- checked -- colorspace -- dirname -- disabled -- form -- formaction -- formenctype -- formmethod -- formnovalidate -- formtarget -- height -- list -- max -- maxlength -- min -- minlength -- multiple -- name -- pattern -- placeholder -- popovertarget -- popovertargetaction -- readonly -- required -- size -- src -- step -- type -- value -- width -- title // Is global, but has special semantics here. 
-button -- disabled -- form -- formaction -- formenctype -- formmethod -- formnovalidate -- formtarget -- name -- popovertarget -- popovertagetaction -- type -- value -select -- autocomplete -- disabled -- form -- multiple -- name -- required -- size -datalist -optgroup -- disabled -- label -option -- disabled -- label -- selected -- value -textarea -- autocomplete -- cols -- dirname -- disabled -- form -- maxlength -- minlength -- name -- placeholder -- readonly -- required -- rows -- wrap -output -- for -- form -- name -progress -- value -- max -meter -- value -- min -- max -- low -- high -- optimum -fieldset -- disabled -- form -- name -legend - -### Interactive Elements https://html.spec.whatwg.org/#interactive-elements ### - -details -- name -- open -summary -dialog -- open - -### Scripting https://html.spec.whatwg.org/#scripting ### - -template -- shadowrootmode -- shadowrootdelegatesfocus -- shadowrootclonable -- shadowrootserializable -slot -- name -canvas -- width -- height - -### SVG + MathML ### - -name: a, namespace: http://www.w3.org/2000/svg -name: circle, namespace: http://www.w3.org/2000/svg -name: clipPath, namespace: http://www.w3.org/2000/svg -name: defs, namespace: http://www.w3.org/2000/svg -name: desc, namespace: http://www.w3.org/2000/svg -name: ellipse, namespace: http://www.w3.org/2000/svg -name: feBlend, namespace: http://www.w3.org/2000/svg -name: feColorMatrix, namespace: http://www.w3.org/2000/svg -name: feComponentTransfer, namespace: http://www.w3.org/2000/svg -name: feComposite, namespace: http://www.w3.org/2000/svg -name: feConvolveMatrix, namespace: http://www.w3.org/2000/svg -name: feDiffuseLighting, namespace: http://www.w3.org/2000/svg -name: feDisplacementMap, namespace: http://www.w3.org/2000/svg -name: feDistantLight, namespace: http://www.w3.org/2000/svg -name: feFlood, namespace: http://www.w3.org/2000/svg -name: feFuncA, namespace: http://www.w3.org/2000/svg -name: feFuncB, namespace: http://www.w3.org/2000/svg -name: 
feFuncG, namespace: http://www.w3.org/2000/svg -name: feFuncR, namespace: http://www.w3.org/2000/svg -name: feGaussianBlur, namespace: http://www.w3.org/2000/svg -name: feImage, namespace: http://www.w3.org/2000/svg -name: feMerge, namespace: http://www.w3.org/2000/svg -name: feMergeNode, namespace: http://www.w3.org/2000/svg -name: feMorphology, namespace: http://www.w3.org/2000/svg -name: feOffset, namespace: http://www.w3.org/2000/svg -name: fePointLight, namespace: http://www.w3.org/2000/svg -name: feSpecularLighting, namespace: http://www.w3.org/2000/svg -name: feSpotLight, namespace: http://www.w3.org/2000/svg -name: feTile, namespace: http://www.w3.org/2000/svg -name: feTurbulence, namespace: http://www.w3.org/2000/svg -name: filter, namespace: http://www.w3.org/2000/svg -name: g, namespace: http://www.w3.org/2000/svg -name: image, namespace: http://www.w3.org/2000/svg -name: line, namespace: http://www.w3.org/2000/svg -name: linearGradient, namespace: http://www.w3.org/2000/svg -name: marker, namespace: http://www.w3.org/2000/svg -name: mask, namespace: http://www.w3.org/2000/svg -name: metadata, namespace: http://www.w3.org/2000/svg -name: mpath, namespace: http://www.w3.org/2000/svg -name: path, namespace: http://www.w3.org/2000/svg -name: pattern, namespace: http://www.w3.org/2000/svg -name: polygon, namespace: http://www.w3.org/2000/svg -name: polyline, namespace: http://www.w3.org/2000/svg -name: radialGradient, namespace: http://www.w3.org/2000/svg -name: rect, namespace: http://www.w3.org/2000/svg -name: stop, namespace: http://www.w3.org/2000/svg -name: svg, namespace: http://www.w3.org/2000/svg -name: switch, namespace: http://www.w3.org/2000/svg -name: symbol, namespace: http://www.w3.org/2000/svg -name: text, namespace: http://www.w3.org/2000/svg -name: textPath, namespace: http://www.w3.org/2000/svg -name: title, namespace: http://www.w3.org/2000/svg -name: tspan, namespace: http://www.w3.org/2000/svg -name: view, namespace: 
http://www.w3.org/2000/svg -name: math, "namespace": "http://www.w3.org/1998/Math/MathML", -name: menclose, namespace: http://www.w3.org/1998/Math/MathML -name: merror, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mfenced, namespace: http://www.w3.org/1998/Math/MathML -name: mfrac, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mglyph, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mmultiscripts, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mi, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mn, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mo "namespace": "http://www.w3.org/1998/Math/MathML", -name: mpadded "namespace": "http://www.w3.org/1998/Math/MathML", -name: mphantom, namespace: http://www.w3.org/1998/Math/MathML -name: mroot, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mrow, namespace: http://www.w3.org/1998/Math/MathML -name: ms, namespace: http://www.w3.org/1998/Math/MathML -name: mspace, namespace: http://www.w3.org/1998/Math/MathML -name: msqrt, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mstyle, namespace: http://www.w3.org/1998/Math/MathML -name: msub, "namespace": "http://www.w3.org/1998/Math/MathML", -name: msup, "namespace": "http://www.w3.org/1998/Math/MathML", -name: msubsup, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mtable, namespace: http://www.w3.org/1998/Math/MathML -name: mtd, namespace: http://www.w3.org/1998/Math/MathML -name: mtr, namespace: http://www.w3.org/1998/Math/MathML -name: mtext, namespace: http://www.w3.org/1998/Math/MathML -name: mover, namespace: http://www.w3.org/1998/Math/MathML -name: munder, namespace: http://www.w3.org/1998/Math/MathML -name: munderover, namespace: http://www.w3.org/1998/Math/MathML - -## Other ## - -base -- href -- target -meta -- name -- http-quiv -- content -- charset -- media - -command -image -permission -selectedcontent -name: annotation, "namespace": 
"http://www.w3.org/1998/Math/MathML", -name: annotation-xml, "namespace": "http://www.w3.org/1998/Math/MathML", -name: maction, "namespace": "http://www.w3.org/1998/Math/MathML", -name: malignmark, "namespace": "http://www.w3.org/1998/Math/MathML", -name: mprescripts, "namespace": "http://www.w3.org/1998/Math/MathML", -name: semantics, namespace: http://www.w3.org/1998/Math/MathML -name: none, namespace: http://www.w3.org/1998/Math/MathML -name: animate, namespace: http://www.w3.org/2000/svg -name: animateColor, namespace: http://www.w3.org/2000/svg -name: animateMotion, namespace: http://www.w3.org/2000/svg -name: animateTransform, namespace: http://www.w3.org/2000/svg -name: set, namespace: http://www.w3.org/2000/svg -name: feDropShadow, namespace: http://www.w3.org/2000/svg -name: foreignObject, namespace: http://www.w3.org/2000/svg -name: style, namespace: http://www.w3.org/2000/svg -name: use, namespace: http://www.w3.org/2000/svg -name: font, namespace: http://www.w3.org/2000/svg -name: tref, namespace: http://www.w3.org/2000/svg -name: glyph, namespace: http://www.w3.org/2000/svg -name: glyphRef, namespace: http://www.w3.org/2000/svg - -# Attributes # - -## Script-ish ## - -### Script-ish HTML global attributes https://html.spec.whatwg.org/#global-attributes ### - -onauxclick -onbeforeinput -onbeforematch -onbeforetoggle -onblur -oncancel -oncanplay -oncanplaythrough -onchange -onclick -onclose -oncontextlost -oncontextmenu -oncontextrestored -oncopy -oncuechange -oncut -ondblclick -ondrag -ondragend -ondragenter -ondragleave -ondragover -ondragstart -ondrop -ondurationchange -onemptied -onended -onerror -onfocus -onformdata -oninput -oninvalid -onkeydown -onkeypress -onkeyup -onload -onloadeddata -onloadedmetadata -onloadstart -onmousedown -onmouseenter -onmouseleave -onmousemove -onmouseout -onmouseover -onmouseup -onpaste -onpause -onplay -onplaying -onprogress -onratechange -onreset -onresize -onscroll -onscrollend -onsecuritypolicyviolation -onseeked 
-onseeking -onselect -onslotchange -onstalled -onsubmit -onsuspend -ontimeupdate -ontoggle -onvolumechange -onwaiting -onwheel - -### body element https://html.spec.whatwg.org/#the-body-element ### - -onafterprint -onbeforeprint -onbeforeunload -onhashchange -onlanguagechange -onmessage -onmessageerror -onoffline -ononline -onpageswap -onpagehide -onpagereveal -onpageshow -onpopstate -onrejectionhandled -onstorage -onunhandledrejection -onunload - -### -https://html.spec.whatwg.org/#event-handlers-on-elements,-document-objects,-and-window-objects -### - -onwebkitanimationstart -onwebkitanimationiteration -onwebkitanimationend -onwebkittransitionend -onwebkittransitionend -onwebkittransitionend -onreadystatechange -onvisibilitychange - -### other event handlers - -onabort -onanimationstart -onanimationiteration -onanimationend -onbeforecopy -onbeforecut -onbeforepaste -oncontentvisibilityautostatechange -ondismiss -onfocusin -onfocusout -ongotpointercapture -onhashchange -onlostpointercapture -onmousewheel -onmove -onorientationchange -onoverscroll -onpointercancel -onpointerdown -onpointerenter -onpointerleave -onpointermove -onpointerout -onpointerover -onpointerrawupdate -onpointerup -onresolve -onsearch -onselectstart -onselectionchange -onshow -onscrollsnapchange -onscrollsnapchanging -ontimezonechange -ontouchstart -ontouchmove -ontouchend -ontouchcancel -ontransitionend -onvalidationstatuschange -onwebkitfullscreenchange -onwebkitfullscreenerror - -## ARIA https://www.w3.org/TR/wai-aria-1.2/#state_prop_def ## - -aria-activedescendant -aria-atomic -aria-autocomplete -aria-busy -aria-checked -aria-colcount -aria-colindex -aria-colspan -aria-controls -aria-current -aria-describedby -aria-details -aria-disabled -aria-dropeffect -aria-errormessage -aria-expanded -aria-flowto -aria-grabbed -aria-haspopup -aria-hidden -aria-invalid -aria-keyshortcuts -aria-label -aria-labelledby -aria-level -aria-live -aria-modal -aria-multiline -aria-multiselectable 
-aria-orientation -aria-owns -aria-placeholder -aria-posinset -aria-pressed -aria-readonly -aria-relevant -aria-required -aria-roledescription -aria-rowcount -aria-rowindex -aria-rowspan -aria-selected -aria-setsize -aria-sort -aria-valuemax -aria-valuemin -aria-valuenow -aria-valuetext -aria-labeledby // See note "labeledby" in spec. - -## ARIA 1.3 draft additions https://w3c.github.io/aria/ ### - -aria-braillelabel -aria-brailleroledescription -aria-colindextext -aria-rowindextext - -## ARIA: in development ## - -aria-actions // https://github.com/w3c/aria/pull/1805 -aria-virtualcontent // https://github.com/WICG/accessible-loading-and-searching-of-content/blob/main/explainer.md - -### HTML global attributes ### - -accesskey -autocapitalize -autocorrect -autofocus -contenteditable -dir -draggable -enterkeyhint -hidden -inert -inputmode -is -itemid -itemprop -itemref -itemscope -itemtype -lang -nonce -popover -spellcheck -style -tabindex -title -translate -writingsuggestions - -## Other ## - -adauctionheaders -align -alink -allow -allowfullscreen -allowpaymentrequest -anchor -archive -async -attributionsrc -axis -background -behavior -bgcolor -border -bordercolor -browsingtopics -capture -cellpadding -cellspacing -char -challenge -charoff -charset -class -classid -clear -closedby -code -codebase -codetype -command -commandfor -compact -content -controlslist -coords -credentialless -csp -data -data-src -declare -defer -delegatesfocus -direction -disablepictureinpicture -disableremoteplayback -elementtiming -end -event -exportparts -face -focusgroupp -frame -frameborder -hreftranslate -hspace -http-equiv -id -incremental -interestaction -interesttarget -itemprop -keytype -invisible -language -latencyhint -leftmargin -link -longdesc -lowsrc -manifest -marginheight -marginwidth -mayscript -nohref -nomodule -noresize -noshade -nowrap -objectp -parseparts -part -policy -property -pseudo -rev -role -rules -sandbox -scheme -scrollamount -scrolldelay -scrolling -select 
-selected -selectedcontentelement -shadowroot -shadowrootreferencetarget -sharedstoragewritable -slot -srcdoc -srclang -standby -summary -text -topmargin -truespeed -preciselocation -privatetoken -valign -valuetype -version -vlink -vspace -virtualkeyboardpolicy -webkitdirectory -accent -accentunder -columnspan -definitionURL -depth -display -displaystyle -encoding -form -largeop -linethickness -lspace -mathbackground -mathcolor -mathsize -mathvariant -maxsize -minsize -movablelimits -rowspan -rspace -scriptlevel -stretchy -symmetric -voffset -width -accumulate -additive -alignment-baseline -amplitude -animate -attributeName -attributeType -autofocus -azimuth -baseFrequency -baseline-shift -baseProfile -begin -bias -buffered-rendering -by -calcMode -clip -clip-path -clip-rule -clipPathUnits -color -color-interpolation -color-interpolation-filters -color-rendering -crossorigin -cursor -cx -cy -d -decoding -diffuseConstant -direction -display -divisor -dominant-baseline -dur -dx -dy -edgeMode -elevation -end -exponent -fill -fill-opacity -fill-rule -filter -filterUnits -flood-color -flood-opacity -focusgroup -font-family -font-size -font-size-adjust -font-stretch -font-style -font-variant -font-weight -format -from -fx -fy -fr -g1 -g2 -glyphRef -gradientTransform -gradientUnits -height -href -image-rendering -in -in2 -intercept -interestaction -interesttarget -k -k1 -k2 -k3 -k4 -kernelMatrix -kernelUnitLength -keyPoints -keySplines -keyTimes -lang -lengthAdjust -letter-spacing -lighting-color -limitingConeAngle -local -marker-end -marker-mid -marker-start -markerHeight -markerUnits -markerWidth -mask -mask-type -maskContentUnits -maskUnits -max -media -method -min -mode -name -numOctaves -offset -onactivate -onbegin -onend -onfocusin -onfocusout -onrepeat -opacity -operator -order -orient -origin -overflow -paint-order -path -pathLength -patternContentUnits -patternTransform -patternUnits -pointer-events -points -pointsAtX -pointsAtY -pointsAtZ -preserveAlpha 
-preserveAspectRatio -primitiveUnits -r -radius -refX -refY -repeatCount -repeatDur -requiredExtensions -requiredFeatures -restart -result -rotate -rx -ry -scale -seed -shape-rendering -slope -spacing -specularConstant -specularExponent -spreadMethod -startOffset -stdDeviation -stitchTiles -stop-color -stop-opacity -stroke -stroke-dasharray -stroke-dashoffset -stroke-linecap -stroke-linejoin -stroke-miterlimit -stroke-opacity -stroke-width -style -surfaceScale -systemLanguage -tableValues -target -targetX -targetY -text-anchor -text-decoration -text-rendering -textLength -title -to -transform -transform-origin -type -u1 -u2 -unicode-bidi -values -vector-effect -version -viewBox -visibility -width -word-spacing -writing-mode -x -x1 -x2 -xChannelSelector -y -y1 -y2 -yChannelSelector -z -zoomAndPan -name: "actuate", "namespace": "http://www.w3.org/1999/xlink", -name: "arcrole", "namespace": "http://www.w3.org/1999/xlink", -name: "href", "namespace": "http://www.w3.org/1999/xlink", -name: role, "namespace": "http://www.w3.org/1999/xlink", -name: show, "namespace": "http://www.w3.org/1999/xlink", -name: title, "namespace": "http://www.w3.org/1999/xlink", -name: type, "namespace": "http://www.w3.org/1999/xlink", -name: lang, "namespace": "http://www.w3.org/XML/1998/namespace", -name: space, "namespace": "http://www.w3.org/XML/1998/namespace", -name: xmlns, "namespace": "http://www.w3.org/2000/xmlns/", diff --git a/resources/baseline-attribute-allow-list.json b/resources/baseline-attribute-allow-list.json deleted file mode 100644 index 1b7bee6..0000000 --- a/resources/baseline-attribute-allow-list.json +++ /dev/null 
@@ -1,213 +0,0 @@ -[ - "abbr", - "accept", - "accept-charset", - "accesskey", - "action", - "align", - "alink", - "allow", - "allowfullscreen", - "allowpaymentrequest", - "alt", - "anchor", - "archive", - "as", - "async", - "autocapitalize", - "autocomplete", - "autocorrect", - "autofocus", - "autopictureinpicture", - "autoplay", - "axis", - "background", - "behavior", - "bgcolor", - "border", - "bordercolor", - "capture", - "cellpadding", - "cellspacing", - "challenge", - "char", - "charoff", - "charset", - "checked", - "cite", - "class", - "classid", - "clear", - "code", - "codebase", - "codetype", - "color", - "cols", - "colspan", - "compact", - "content", - "contenteditable", - "controls", - "controlslist", - "conversiondestination", - "coords", - "crossorigin", - "csp", - "data", - "datetime", - "declare", - "decoding", - "default", - "defer", - "dir", - "direction", - "dirname", - "disabled", - "disablepictureinpicture", - "disableremoteplayback", - "disallowdocumentaccess", - "download", - "draggable", - "elementtiming", - "enctype", - "end", - "enterkeyhint", - "event", - "exportparts", - "face", - "for", - "form", - "formaction", - "formenctype", - "formmethod", - "formnovalidate", - "formtarget", - "frame", - "frameborder", - "headers", - "height", - "hidden", - "high", - "href", - "hreflang", - "hreftranslate", - "hspace", - "http-equiv", - "id", - "imagesizes", - "imagesrcset", - "importance", - "impressiondata", - "impressionexpiry", - "incremental", - "inert", - "inputmode", - "integrity", - "invisible", - "is", - "ismap", - "keytype", - "kind", - "label", - "lang", - "language", - "latencyhint", - "leftmargin", - "link", - "list", - "loading", - "longdesc", - "loop", - "low", - "lowsrc", - "manifest", - "marginheight", - "marginwidth", - "max", - "maxlength", - "mayscript", - "media", - "method", - "min", - "minlength", - "multiple", - "muted", - "name", - "nohref", - "nomodule", - "nonce", - "noresize", - "noshade", - "novalidate", - "nowrap", - 
"object", - "open", - "optimum", - "part", - "pattern", - "ping", - "placeholder", - "playsinline", - "policy", - "poster", - "preload", - "pseudo", - "readonly", - "referrerpolicy", - "rel", - "reportingorigin", - "required", - "resources", - "rev", - "reversed", - "role", - "rows", - "rowspan", - "rules", - "sandbox", - "scheme", - "scope", - "scopes", - "scrollamount", - "scrolldelay", - "scrolling", - "select", - "selected", - "shadowroot", - "shadowrootdelegatesfocus", - "shape", - "size", - "sizes", - "slot", - "span", - "spellcheck", - "src", - "srcdoc", - "srclang", - "srcset", - "standby", - "start", - "step", - "style", - "summary", - "tabindex", - "target", - "text", - "title", - "topmargin", - "translate", - "truespeed", - "trusttoken", - "type", - "usemap", - "valign", - "value", - "valuetype", - "version", - "virtualkeyboardpolicy", - "vlink", - "vspace", - "webkitdirectory", - "width", - "wrap" -] diff --git a/resources/baseline-element-allow-list.json b/resources/baseline-element-allow-list.json deleted file mode 100644 index cf470cd..0000000 --- a/resources/baseline-element-allow-list.json +++ /dev/null 
@@ -1,130 +0,0 @@ -[ - "a", - "abbr", - "acronym", - "address", - "area", - "article", - "aside", - "audio", - "b", - "basefont", - "bdi", - "bdo", - "bgsound", - "big", - "blockquote", - "body", - "br", - "button", - "canvas", - "caption", - "center", - "cite", - "code", - "col", - "colgroup", - "command", - "data", - "datalist", - "dd", - "del", - "details", - "dfn", - "dialog", - "dir", - "div", - "dl", - "dt", - "em", - "fieldset", - "figcaption", - "figure", - "font", - "footer", - "form", - "h1", - "h2", - "h3", - "h4", - "h5", - "h6", - "head", - "header", - "hgroup", - "hr", - "html", - "i", - "image", - "img", - "input", - "ins", - "kbd", - "keygen", - "label", - "layer", - "legend", - "li", - "link", - "listing", - "main", - "map", - "mark", - "marquee", - "menu", - "meta", - "meter", - "nav", - "nobr", - "ol", - "optgroup", - "option", - "output", - "p", - "picture", - "plaintext", - "popup", - "portal", - "pre", - "progress", - "q", - "rb", - "rp", - "rt", - "rtc", - "ruby", - "s", - "samp", - "section", - "select", - "selectmenu", - "slot", - "small", - "source", - "span", - "strike", - "strong", - "style", - "sub", - "summary", - "sup", - "table", - "tbody", - "td", - "template", - "textarea", - "tfoot", - "th", - "thead", - "time", - "title", - "tr", - "track", - "tt", - "u", - "ul", - "var", - "video", - "wbr", - "xmp" -] diff --git a/resources/default-configuration.json b/resources/default-configuration.json deleted file mode 100644 index f6613ae..0000000 --- a/resources/default-configuration.json +++ /dev/null 
@@ -1,755 +0,0 @@ -{ - "allowCustomElements": false, - "allowUnknownMarkup": false, - "allowElements": [ - "a", - "abbr", - "acronym", - "address", - "area", - "article", - "aside", - "audio", - "b", - "bdi", - "bdo", - "bgsound", - "big", - "blockquote", - "body", - "br", - "button", - "canvas", - "caption", - "center", - "cite", - "code", - "col", - "colgroup", - "datalist", - "dd", - "del", - "details", - "dfn", - "dialog", - "dir", - "div", - "dl", - "dt", - "em", - "fieldset", - "figcaption", - "figure", - "font", - "footer", - "form", - "h1", - "h2", - "h3", - "h4", - "h5", - "h6", - "head", - "header", - "hgroup", - "hr", - "html", - "i", - "img", - "input", - "ins", - "kbd", - "keygen", - "label", - "layer", - "legend", - "li", - "link", - "listing", - "main", - "map", - "mark", - "marquee", - "menu", - "meta", - "meter", - "nav", - "nobr", - "ol", - "optgroup", - "option", - "output", - "p", - "picture", - "popup", - "pre", - "progress", - "q", - "rb", - "rp", - "rt", - "rtc", - "ruby", - "s", - "samp", - "section", - "select", - "selectmenu", - "small", - "source", - "span", - "strike", - "strong", - "style", - "sub", - "summary", - "sup", - "table", - "tbody", - "td", - "tfoot", - "th", - "thead", - "time", - "tr", - "track", - "tt", - "u", - "ul", - "var", - "video", - "wbr" - ], - "allowAttributes": { - "abbr": [ - "*" - ], - "accept": [ - "*" - ], - "accept-charset": [ - "*" - ], - "accesskey": [ - "*" - ], - "action": [ - "*" - ], - "align": [ - "*" - ], - "alink": [ - "*" - ], - "allow": [ - "*" - ], - "allowfullscreen": [ - "*" - ], - "alt": [ - "*" - ], - "anchor": [ - "*" - ], - "archive": [ - "*" - ], - "as": [ - "*" - ], - "async": [ - "*" - ], - "autocapitalize": [ - "*" - ], - "autocomplete": [ - "*" - ], - "autocorrect": [ - "*" - ], - "autofocus": [ - "*" - ], - "autopictureinpicture": [ - "*" - ], - "autoplay": [ - "*" - ], - "axis": [ - "*" - ], - "background": [ - "*" - ], - "behavior": [ - "*" - ], - "bgcolor": [ - "*" - ], - "border": 
[ - "*" - ], - "bordercolor": [ - "*" - ], - "capture": [ - "*" - ], - "cellpadding": [ - "*" - ], - "cellspacing": [ - "*" - ], - "challenge": [ - "*" - ], - "char": [ - "*" - ], - "charoff": [ - "*" - ], - "charset": [ - "*" - ], - "checked": [ - "*" - ], - "cite": [ - "*" - ], - "class": [ - "*" - ], - "classid": [ - "*" - ], - "clear": [ - "*" - ], - "code": [ - "*" - ], - "codebase": [ - "*" - ], - "codetype": [ - "*" - ], - "color": [ - "*" - ], - "cols": [ - "*" - ], - "colspan": [ - "*" - ], - "compact": [ - "*" - ], - "content": [ - "*" - ], - "contenteditable": [ - "*" - ], - "controls": [ - "*" - ], - "controlslist": [ - "*" - ], - "conversiondestination": [ - "*" - ], - "coords": [ - "*" - ], - "crossorigin": [ - "*" - ], - "csp": [ - "*" - ], - "data": [ - "*" - ], - "datetime": [ - "*" - ], - "declare": [ - "*" - ], - "decoding": [ - "*" - ], - "default": [ - "*" - ], - "defer": [ - "*" - ], - "dir": [ - "*" - ], - "direction": [ - "*" - ], - "dirname": [ - "*" - ], - "disabled": [ - "*" - ], - "disablepictureinpicture": [ - "*" - ], - "disableremoteplayback": [ - "*" - ], - "disallowdocumentaccess": [ - "*" - ], - "download": [ - "*" - ], - "draggable": [ - "*" - ], - "elementtiming": [ - "*" - ], - "enctype": [ - "*" - ], - "end": [ - "*" - ], - "enterkeyhint": [ - "*" - ], - "event": [ - "*" - ], - "exportparts": [ - "*" - ], - "face": [ - "*" - ], - "for": [ - "*" - ], - "form": [ - "*" - ], - "formaction": [ - "*" - ], - "formenctype": [ - "*" - ], - "formmethod": [ - "*" - ], - "formnovalidate": [ - "*" - ], - "formtarget": [ - "*" - ], - "frame": [ - "*" - ], - "frameborder": [ - "*" - ], - "headers": [ - "*" - ], - "height": [ - "*" - ], - "hidden": [ - "*" - ], - "high": [ - "*" - ], - "href": [ - "*" - ], - "hreflang": [ - "*" - ], - "hreftranslate": [ - "*" - ], - "hspace": [ - "*" - ], - "http-equiv": [ - "*" - ], - "id": [ - "*" - ], - "imagesizes": [ - "*" - ], - "imagesrcset": [ - "*" - ], - "importance": [ - "*" - ], - 
"impressiondata": [ - "*" - ], - "impressionexpiry": [ - "*" - ], - "incremental": [ - "*" - ], - "inert": [ - "*" - ], - "inputmode": [ - "*" - ], - "integrity": [ - "*" - ], - "invisible": [ - "*" - ], - "is": [ - "*" - ], - "ismap": [ - "*" - ], - "keytype": [ - "*" - ], - "kind": [ - "*" - ], - "label": [ - "*" - ], - "lang": [ - "*" - ], - "language": [ - "*" - ], - "latencyhint": [ - "*" - ], - "leftmargin": [ - "*" - ], - "link": [ - "*" - ], - "list": [ - "*" - ], - "loading": [ - "*" - ], - "longdesc": [ - "*" - ], - "loop": [ - "*" - ], - "low": [ - "*" - ], - "lowsrc": [ - "*" - ], - "manifest": [ - "*" - ], - "marginheight": [ - "*" - ], - "marginwidth": [ - "*" - ], - "max": [ - "*" - ], - "maxlength": [ - "*" - ], - "mayscript": [ - "*" - ], - "media": [ - "*" - ], - "method": [ - "*" - ], - "min": [ - "*" - ], - "minlength": [ - "*" - ], - "multiple": [ - "*" - ], - "muted": [ - "*" - ], - "name": [ - "*" - ], - "nohref": [ - "*" - ], - "nomodule": [ - "*" - ], - "nonce": [ - "*" - ], - "noresize": [ - "*" - ], - "noshade": [ - "*" - ], - "novalidate": [ - "*" - ], - "nowrap": [ - "*" - ], - "object": [ - "*" - ], - "open": [ - "*" - ], - "optimum": [ - "*" - ], - "part": [ - "*" - ], - "pattern": [ - "*" - ], - "ping": [ - "*" - ], - "placeholder": [ - "*" - ], - "playsinline": [ - "*" - ], - "policy": [ - "*" - ], - "poster": [ - "*" - ], - "preload": [ - "*" - ], - "pseudo": [ - "*" - ], - "readonly": [ - "*" - ], - "referrerpolicy": [ - "*" - ], - "rel": [ - "*" - ], - "reportingorigin": [ - "*" - ], - "required": [ - "*" - ], - "resources": [ - "*" - ], - "rev": [ - "*" - ], - "reversed": [ - "*" - ], - "role": [ - "*" - ], - "rows": [ - "*" - ], - "rowspan": [ - "*" - ], - "rules": [ - "*" - ], - "sandbox": [ - "*" - ], - "scheme": [ - "*" - ], - "scope": [ - "*" - ], - "scopes": [ - "*" - ], - "scrollamount": [ - "*" - ], - "scrolldelay": [ - "*" - ], - "scrolling": [ - "*" - ], - "select": [ - "*" - ], - "selected": [ - "*" - ], - 
"shadowroot": [ - "*" - ], - "shadowrootdelegatesfocus": [ - "*" - ], - "shape": [ - "*" - ], - "size": [ - "*" - ], - "sizes": [ - "*" - ], - "slot": [ - "*" - ], - "span": [ - "*" - ], - "spellcheck": [ - "*" - ], - "src": [ - "*" - ], - "srcdoc": [ - "*" - ], - "srclang": [ - "*" - ], - "srcset": [ - "*" - ], - "standby": [ - "*" - ], - "start": [ - "*" - ], - "step": [ - "*" - ], - "style": [ - "*" - ], - "summary": [ - "*" - ], - "tabindex": [ - "*" - ], - "target": [ - "*" - ], - "text": [ - "*" - ], - "title": [ - "*" - ], - "topmargin": [ - "*" - ], - "translate": [ - "*" - ], - "truespeed": [ - "*" - ], - "trusttoken": [ - "*" - ], - "type": [ - "*" - ], - "usemap": [ - "*" - ], - "valign": [ - "*" - ], - "value": [ - "*" - ], - "valuetype": [ - "*" - ], - "version": [ - "*" - ], - "virtualkeyboardpolicy": [ - "*" - ], - "vlink": [ - "*" - ], - "vspace": [ - "*" - ], - "webkitdirectory": [ - "*" - ], - "width": [ - "*" - ], - "wrap": [ - "*" - ] - } -} From 48aebd193f6bb3aab3616a3dba361ec38d210cc4 Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Wed, 18 Dec 2024 18:56:15 +0100 Subject: [PATCH 06/10] Try empty -json file to fix preview. --- builtins/safe-default-configuration.json | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 builtins/safe-default-configuration.json diff --git a/builtins/safe-default-configuration.json b/builtins/safe-default-configuration.json new file mode 100644 index 0000000..e69de29 From 2ea2510c8e44208ecbb5db4d6db0692bf08b9edc Mon Sep 17 00:00:00 2001 
From: Daniel Vogelheim Date: Wed, 8 Jan 2025 16:15:32 +0100 Subject: [PATCH 07/10] Review feedback: Reference event content handlers; add remove elements --- .github/workflows/pr-push.yml | 2 + .gitignore | 1 + builtins/event-handler-content-attributes.txt | 89 ++++++++++ ...e-baseline-configuration-materialized.json | 0 builtins/safe-baseline-configuration.json | 156 +++--------------- builtins/safe-baseline-configuration.py | 39 +++++ index.bs | 24 ++- 7 files changed, 174 insertions(+), 137 deletions(-) create mode 100644 builtins/event-handler-content-attributes.txt create mode 100644 builtins/safe-baseline-configuration-materialized.json create mode 100644 builtins/safe-baseline-configuration.py diff --git a/.github/workflows/pr-push.yml b/.github/workflows/pr-push.yml index 17d81ec..62a3028 100644 --- a/.github/workflows/pr-push.yml +++ b/.github/workflows/pr-push.yml @@ -14,6 +14,8 @@ jobs: python-version: '3.10' - name: Generate safe-default-configuration.json run: python builtins/safe-default-configuration.py --input builtins/safe-default-configuration.txt --out builtins/safe-default-configuration.json + - name: Generate safe-baseline-configuration-materialized.json + run: python builtins/safe-baseline-configuration.py --input builtins/safe-baseline-configuration.txt --event-hanlders builtins/event-handler-content-attributes.txt --out builtins/safe-baseline-configuration-materialized.json - uses: w3c/spec-prod@v2 with: GH_PAGES_BRANCH: gh-pages diff --git a/.gitignore b/.gitignore index 6447cea..c46a6e3 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /out /*.ninja* /builtins/safe-default-configuration.json +/builtins/safe-baseline-configuration-materialized.json diff --git a/builtins/event-handler-content-attributes.txt b/builtins/event-handler-content-attributes.txt new file mode 100644 index 0000000..af71ef7 --- /dev/null +++ b/builtins/event-handler-content-attributes.txt 
@@ -0,0 +1,89 @@
+// https://html.spec.whatwg.org/#ix-event-handlers
+onafterprint
+onauxclick
+onbeforeinput
+onbeforematch
+onbeforeprint
+onbeforeunload
+onbeforetoggle
+onblur
+oncancel
+oncanplay
+oncanplaythrough
+onchange
+onclick
+onclose
+oncontextlost
+oncontextmenu
+oncontextrestored
+oncopy
+oncuechange
+oncut
+ondblclick
+ondrag
+ondragend
+ondragenter
+ondragleave
+ondragover
+ondragstart
+ondrop
+ondurationchange
+onemptied
+onended
+onerror
+onfocus
+onformdata
+onhashchange
+oninput
+oninvalid
+onkeydown
+onkeypress
+onkeyup
+onlanguagechange
+onload
+onloadeddata
+onloadedmetadata
+onloadstart
+onmessage
+onmessageerror
+onmousedown
+onmouseenter
+onmouseleave
+onmousemove
+onmouseout
+onmouseover
+onmouseup
+onoffline
+ononline
+onpagehide
+onpagereveal
+onpageshow
+onpageswap
+onpaste
+onpause
+onplay
+onplaying
+onpopstate
+onprogress
+onratechange
+onreset
+onresize
+onrejectionhandled
+onscroll
+onscrollend
+onsecuritypolicyviolation
+onseeked
+onseeking
+onselect
+onslotchange
+onstalled
+onstorage
+onsubmit
+onsuspend
+ontimeupdate
+ontoggle
+onunhandledrejection
+onunload
+onvolumechange
+onwaiting
+onwheel
diff --git a/builtins/safe-baseline-configuration-materialized.json b/builtins/safe-baseline-configuration-materialized.json
new file mode 100644
index 0000000..e69de29
diff --git a/builtins/safe-baseline-configuration.json b/builtins/safe-baseline-configuration.json
index 410035f..2f6c8c1 100644
--- a/builtins/safe-baseline-configuration.json
+++ b/builtins/safe-baseline-configuration.json
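Review bot: The list added in `event-handler-content-attributes.txt` is narrower than the `removeAttributes` array that the next hunk (`safe-baseline-configuration.json`) deletes: names the old array carried, such as `onabort`, `onpointerdown`, `onanimationstart`, `ontouchstart`, `onfocusin` and `onbegin`, appear nowhere in the new file. The materialized configuration built from this file, and any implementation that treats it as the full list, would therefore leave those attributes in place. The new step in `index.bs` iterates over attributes "listed in" [=event handler content attributes=], and it is not clear from this commit whether that term covers handlers defined outside the HTML index the file is copied from. Either keep the dropped names in `removeAttributes`, or state the limit in the file header, e.g. `// Only handlers indexed by HTML; handlers defined by other specifications are not listed here.`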
@@ -4,144 +4,30 @@ "namespace": "http://www.w3.org/1999/xhtml", "name": "script" }, + { + "namespace": "http://www.w3.org/1999/xhtml", + "name": "frame" + }, + { + "namespace": "http://www.w3.org/1999/xhtml", + "name": "iframe" + }, + { + "namespace": "http://www.w3.org/1999/xhtml", + "name": "object" + }, + { + "namespace": "http://www.w3.org/1999/xhtml", + "name": "embed" + }, { "namespace": "http://www.w3.org/2000/svg", "name": "script" + }, + { + "namespace": "http://www.w3.org/2000/svg", + "name": "use" } ], - "removeAttributes": [ - "onabort", - "onactivate", - "onafterprint", - "onanimationend", - "onanimationiteration", - "onanimationstart", - "onauxclick", - "onbeforecopy", - "onbeforecut", - "onbeforeinput", - "onbeforepaste", - "onbeforeprint", - "onbeforetoggle", - "onbeforeunload", - "onbegin", - "onblur", - "oncancel", - "oncanplay", - "oncanplaythrough", - "onchange", - "onclick", - "onclose", - "oncontentvisibilityautostatechange", - "oncontextlost", - "oncontextmenu", - "oncontextrestored", - "oncopy", - "oncuechange", - "oncut", - "ondblclick", - "ondismiss", - "ondrag", - "ondragend", - "ondragenter", - "ondragleave", - "ondragover", - "ondragstart", - "ondrop", - "ondurationchange", - "onemptied", - "onend", - "onended", - "onerror", - "onfocus", - "onfocusin", - "onfocusout", - "onformdata", - "ongotpointercapture", - "onhashchange", - "oninput", - "oninvalid", - "onkeydown", - "onkeypress", - "onkeyup", - "onlanguagechange", - "onload", - "onloadeddata", - "onloadedmetadata", - "onloadstart", - "onlostpointercapture", - "onmessage", - "onmessageerror", - "onmousedown", - "onmouseenter", - "onmouseleave", - "onmousemove", - "onmouseout", - "onmouseover", - "onmouseup", - "onmousewheel", - "onmove", - "onoffline", - "ononline", - "onorientationchange", - "onoverscroll", - "onpagehide", - "onpageshow", - "onpaste", - "onpause", - "onplay", - "onplaying", - "onpointercancel", - "onpointerdown", - "onpointerenter", - "onpointerleave", - 
"onpointermove", - "onpointerout", - "onpointerover", - "onpointerrawupdate", - "onpointerup", - "onpopstate", - "onprogress", - "onratechange", - "onrepeat", - "onreset", - "onresize", - "onresolve", - "onscroll", - "onscrollend", - "onscrollsnapchange", - "onscrollsnapchanging", - "onsearch", - "onsecuritypolicyviolation", - "onseeked", - "onseeking", - "onselect", - "onselectionchange", - "onselectstart", - "onshow", - "onslotchange", - "onstalled", - "onstorage", - "onsubmit", - "onsuspend", - "ontimeupdate", - "ontimezonechange", - "ontoggle", - "ontouchcancel", - "ontouchend", - "ontouchmove", - "ontouchstart", - "ontransitionend", - "onunload", - "onvalidationstatuschange", - "onvolumechange", - "onwaiting", - "onwebkitanimationend", - "onwebkitanimationiteration", - "onwebkitanimationstart", - "onwebkitfullscreenchange", - "onwebkitfullscreenerror", - "onwebkittransitionend", - "onwheel" - ] + "removeAttributes": [] } diff --git a/builtins/safe-baseline-configuration.py b/builtins/safe-baseline-configuration.py new file mode 100644 index 0000000..452ecc4 --- /dev/null +++ b/builtins/safe-baseline-configuration.py 
@@ -0,0 +1,39 @@
+# Sanitizer API - Build configuration dictionary from text file.
+
+import json
+import argparse
+import sys
+
+def main():
+ parser = argparse.ArgumentParser()
+ parser.add_argument("--input", type=argparse.FileType('r'), required=True)
+ parser.add_argument("--event-handlers", type=argparse.FileType('r'),
+ required=True)
+ parser.add_argument("--out", type=argparse.FileType('w'), required=True)
+ args = parser.parse_args()
+
+ try:
+ config = json.load(args.input)
+ except BaseException as err:
+ parser.error("Cannot read from --input file.")
+
+ try:
+ events = args.event_handlers.read()
+ except BaseException as err:
+ parser.error("Cannot read from --event-handlers file.")
+
+ for event in events.split("\n"):
+ if not event:
+ continue
+ if event.startswith("//"):
+ continue
+ config["removeAttributes"].append(event)
+
+ try:
+ json.dump(config, args.out, indent=2)
+ except BaseException as err:
+ parser.error("Cannot write to --out file.")
+ return 0
+
+if __name__ == "__main__":
+ main()
diff --git a/index.bs b/index.bs
index 23c6ec1..7f7a5f0 100644
--- a/index.bs
+++ b/index.bs
@@ -22,6 +22,7 @@ Markup Shorthands: css off, markdown on spec:html; type:attribute; text: innerHTML spec:dom; type:method; text: createDocumentFragment spec:html; type:dfn; text: template contents +spec:infra; type:dfn; text: user agent
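Review bot: The loop that fills `removeAttributes` appends each line of the --event-handlers file verbatim, so a trailing space or a CRLF checkout would emit a name such as `onclick\r` (constructed example) that matches no real attribute, and the generated list would silently stop covering that handler. Iterating over `events.splitlines()` and applying `event = event.strip()` before the empty and `//` checks avoids that. The three `except BaseException as err:` clauses also catch `KeyboardInterrupt` and `SystemExit` and drop `err`; `except (OSError, ValueError) as err:` with the cause appended to the `parser.error(...)` message would keep the failure diagnosable. `config["removeAttributes"]` sits outside any `try`, so an input without that key ends in a bare `KeyError`, and `return 0` is discarded because the entry point calls `main()` rather than `sys.exit(main())`.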
 text: window.toStaticHTML(); type: method; url: https://msdn.microsoft.com/en-us/library/cc848922(v=vs.85).aspx
@@ -576,6 +577,8 @@ To remove unsafe from a |configuration|, do thi
 1. [=list/For each=] |attribute| in
    [=built-in safe baseline configuration=][{{SanitizerConfig/removeAttributes}}]:
     1. Call [=Sanitizer/remove an attribute=] with |attribute| and |result|.
+1. [=list/For each=] |attribute| listed in [=event handler content attributes=]:
+    1. Call [=Sanitizer/remove an attribute=] with |attribute| and |result|.
 1. Return |result|.
 
 
@@ -709,7 +712,7 @@ regard to order: [=superset=] of |B| and |B| is a [=superset=] of |A|. -## Defaults ## {#sanitization-defaults} +## Builtins ## {#sanitization-defaults} There are three builtins: @@ -725,13 +728,30 @@ highlight: json The built-in safe baseline configuration is meant to block only -script-content, and nothing else. It is as follows: +script-content. It is as follows:
 path: builtins/safe-baseline-configuration.json
 highlight: json
 
+
+ +Note: The [=remove unsafe=] algorithm specifies +to additionally remove any [=event handler content attributes=], as defined +in [[HTML]]. +If a [=user agent=] defines extensions to the [[HTML]] spec with additional +[=event handler content attributes=], it is its responsibility to decide how +to handle them. Using the current [=event handler content attributes=] list, +the safe baseline configuration looks effectively like so: + +
+path: builtins/safe-baseline-configuration-materialized.json
+highlight: json
+
+ +
+
The built-in navigating URL attributes list, for which "`javascript:`" navigations are "unsafe", are as follows: From d84fe5f1360b769a3ef5264692cd7b4afea2cc46 Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Wed, 8 Jan 2025 16:18:54 +0100 Subject: [PATCH 08/10] Fix pr-push-yml --- .github/workflows/pr-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-push.yml b/.github/workflows/pr-push.yml index 62a3028..8876c08 100644 --- a/.github/workflows/pr-push.yml +++ b/.github/workflows/pr-push.yml @@ -15,7 +15,7 @@ jobs: - name: Generate safe-default-configuration.json run: python builtins/safe-default-configuration.py --input builtins/safe-default-configuration.txt --out builtins/safe-default-configuration.json - name: Generate safe-baseline-configuration-materialized.json - run: python builtins/safe-baseline-configuration.py --input builtins/safe-baseline-configuration.txt --event-hanlders builtins/event-handler-content-attributes.txt --out builtins/safe-baseline-configuration-materialized.json + run: python builtins/safe-baseline-configuration.py --input builtins/safe-baseline-configuration.json --event-hanlders builtins/event-handler-content-attributes.txt --out builtins/safe-baseline-configuration-materialized.json - uses: w3c/spec-prod@v2 with: GH_PAGES_BRANCH: gh-pages From 74bfa58c2be97181185a5d16ce2f7f29485c2bed Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Wed, 8 Jan 2025 16:21:52 +0100 Subject: [PATCH 09/10] Fix pr-push-yml even harder. --- .github/workflows/pr-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-push.yml b/.github/workflows/pr-push.yml index 8876c08..8aa097d 100644 --- a/.github/workflows/pr-push.yml +++ b/.github/workflows/pr-push.yml 
@@ -15,7 +15,7 @@ jobs: - name: Generate safe-default-configuration.json run: python builtins/safe-default-configuration.py --input builtins/safe-default-configuration.txt --out builtins/safe-default-configuration.json - name: Generate safe-baseline-configuration-materialized.json - run: python builtins/safe-baseline-configuration.py --input builtins/safe-baseline-configuration.json --event-hanlders builtins/event-handler-content-attributes.txt --out builtins/safe-baseline-configuration-materialized.json + run: python builtins/safe-baseline-configuration.py --input builtins/safe-baseline-configuration.json --event-handlers builtins/event-handler-content-attributes.txt --out builtins/safe-baseline-configuration-materialized.json - uses: w3c/spec-prod@v2 with: GH_PAGES_BRANCH: gh-pages From 4f94295d742e22c740691f2ce9700891d1f6ab25 Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Mon, 13 Jan 2025 17:09:59 +0100 Subject: [PATCH 10/10] Turn note into warning/advisement. --- index.bs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 7f7a5f0..ca31e34 100644 --- a/index.bs +++ b/index.bs @@ -735,9 +735,10 @@ path: builtins/safe-baseline-configuration.json highlight: json -
+
+ -Note: The [=remove unsafe=] algorithm specifies +Warning: The [=remove unsafe=] algorithm specifies to additionally remove any [=event handler content attributes=], as defined in [[HTML]]. If a [=user agent=] defines extensions to the [[HTML]] spec with additional