allow custom scrubbers to leverage the HTML5lib scrubbing already written #14
Comments
I'm trying to find a good way to add to the whitelist attributes right now and am coming up empty on a straightforward way to monkeypatch. I just want to add a single element, but it seems excessively hard given the way that whitelist.rb declares the constants and then digests them permanently via the method in whitelist.rb, such that I can't even seem to monkeypatch it.
I hear you! I'll be working on Loofah a bit over the next couple of weeks, and this will be one of the things I'll work on.
FWIW, I did figure out how to monkeypatch it. Just add a new key/value to the HashedWhitelist. But of course it's always a tad nicer when one doesn't need to monkeypatch.
Any thoughts or progress on this? I need to add and remove some whitelist attributes.
Just released 1.0.0; this is probably my next priority. Any thoughts on what you think the API should look like to control whitelists?
I have some almost complete work I've been doing on a whitelist for elements and attributes, just FYI (the use case of valid with nested invalid with nested valid is broken still): https://github.com/bf4/Notes/blob/master/code/ruby/html_processing.rb When it's ready for a pull request, I'll do that. In the meantime, just an FYI.
It's worth noting that I've got a branch somewhere that I started, which implements a Rails-internals-compatible implementation of whitelists. This is so that, at some point, Loofah may be a pluggable sanitizer for any Rails app. I should probably finish that up. ;)
I still need to write a pull request, but the WhitelistTagScrubber really does work: https://github.com/bf4/Notes/blob/loofah-testing/code/ruby/html_processing.rb
Curious, anything new on this issue? What's the current way of handling custom scrubbers? The solutions here seem a bit laborious (relative to how Sanitize handles custom configs).
👍 Completely agree with @abitdodgy. Just take a look at how simple and straightforward this DSL is: https://github.com/rgrove/sanitize/blob/master/lib/sanitize/config/relaxed.rb Having a means of being able to process something like that, and perhaps even having additional regexes on attribute values such as background src image, etc., would be a big win. I would just use Sanitize, but seeing as this is getting merged in Rails 4.2, I thought it would be a useful addition.
+1, would really like this feature. |
+1 too, 12 years later 🙁 |
@jemminger Please consider using https://github.com/rgrove/sanitize for a customizable sanitizer |
We found that using Rails' HTML sanitizer does more than we want the Richtext sanitization to do: It does not just remove nodes that are not in the safelist, it also escapes some markup (especially in links). This introduces a custom Loofah "scrubber" that only cares about the element safelist. The `sanitized_body` attribute is not for escaping at the view layer, where all these safety precautions are necessary, but just for making sure admins don't use iframes when we don't want to. See the following related issues and commits: rails/rails-html-sanitizer@f3ba1a8 sparklemotion/nokogiri#3104 sparklemotion/nokogiri#969 (comment) flavorjones/loofah#14 (comment)
A couple of commonly requested features: