How can I whitelist tag attributes in the xss validator? The docs say:
{ 'tagName': 'attr-1', 'attr-2' }
But this would be invalid TypeScript. I guess you meant to use an array?
{ 'tagName': ['attr-1', 'attr-2'] }
If yes, then it doesn't work for me: whiteList: { a: ['href', 'target', 'rel'] }. I can whitelist tags like strong but I can't whitelist a tag with attributes. Maybe it is a bug also.
Thanks for reporting this issue. The XSS validator uses the xss js package so it could be an upstream issue. As you suggest, I think there is also an issue in the documentation that should be fixed.
Can you reproduce? Maybe it is an upstream issue, it doesn't work like this: whiteList: { strong, a: ['href', 'target', 'rel'] } -> Usage of <strong> is ok, <a href="#">abc</a> not.
Maybe because the json arrives like this? <a href=\"#\">abc</a>
Also, these xss validation things are very, very hard to debug because there is no console log output why a request has been blocked.
Yes, I can reproduce and I think it is related to #206
When I passed this string with your whitelist xss validation configuration I got:
{text: '<a href="'}
I think the issue is not related to whitelisting not working but rather to the fact that the underlying package escapes the > character, which results in an error for you.
Would you be interested in contributing to the project with a PoC of something that could fix this problem? :)