-
|
Is there a way to blacklist some attributes (like I can see a whiteList with |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 1 reply
-
|
I think it is the other way around: there are too many attributes out there that can embed JavaScript, etc. for a "forbidden list" to ever really be safe. Or it could be safe for a day and then a new attribute pops up in some browsers. Always use an allowed list. |
Beta Was this translation helpful? Give feedback.
-
|
Right, but my concern is not really about safety here : even thoughI am indeed using the lib mostly for safety, I also happen to want to prevent |
Beta Was this translation helpful? Give feedback.
-
|
I see your point. When combined with an allow list, a forbid list is useful.
That would make a good PR.
…On Wed, Dec 7, 2022 at 5:07 PM Matthieu Larcher ***@***.***> wrote:
Right, but my concern is not really about safety here : even thoughI am
indeed using the lib mostly for safety, I also happen to want to prevent
style attribute in the provided html.
Why wouldn't sanitize-html provide this kind of feature, considering it
already does most of the job ? I can't find any lib that would handle that
use case reliably, so I'd be very interested by a way to do so with
sanitiz-html, be it with a custom filter of sorts. Anything possible in
that area ?
—
Reply to this email directly, view it on GitHub
<#587 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAH27J7SKGZADIKZRRSBDTWMEDCZANCNFSM6AAAAAASWUROME>
.
You are receiving this because you commented.Message ID:
***@***.***
com>
--
THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER
APOSTROPHECMS | apostrophecms.com | he/him/his
|
Beta Was this translation helpful? Give feedback.
I think it is the other way around: there are too many attributes out there that can embed JavaScript, etc. for a "forbidden list" to ever really be safe. Or it could be safe for a day and then a new attribute pops up in some browsers. Always use an allowed list.