How do I only allow tagged html

[ViteOrder]

I'm sanitizing SEO tags, and want to only allow meta tags.

So I use these options

{
  allowedTags: ['meta'],
  allowedAttributes: {
    meta: ['*']
  },
}

This prevents all other tags from being used, but it doesnt prevent untagged text. So, if a user sent a string of text, it would be rendered on the page.

How do I fix this?

[BoDonkey]

I'm confused. Can you provide an example where you show user input, expected behavior, and actual behavior?

[boutell]

It sounds like you want to discard the text of tags that are not allowed, as opposed to just stripping the tags themselves. Normally in HTML sanitization it makes more sense to just strip the tags because this preserves as much user content as is allowed. Also, what should happen to an allowed tag inside a disallowed tag?

In principle an option to completely discard the content of a disallowed tag is possible, but we should think about whether it makes sense.

Perhaps what you really want is to be able to list specific tags that should be discarded along with their contents. While others would be tolerated, for instance if you don't want people using the <b> tag that usually doesn't mean you want the text inside to be deleted.

[boutell]

You might also look at the existing transform options.

[ViteOrder]

I'm confused. Can you provide an example where you show user input, expected behavior, and actual behavior?

A user sends this as their SEO tags

<title>My post</title>
<meta name="description" content="A post about a thing">

The title tag isnt allowed, so it gets sanitized to this

My post
<meta name="description" content="A post about a thing">

which gets rendered visually as text

Doing what @boutell was talking about would keep people from accidentally doing this, but wouldn't stop them from doing it on purpose

[boutell]

This is an edge case, in that I can think of few other situations that call for it, but it is certainly a valid HTML-related edge case; a pull request for an option to *completely* discard disallowed tags with all of their contents would be fine as long as it comes with unit tests.

…

On Fri, Feb 2, 2024 at 3:54 PM ViteOrder ***@***.***> wrote: I'm confused. Can you provide an example where you show user input, expected behavior, and actual behavior? A user sends this as their SEO tags <title>My post</title> <meta name="description" content="A post about a thing"> The title tag isnt allowed, so it gets sanitized to this My post <meta name="description" content="A post about a thing"> which gets rendered visually as text image.png (view on web) <https://github.com/apostrophecms/sanitize-html/assets/116770019/060c0b6c-5690-48b2-8792-17c14891702e> Doing what @boutell <https://github.com/boutell> was talking about would keep people from accidentally doing this, but wouldn't stop them from doing it on purpose — Reply to this email directly, view it on GitHub <#645 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAH27JHDILUCWAWAZZJGYTYRVG7RAVCNFSM6AAAAABCVZC3MCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMRUGY4DGMBRG4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his

[ViteOrder]

Found a solution that works for me. It's a bit silly but ¯\_(ツ)_/¯

body {
  font-size:0;
}
body > * {
  font-size:1rem;
}

[gkumar9891]

@ViteOrder you can use this to remove text for disallowed tags

{
   allowedTags: ['meta'],
   allowedAttributes: {
     meta: ['*']
   },
   disallowedTagsMode: 'completelyDiscard'
}