Newlines in styles result in invalid html #237
Comments
Hi! I'm not the maintainer, but I'm another user of @rgrove's tools Sanitize and Crass and wanted to ask a couple of clarifying questions ...
BootstrapEmail raised a 500 error with this code. Now, it could be that this issue technically lies with them. When I ran the code through the W3C CSS validator
Maybe I misunderstand the purpose of sanitize, I've always thought it was to ensure both valid and safe data, which is why the following example returns valid html. Or do you mean that it shouldn't and there should be a linter needed as well?

```ruby
Sanitize.fragment("<div>text", Sanitize::Config::RELAXED)
# => "<div>text</div>"
```
Hi @allard! As @flavorjones mentioned, newlines are valid in HTML
It sounds like BootstrapEmail may not handle this case correctly, but it's great that you were able to work around that problem by creating a custom transformer (that's exactly what transformers are for!).
Sanitize isn't a validator or linter and can't guarantee valid output. But you're correct that Sanitize does aim to guarantee safe output according to the config that's used. The HTML parsing standard specifies certain rules for parsing HTML that can result in invalid HTML being "fixed" by the parser, and when that parsed HTML is then serialized and returned by Sanitize, this can give the impression that Sanitize is acting as a validator. But Sanitize itself doesn't perform any validation, and the only changes it makes to HTML or CSS are changes that are intended to make it safe.
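An added illustration of the transformer approach mentioned in the comment above; it is not the reporter's transformer (which is not shown on this page) and not code from the Sanitize project. It collapses line breaks inside `style` attributes before a downstream consumer sees them. The names `collapse_style_newlines` and `COLLAPSE_STYLE_NEWLINES` are made up for this example.

```ruby
# Added example: normalise line breaks in inline styles with a Sanitize transformer.
# Sanitize calls each transformer with an env hash; env[:node] is the Nokogiri node.

# Replace every run of CR/LF (and the whitespace around it) with a single space.
# Assumption: the value contains no backslash-newline continuation inside a
# CSS string, where a line break is significant rather than plain whitespace.
def collapse_style_newlines(css)
  css.gsub(/\s*[\r\n]+\s*/, ' ').strip
end

COLLAPSE_STYLE_NEWLINES = lambda do |env|
  node = env[:node]

  # Only elements carry attributes; skip text and comment nodes.
  return if node.respond_to?(:element?) && !node.element?

  style = node['style']
  return if style.nil? || style !~ /[\r\n]/

  node['style'] = collapse_style_newlines(style)
  nil # nothing is added to the allowlist; the normal Sanitize rules still apply
end

# Wiring it into a config (requires the sanitize gem, so left as a comment):
#
#   config = Sanitize::Config.merge(
#     Sanitize::Config::RELAXED,
#     transformers: [COLLAPSE_STYLE_NEWLINES]
#   )
#   Sanitize.fragment(user_html, config)
```

The transformer only rewrites whitespace in the attribute value; which CSS properties survive is still decided by the Sanitize config in use.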
I recently had an issue where user input html had a newline in an inline style. This passed through sanitize with the newline still there and later resulted in invalid parsing through BootstrapEmail. I've solved it with a transformer but feel that this should probably be included in the standard sanitizing.
Issue:
Fix: