Giter Site home page Giter Site logo

Comments (6)

buro9 avatar buro9 commented on May 17, 2024 1

Merged, thanks for the great addition.

from bluemonday.

gerad avatar gerad commented on May 17, 2024

Nothing is ever as easy as it seems. There's no package manager in the project, I'll have to bring one in. Hopefully there are no objections to https://github.com/golang/dep

from bluemonday.

buro9 avatar buro9 commented on May 17, 2024

I'm going to put some thought into what the interface for a fully integrated CSS sanitizer might be.

This may take me a while as I'm flying around a bit right now, but should have a proposal within a couple of weeks.

It will likely follow the implementation style of the proposal PR you had, but allow for full configurability of a policy for CSS on a per entity/tag basis.

from bluemonday.

pauln avatar pauln commented on May 17, 2024

Have you made any progress on your proposal for CSS sanitising, @buro9? Even a basic level of CSS support (for style attributes, as per @gerad's proposal) would help tremendously.

from bluemonday.

StevenGutzwiller avatar StevenGutzwiller commented on May 17, 2024

@buro9 My team currently uses bluemonday for sanitizing inserted html styled with css, and we would like to make changes to fix this issue.

Currently I think it makes sense for the API to add something along the lines of the following:

AllowStyles(string[])-allows all listed style properties

Matching(regex) adds handler to style that checks if it matches regex

MatchingEnum(...string) adds handler to style that checks if it matches list of enums

MatchingHandler(function(string)bool) adds handler to style that takes in string representing the
property value and returns if it is valid

Globally() adds style policy to all elements

OnElements(...string) add style to specified elements

I was thinking each CSS3 property could have a default handler that prevents all/most values that can be overwritten with MatchingHandler().

This doesn't prevent security issues, but the user would have to specifically whitelist styles and override the default handler in order to cause issues.

How does this sound to you?

from bluemonday.

buro9 avatar buro9 commented on May 17, 2024

That sounds like a really good API for this. I'd approve and merge PRs that followed that API.

from bluemonday.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.