Comments (4)
It would be plausible, and I can see that it would have a place.
On one hand... it's a whitelist, so this seems to be redundant.
On the other hand... this allows you to take rich policies and adapt them for you, and that's of value.
So long as the PR updated the ReadMe to communicate that the existence of Disallow* funcs are to support sharing of policies and that bluemonday remains a whitelist rather than a black list... then I would accept it.
from bluemonday.
> On the other hand... this allows you to take rich policies and adapt them for you, and that's of value.
Yep, but I'm not 100% sure it is valuable enough to offset the cost of maintaining extra code. 😕
I won't be able to look into this for a few weeks but will update you then. If you want to close this in the meantime feel free to. I just wanted to get your opinion before digging further.
from bluemonday.
I'm going to close this as a won't fix.
I'd happily take a PR for it, and that would only affect the policy.go and policy_test.go files as the construction of policy is separate to how the policy is applied... the policy object itself wouldn't have to change though for every Allow you'd need to add the corresponding Disallow.
from bluemonday.
SGTM. Sorry this has just sat here - I've been swamped lately and this is a very low priority for me.
from bluemonday.