Comments (7)
@wsrast It was mainly to avoid embedded URLs within the style
attribute, like background
URLs, from automatically requesting. I'd have to dig/research into it again to see whether it's still an issue.
Mainly stuff like this: https://stackoverflow.com/questions/4546591/xss-attacks-and-style-attributes
from interweave.
So <!-- /react-text -->
and other similar markup is something that React does, not Interweave. The class names however are something that Interweave does, but removing those may be tricky.
I think your best bet is to parse the HTML yourself after Interweave does, and sanitize anything you don't want.
from interweave.
Got it. I will handle that somehow. I have another issue I opened on Stackoverflow.
Colors are not showing up. background color or text color are getting lost. Does anyone know of a default filter that turns them off or anyway I can turn oncolored text
I have created a function that I can pass text into that I want to display as rich text. I read in the readMe that some tags will never be displayed."The following tags and their children will never be rendered, even when the whitelist is disabled.applet, canvas, embed, frame, frameset, iframe, object, script, style"Does this mean that it is impossible to display text color or back color with Interweave?
This also breaks underline because of not displaying styles.
<span style=\"text-decoration: underline;\">this </span>
Here is an example of what I am trying to do:
static createRichTextElement(text){ return( <Interweave disableFilters content={"<p><strong>bold</strong></p><p><em>italic</em></p><p><span style='color: rgb(215, 30, 15);'>red color</span></p><p></p>"}/> ); }
Any ideas?
from interweave.
Only a very small subset of attributes are supported: https://github.com/milesj/interweave/blob/master/packages/interweave/src/constants.js#L224 The style
tag is definitely not supported, and most likely will not be.
If you really need full control, you may just have to fork the project.
from interweave.
@milesj Is this blacklisting of the inline style attribute due to a specific security vulnerability? I've seen some vulnerabilities in older versions of IE alluded to, but nothing past IE8. Have any links to OWASP or another related site to explain the issue? We'd rather not open up a security vulnerability if we can help it, but our Kendo UI Editor control makes broad use of inline styles.
from interweave.
@milesj Thanks for that link. There's some good attack vectors there that we can look at while we evaluate a solution.
from interweave.
@milesj do you consider whitelisting the style attribute now ? Would love to be able to use it.
from interweave.
Related Issues (20)
- Is there any way to match html based on an elements class attribute? HOT 2
- Youtube embed video with the iframe is not loading the video on the browser. HOT 4
- Interweave: Missing emoji source data. HOT 19
- Transform Docs Update Suggestions
- Cannot resolve interweave HOT 1
- import error HOT 1
- Certain HTML attributes such as tabindex is not supported HOT 2
- Version 13.1.0 is missing from the CHANGELOG.md
- React JSX Support HOT 2
- SSR Hydration issue when email (text) is present in html content
- SSR Hydration issue when email (text) is present in html content
- Html content are wrapping with span element as parent element HOT 4
- ID attribute is not working HOT 7
- colons in hash part break links HOT 1
- why interweave transform attributes to lowercase? HOT 5
- Add Tailwind classes in my html content HOT 1
- React error when transforming HOT 2
- 'Interweave' cannot be used as a JSX component. HOT 1
- Broken emoji PNG-s in emoji-picker
- Performance significantly drops for nested HTML HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from interweave.