amp-script: Allow removal of attributes #23245

Merged

@dreamofabear dreamofabear commented Jul 9, 2019

Partial for #23156.

  • Allow removal of attributes early since DOMPurify.isValidAttribute expects non-null values.
  • Add warning for sanitized form elements without [sandbox=allow-forms].
  • Remove special-case for WHITELISTED_ATTRS in validateAttributeChange() since I didn't realize those are already covered by the DOMPurify config.

@dreamofabear
Author

/to @jridgewell

@dreamofabear
Author

Friendly ping.

src/purifier.js Outdated
@@ -390,17 +390,22 @@ export function validateAttributeChange(purifier, node, attr, value) {
if (whitelist) {
const {attribute, values} = whitelist;
if (attribute === attr) {
if (value == null || !values.includes(value)) {
if (value === null || !values.includes(value)) {
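
Review bot: In the whitelist branch, `value === null` no longer matches `undefined` the way `value == null` did, so an `undefined` value falls through to `values.includes(value)` and the outcome then depends on the contents of the whitelist array rather than on the explicit guard. If `value` is only ever a string or null, say so in the JSDoc for `validateAttributeChange`; otherwise keep the loose `== null` comparison so that both cases are handled by the guard itself.
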
Contributor

Do we know the value can't be undefined?

Author

Yea, the TS interface uses string | null. Maybe it's better to be defensive than readable here though.

@dreamofabear dreamofabear merged commit 53730b2 into ampproject:master Jul 18, 2019
@dreamofabear dreamofabear deleted the script-allow-remove-attrs branch July 18, 2019 17:13
rindo pushed a commit to logly/amphtml that referenced this pull request Jul 24, 2019
* Allow removal of attributes.

* Flipped a condition.

* == instead of ===.
thekorn pushed a commit to edelight/amphtml that referenced this pull request Sep 11, 2019
* Allow removal of attributes.

* Flipped a condition.

* == instead of ===.
3 participants