feat(parseStyleAttributes): add option to skip style parsing [fix 547] #596

Merged
merged 6 commits into from Jan 24, 2023


@bertyhell (Contributor) commented Dec 17, 2022

This will fix #547

This PR introduces a new option:

options.parseStyleAttributes: boolean

By default set to true, to match the current behavior. But a user can set it to false, to skip parsing style tags.
This can avoid issues when the package is used in the browser.

  it('Should ignore styles when options.parseStyleAttributes is false', function() {
    assert.equal(
      sanitizeHtml('<span style=\'color: blue; text-align: justify\'></span>', {
        allowedTags: false,
        allowedAttributes: {
          span: [ 'style' ]
        },
        allowedStyles: {
          span: {
            color: [ /blue/ ],
            'text-align': [ /left/ ]
          }
        },
        parseStyleAttributes: false
      }), '<span style="color: blue; text-align: justify"></span>'
    );
  });

@bertyhell changed the title from "feat(parseStyleAttributes): add option to skip style parsing" to "feat(parseStyleAttributes): add option to skip style parsing [fix 547]" on Dec 17, 2022
@boutell (Member) commented Dec 19, 2022

Thanks. Does allowedStyles still do anything when parseStyleAttributes is false? Is it misleading to suggest anything is done to sanitize styles in the presence of this setting?

@bertyhell (Contributor Author) commented Dec 19, 2022

@boutell Good point, I added some extra text in the readme to make the user aware of this:

When you disable the parsing of the style attribute, the allowedStyles option is automatically ignored, and all styles will be allowed.

@boutell (Member) commented Dec 20, 2022

Good stuff. I think we also should throw an error when allowedStyles is configured in the presence of this setting. Just to be safe.

@bertyhell (Contributor Author)

@boutell fixed, when they are used together you get this error:

throw new Error('allowedStyles option cannot be used together with parseStyleAttributes: false.');
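
The consequence discussed in this thread, as an added example that is not part of the PR or of sanitize-html: a pre-flight check over an options object that reports where `style` will pass through unfiltered once `parseStyleAttributes` is `false`. The function names and sample configurations are hypothetical, and the check assumes the library's default `allowedAttributes` do not include `style`.

```javascript
// Added example, not sanitize-html source. Function names are hypothetical.

// True if one allowedAttributes entry (a name, a glob such as 'data-*',
// or a { name: ... } object) would let the style attribute through.
function entryAllowsStyle(entry) {
  const name = typeof entry === 'string' ? entry : entry && entry.name;
  if (typeof name !== 'string') return false;
  const pattern = name
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp(`^${pattern}$`).test('style');
}

// Returns findings for an options object; an empty array means no issue.
function auditStyleOptions(options) {
  const findings = [];
  // Per the PR, parseStyleAttributes defaults to true (styles are parsed).
  if (options.parseStyleAttributes !== false) return findings;
  if (options.allowedStyles) {
    findings.push('allowedStyles cannot be combined with parseStyleAttributes: false');
  }
  const attrs = options.allowedAttributes;
  if (attrs === false) {
    findings.push('allowedAttributes: false lets every style attribute through unfiltered');
    return findings;
  }
  // Assumption: when allowedAttributes is omitted, the defaults do not allow style.
  for (const [tag, list] of Object.entries(attrs || {})) {
    if (Array.isArray(list) && list.some(entryAllowsStyle)) {
      findings.push(`style on <${tag}> passes through unfiltered`);
    }
  }
  return findings;
}

// Constructed sample configurations.
const prDescriptionConfig = {
  allowedTags: false,
  allowedAttributes: { span: ['style'] },
  allowedStyles: { span: { color: [/blue/], 'text-align': [/left/] } },
  parseStyleAttributes: false
};
const browserConfig = {
  allowedAttributes: { '*': ['data-*'], p: [{ name: 'style' }] },
  parseStyleAttributes: false
};

console.log(auditStyleOptions(prDescriptionConfig));
console.log(auditStyleOptions(browserConfig));
```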

@bertyhell (Contributor Author)

@boutell fixed

@boutell (Member) left a comment


Thanks. We're down to README tweaks now...

@bertyhell (Contributor Author)

@boutell fixed

@boutell boutell merged commit 84f895f into apostrophecms:main Jan 24, 2023
@boutell (Member) commented Jan 24, 2023

Thanks!

Successfully merging this pull request may close these issues.

styles are always removed in browser