I wanted to check this before submitting a pull request: at the moment, if you use KEEP_CONTENT, the tag has to match a whitelist for its contents to be kept. This is not necessary for security, since the contents are still sanitised just like any other content in the page, and it is annoying if you are sanitising random HTML from sources which may use arbitrary non-standard tags to wrap bits of content (resulting in chunks being stripped by the sanitiser).
I suggest changing the CONTENT_TAGS whitelist to a FORBID_CONTENTS blacklist; the blacklist is not needed for security, but we do want to remove the contents of script tags and perhaps a few others by default, since we know they are not designed to have user-visible content.
Anyone have a problem with this/see a security flaw I've missed? If not, I'll submit a pull request.
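As an added illustration of the two policies being compared in this issue (not DOMPurify's own code and not part of the original thread): a toy sanitiser model with a tag allowlist, a KEEP_CONTENT switch, and either a CONTENT_TAGS whitelist or a FORBID_CONTENTS blacklist deciding whether the children of a disallowed tag survive. The tag sets, the `custom-wrap` element and the sample markup are constructed for the example; the tokeniser only handles simple, well-formed markup and discards attributes, which a real sanitiser would filter instead.

```javascript
// Added example: a toy model of the two content-retention policies discussed
// in the issue. It is NOT DOMPurify's code and does not parse real HTML; it
// only tokenises simple, well-formed markup so the effect of each policy on
// the surviving text can be seen. All tag lists below are constructed.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'a']);
const VOID_TAGS = new Set(['br', 'hr', 'img', 'input']); // never have children

// Policy A (current behaviour): the content of a disallowed tag survives only
// if the tag is on this whitelist.
const CONTENT_TAGS = new Set(['span', 'div', 'font']);

// Policy B (proposed): the content of a disallowed tag survives unless the tag
// is on this blacklist of elements whose children are never visible text.
const FORBID_CONTENTS = new Set(['script', 'style', 'template', 'noscript']);

// Split markup into open/close tag tokens and text runs.
function tokenize(html) {
  const tokens = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m.index > last) tokens.push({ type: 'text', value: html.slice(last, m.index) });
    tokens.push({ type: m[1] ? 'close' : 'open', name: m[2].toLowerCase() });
    last = tagRe.lastIndex;
  }
  if (last < html.length) tokens.push({ type: 'text', value: html.slice(last) });
  return tokens;
}

// mode: 'whitelist' (CONTENT_TAGS) or 'blacklist' (FORBID_CONTENTS).
function sanitize(html, { keepContent = true, mode = 'whitelist' } = {}) {
  const contentSurvives = (name) =>
    keepContent && (mode === 'whitelist' ? CONTENT_TAGS.has(name) : !FORBID_CONTENTS.has(name));
  let out = '';
  let dropDepth = 0; // > 0 while inside a disallowed tag whose content is being removed
  for (const t of tokenize(html)) {
    if (t.type === 'text') {
      // Text is kept only outside a dropped region; stray '<' is neutralised.
      if (dropDepth === 0) out += t.value.replace(/</g, '&lt;');
      continue;
    }
    if (ALLOWED_TAGS.has(t.name)) {
      // Attributes are discarded in this toy; a real sanitiser filters them.
      if (dropDepth === 0) out += t.type === 'open' ? `<${t.name}>` : `</${t.name}>`;
      continue;
    }
    // Disallowed tag: the tag itself never survives; decide about its children.
    if (VOID_TAGS.has(t.name) || contentSurvives(t.name)) continue;
    if (t.type === 'open') dropDepth += 1;
    else if (dropDepth > 0) dropDepth -= 1;
  }
  return out;
}

// Constructed sample: a non-standard wrapper around visible text, plus a script
// element whose body must never be kept under either policy.
const SAMPLE =
  '<p>Hi <custom-wrap>there</custom-wrap>, <b>friend</b><script>alert(1)</script><span>ok</span></p>';

// Run the same input through the current policy, the proposed one, and KEEP_CONTENT off.
function compare(html = SAMPLE) {
  return {
    whitelist: sanitize(html, { mode: 'whitelist' }),
    blacklist: sanitize(html, { mode: 'blacklist' }),
    noKeep: sanitize(html, { keepContent: false }),
  };
}

console.log(compare());
```

Under the whitelist the text inside `custom-wrap` is lost because the unknown tag is not on CONTENT_TAGS, which is the complaint in the issue; under the blacklist that text survives while the script body is still removed, and with KEEP_CONTENT off both are removed. The point the post makes is visible here: the tag-level allowlist and the text handling are unchanged across modes, so the choice between the two lists only affects which visible text is retained.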
I don't see a problem in terms of security. It might however break existing implementations so we need to document the change carefully with the next release.