Need to sanitize HTML #5
Comments
|
I would recommend dumping the whole lot into a srcdoc element of a full size iframe with the sandbox attribute applied. This will prevent script execution and maintain visual fidelity of messages. The downside is you loose support for browsers that don't support srcdoc & sandbox. |
|
I need to keep IE compatibility, so it looks like srcdoc is out. But sandbox is supported by IE 10, so we could potentially use an iframe. There's still the issue of resolving embedded MIME resources in HTML, so some sort of processing needs to be done eventually. |
|
Right now it's looking like bluemonday is the best option: https://github.com/microcosm-cc/bluemonday Unfortunately it doesn't allow any CSS with it's default policy; if you tune it to allow styles, they will not be stripped of XSS. |
|
Delaying sanitization until 1.3. 1.2.0 has enough new stuff in it, and nobody is asking for this. |
|
26c38b1 uses bluemonday and provides a basic tabbed UI |
Inbucket presently makes no effort to sanitize HTML message bodies before displaying them. Research needs to be done on best practices, if we go overboard stripping things out it will reduce the usefulness of Inbucket for developers.
The text was updated successfully, but these errors were encountered: