The sanitization method changes the tag structure if there is a <table> tag inside an <a> tag. #155
Comments
Hi, thanks for asking this question. As you diagnosed, you're seeing the behavior of the HTML4 parser used by Nokogiri (libxml2).

```ruby
require "nokogiri"

Nokogiri::HTML4::DocumentFragment.parse('<a href="https://example.com"><table>test</table></a>').to_html
# => "<a href=\"https://example.com\"></a><table>test</table>"
Nokogiri::HTML5::DocumentFragment.parse('<a href="https://example.com"><table>test</table></a>').to_html
# => "<a href=\"https://example.com\">test<table></table></a>"
```

Nokogiri just wraps the parser, and so there's nothing we can easily do to change this behavior. Upgrading the full stack of rails-html-sanitizer, Loofah, and Nokogiri to support HTML5 has been a long road. Loofah was just this week released with HTML5 support, and now I'm working on updating I just closed (this morning) the previous PR #133 which was an exploration of behavioral differences, because I'm very close to shipping a new PR with the necessary API and code changes. Hang tight!

See #158 for the latest on HTML5 support. On that branch:

```ruby
require "rails-html-sanitizer"

Rails::Html::SafeListSanitizer.new.sanitize('<a href="https://example.com"><table>test</table></a>', tags: %w(a table), attributes: %w(href))
# => "<a href=\"https://example.com\"></a><table>test</table>"
Rails::HTML5::SafeListSanitizer.new.sanitize('<a href="https://example.com"><table>test</table></a>', tags: %w(a table), attributes: %w(href))
# => "<a href=\"https://example.com\">test<table></table></a>"
```

Thank you for your comment.

Description
In the sanitize method, if there is <table> tag inside <a> tag, the result will be different than expected.

Steps to Reproduce
No problem case
Problem case
I would expect <a href=\"https://example.com\"><table>test</table></a> response.
But it may be a problem with the behavior of libxml2 (Nokogiri's HTML4 parser)....
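
A regression check for the re-parenting quoted in the comments above, as an added example that is not code from rails-html-sanitizer, Loofah or Nokogiri: it compares element nesting in the input with the two sanitizer outputs reported in this issue. The helper names `outline` and `structure_diff` are hypothetical, and the tokenizer assumes simple, well-formed markup.

```ruby
# Added example, not part of rails-html-sanitizer, Loofah or Nokogiri.
# Assumption: the markup is simple and well formed (no comments, void
# elements, or ">" inside attribute values). This is a test helper, not an
# HTML parser.

# Lists every node as a slash-joined ancestor path, in document order.
def outline(html)
  stack = []
  nodes = []
  html.scan(%r{<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>|([^<]+)}) do |closing, tag, text|
    if text
      # Text node: record it under the currently open elements.
      nodes << (stack + ['#text']).join('/') unless text.strip.empty?
    elsif closing.empty?
      # Opening tag: descend and record the element itself.
      stack.push(tag.downcase)
      nodes << stack.join('/')
    else
      # Closing tag: go back up one level.
      stack.pop
    end
  end
  nodes
end

# Returns the paths present on only one side, so a test can fail with a
# readable message when the parser re-parented a node.
def structure_diff(input, output)
  before = outline(input)
  after = outline(output)
  { lost: before - after, gained: after - before }
end

# Strings quoted in this issue: the input and the two reported outputs.
INPUT = '<a href="https://example.com"><table>test</table></a>'
HTML4_OUT = '<a href="https://example.com"></a><table>test</table>'
HTML5_OUT = '<a href="https://example.com">test<table></table></a>'

if __FILE__ == $PROGRAM_NAME
  p structure_diff(INPUT, HTML4_OUT) # table moved out of the link
  p structure_diff(INPUT, HTML5_OUT) # text moved out of the table
  p structure_diff(INPUT, INPUT)     # no change
end
```

In a test suite, pass the sanitizer's actual return value as `output` and assert that both `:lost` and `:gained` are empty when every tag in the fixture is on the allow list.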