Add option to escape non-whitelisted elements instead of stripping them #1
Comments
Turns out this is likely to be quite a bit more complicated to implement than I originally thought, unless we escape the tag and all of its contents, regardless of whether the contents include legal tags. This is going to take some more thought.
+1 .. my example is simpler: clean("a < b") ==> "a < b"
Added an :escape_only config setting. If set to true, Sanitize will escape non-whitelisted elements and their contents instead of removing them. Closed by 5bbd6d3. Not a perfect solution, but it's the best that can be done without adding unwarranted complexity.
Looks like this feature was removed in 122c29f. How come?
Basically for the reason described above. Escaping an element means you must also escape all its children, even if some of them would otherwise be whitelisted. In many cases, double-escaping can result as well. So far I haven't found a solution I'm happy with, and I'd rather have no feature than a buggy feature.
Feature request from Ævar Arnfjörð Bjarmason:
We should implement a setting to make the stripping optional.
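The behaviour discussed in the comments above (an escaped element takes its whitelisted children with it, and entities already in its text get double-escaped), as an added Ruby example that is not Sanitize's code. `escape_disallowed` and its regex tokenizer are hypothetical and assume a well-formed fragment.

```ruby
require 'cgi'

# Constructed toy model, not Sanitize's code. Assumes a well-formed fragment:
# no comments, no void elements such as <br>, no ">" inside attribute values.
# Attributes on allowed tags are passed through unfiltered to keep it short.
TOKEN = %r{<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>|[^<]+|<}

# Escape every element whose name is not in +allowed+, along with its
# whole subtree, and return the resulting HTML string.
def escape_disallowed(html, allowed)
  out = +''
  depth = 0 # number of open elements inside an escaped subtree
  html.scan(TOKEN) do
    raw = Regexp.last_match(0)
    closing = Regexp.last_match(1) == '/'
    name = Regexp.last_match(2)&.downcase

    if name.nil?
      # Text or a stray "<". Inside an escaped subtree the source text is
      # escaped again, so an existing "&lt;" becomes "&amp;lt;".
      out << (depth.zero? && raw != '<' ? raw : CGI.escapeHTML(raw))
    elsif depth.positive?
      # Any tag inside an escaped subtree is escaped, allowed or not.
      out << CGI.escapeHTML(raw)
      depth += closing ? -1 : 1
    elsif allowed.include?(name)
      out << raw
    else
      # A disallowed opening tag starts an escaped subtree.
      out << CGI.escapeHTML(raw)
      depth = 1 unless closing
    end
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: <b> is allowed, <div> is not.
  puts escape_disallowed('<div>hi <b>bold</b></div>', ['b'])
  puts escape_disallowed('<div>a &lt; b</div>', ['b'])
end
```

In the first input the allowed `<b>` comes out as inert text because its parent was escaped; in the second the existing `&lt;` is escaped a second time.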