Consider allowing class on code tag in basic_html #9
Scrubbing with basic_html works great as a sanitisation pass after converting markdown. There's one issue.

Markdown parsers that allow for GitHub flavoured markdown will add a class to the `<code>` tag with the language name. Currently that class is removed (as are all class attributes). I understand the intent of removing all attributes, but it makes the scrubber unwieldy for working with markdown and requires implementing a custom module.

Comments

Agree. 👍 My first gut reaction would be to implement a Markdown sanitizer rather than changing the BasicHTML sanitizer's behaviour. WDYT?

Oh, a special markdown sanitizer sounds like a great idea!

@michalmuskala Sorry for not responding here. In my defense, there was this "ElixirConf" going on that occupied my mind 😁 I created a possible iteration of this here. One thing I noticed: Should we allow @ericmj We talked about this briefly in Florida. Any input from you is highly appreciated! 👍

Only allowing target="_blank" makes sense.

If allowing target="_blank" you should also allow rel="noopener" and/or rel="noreferrer" to prevent information leakage and window.opener freakery...

@aphillipo That's a valid point!

I just released This was tested on elixirstatus.com for the last two weeks by depending on
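The two points raised in this thread, keeping the class attribute on code so GFM language names survive, and allowing target="_blank" on links only alongside a rel of noopener or noreferrer, as an added example of a dedicated markdown scrubber module. This is not the project's own scrubber: it assumes the HtmlSanitizeEx.Scrubber.Meta macros (remove_cdata_sections_before_scrub, strip_comments, allow_tag_with_uri_attributes, allow_tag_with_these_attributes, allow_tag_with_this_attribute_values, strip_everything_not_covered) and HtmlSanitizeEx.Scrubber.scrub/2 as exposed by html_sanitize_ex; the module names MyApp.MarkdownScrubber and MyApp.Markdown are hypothetical, and the input HTML is constructed.

```elixir
defmodule MyApp.MarkdownScrubber do
  # Hypothetical module name; added example, not the library's own scrubber.
  require HtmlSanitizeEx.Scrubber.Meta
  alias HtmlSanitizeEx.Scrubber.Meta

  # Only these URI schemes survive in href; anything else (javascript:, data:) is dropped.
  @valid_schemes ["http", "https", "mailto"]

  Meta.remove_cdata_sections_before_scrub()
  Meta.strip_comments()

  # Links: href restricted by scheme, target limited to the single value "_blank",
  # rel limited to the values that sever window.opener for the opened page.
  Meta.allow_tag_with_uri_attributes("a", ["href"], @valid_schemes)
  Meta.allow_tag_with_these_attributes("a", ["name", "title"])
  Meta.allow_tag_with_this_attribute_values("a", "target", ["_blank"])
  Meta.allow_tag_with_this_attribute_values("a", "rel", ["noopener", "noreferrer"])

  # Fenced code blocks from a GFM renderer: keep class (e.g. class="elixir") so
  # client-side highlighting still works; every other attribute on <code> is stripped.
  Meta.allow_tag_with_these_attributes("code", ["class"])
  Meta.allow_tag_with_these_attributes("pre", [])

  # Plain formatting tags that markdown produces, with no attributes at all.
  Meta.allow_tag_with_these_attributes("p", [])
  Meta.allow_tag_with_these_attributes("br", [])
  Meta.allow_tag_with_these_attributes("em", [])
  Meta.allow_tag_with_these_attributes("strong", [])
  Meta.allow_tag_with_these_attributes("blockquote", [])
  Meta.allow_tag_with_these_attributes("ul", [])
  Meta.allow_tag_with_these_attributes("ol", [])
  Meta.allow_tag_with_these_attributes("li", [])
  Meta.allow_tag_with_these_attributes("h1", [])
  Meta.allow_tag_with_these_attributes("h2", [])
  Meta.allow_tag_with_these_attributes("h3", [])

  # Everything not listed above (script, style, iframe, on* handlers, ...) is removed.
  Meta.strip_everything_not_covered()
end

defmodule MyApp.Markdown do
  # Hypothetical wrapper: run the scrubber over HTML that a markdown parser already produced.
  def sanitize(html), do: HtmlSanitizeEx.Scrubber.scrub(html, MyApp.MarkdownScrubber)
end

# Constructed input, shaped like what a GFM renderer emits plus one hostile attribute:
#
#   html = ~s(<pre><code class="elixir">IO.puts "hi"</code></pre>) <>
#          ~s(<a href="https://example.com" target="_blank" rel="noopener" onclick="x()">x</a>)
#   MyApp.Markdown.sanitize(html)
#
# Expected: class="elixir" is kept, onclick is dropped, href/target/rel survive because
# each value is on the allow list; a target="_top" or rel="foo" would be stripped.
```

Two caveats worth keeping in mind with this shape. The target and rel allowances are independent, so the scrubber does not force every target="_blank" link to also carry rel; that pairing has to come from the markdown renderer or a separate post-processing step. And allow_tag_with_these_attributes("code", ["class"]) keeps any class value; a site that wants a tighter contract with its highlighter can switch to allow_tag_with_this_attribute_values("code", "class", [...]) with an explicit list of language names.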