More docs on sanitization.

commit 188c90ba8d0b2d6e67a400899ba6cf76b7a270c6 1 parent 7e94a80
@mojombo mojombo authored
Showing with 35 additions and 1 deletion.
  1. +3 −1 README.md
  2. +32 −0 docs/sanitization.md
4 README.md
@@ -100,7 +100,9 @@ have a footer file of their own.
## HTML SANITIZATION
For security and compatibility reasons Gollum wikis may not contain custom CSS
-or JavaScript. These tags will be stripped from the converted HTML.
+or JavaScript. These tags will be stripped from the converted HTML. See
+`docs/sanitization.md` for more details on what tags and attributes are
+allowed.
## BRACKET TAGS
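Review bot: "These tags" in the added README sentence has no clear antecedent, since CSS and JavaScript are languages rather than tags, so the reader cannot tell whether inline `style="..."` attributes and `on*` event handlers are also removed. Name the stripped items explicitly, e.g. "`<style>` and `<script>` elements, `style` attributes and inline event-handler attributes are stripped from the converted HTML"; the new `docs/sanitization.md` allowlist below omits `style` and every `on*` attribute, so the README can say so directly instead of leaving it implied.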
32 docs/sanitization.md
@@ -0,0 +1,32 @@
+Sanitization Rules
+==================
+
+Gollum uses the [Sanitize](http://wonko.com/post/sanitize) gem for HTML
+sanitization.
+
+See `lib/gollum.rb` for actual settings.
+
+## ALLOWED TAGS
+
+a, abbr, acronym, address, area, b, big, blockquote, br, button, caption,
+center, cite, code, col, colgroup, dd, del, dfn, dir, div, dl, dt, em,
+fieldset, font, form, h1, h2, h3, h4, h5, h6, hr, i, img, input, ins, kbd,
+label, legend, li, map, menu, ol, optgroup, option, p, pre, q, s, samp,
+select, small, span, strike, strong, sub, sup, table, tbody, td, textarea,
+tfoot, th, thead, tr, tt, u, ul, var
+
+## ALLOWED ATTRIBUTES
+
+abbr, accept, accept-charset, accesskey, action, align, alt, axis, border,
+cellpadding, cellspacing, char, charoff, charset, checked, cite, class, clear,
+cols, colspan, color, compact, coords, datetime, dir, disabled, enctype, for,
+frame, headers, height, href, hreflang, hspace, id, ismap, label, lang,
+longdesc, maxlength, media, method, multiple, name, nohref, noshade, nowrap,
+prompt, readonly, rel, rev, rows, rowspan, rules, scope, selected, shape,
+size, span, src, start, summary, tabindex, target, title, type, usemap,
+valign, value, vspace, width
+
+## ALLOWED PROTOCOLS
+
+a href: http, https, mailto
+img src: http, https
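Review bot: the ALLOWED PROTOCOLS section only states rules for `a href` and `img src`, but the ALLOWED ATTRIBUTES list admits other URL-valued attributes: `action` (on the allowed `form` tag), `cite` (on `blockquote`, `q`, `del`, `ins`), `longdesc`, `usemap`, and `href` on `area`. Document the protocol restriction that applies to each of these, or state explicitly that none is applied, otherwise a reader of this file cannot tell whether a `javascript:` or `data:` value in `form action` is rejected. Separately, "See `lib/gollum.rb` for actual settings" means these lists are a hand-maintained copy and will drift from the code; consider generating this file from the constants in `lib/gollum.rb`, or adding a test that asserts the documented tag and attribute lists match the ones passed to Sanitize.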