Add whitelist HTML filtering (tags and attributes per tag) on paste in Bard #2185

Closed
sauerbraten opened this Issue Sep 28, 2018 · 1 comment

sauerbraten commented Sep 28, 2018

Is your feature request related to a problem? Please describe.
We want to be able to ensure users do not paste unexpected markup in Bard fields.

Describe the solution you'd like
A good solution would be a whitelist where specific tags and specific attributes (per tag) can be allowed and everything else is stripped when pasting text.

Describe alternatives you've considered
Via Bard's paste configuration variable we can provide a blacklist of tags to strip from pasted content: https://github.com/yabwe/medium-editor/blob/master/OPTIONS.md#cleantags. This proved imperfect when we found Grammarly markup (<g>) in our content files.
There is also https://github.com/yabwe/medium-editor/blob/master/OPTIONS.md#cleanattrs which strips attributes, but you're not able to allow e.g. `href` and `alt` as attributes on `a` tags but nowhere else.

Additional context
Ideally, it would be possible to define this whitelist in YAML and it would be applied on paste in the browser and also in the fieldtype's process() PHP method.

sauerbraten commented Oct 1, 2018

Adding to what I wrote above, a workaround we use for now is a custom MediumEditor extension that overwrites the official paste extension's cleanPaste function to use https://github.com/punkave/sanitize-html, which supports whitelisting the way we would like to see in Bard.
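
The per-tag allowlist requested in this issue, as an added example (not code from the issue, Bard, MediumEditor or sanitize-html): output is rebuilt only from allowlisted tags and the attributes permitted on each, so unknown markup such as Grammarly's `<g>` is dropped without having to be listed. `ALLOWED`, `SAFE_URL`, `DROP_WITH_CONTENT` and `sanitizePaste` are hypothetical names, and the URL scheme check on `href`/`src` is an assumption beyond what the issue asks for.

```javascript
// Added example. ALLOWED, SAFE_URL and sanitizePaste are hypothetical names,
// not Bard or MediumEditor configuration.
const ALLOWED = {                       // tag -> attributes permitted on that tag only
  p: [], strong: [], em: [], ul: [], ol: [], li: [], br: [],
  a: ['href'],
  img: ['src', 'alt'],
};
const DROP_WITH_CONTENT = ['script', 'style'];   // remove the element and its body
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;     // assumed scheme allowlist for href/src

const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^'"<>])*)>/g;
const ATTR = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

const escText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escAttr = (s) => escText(s).replace(/"/g, '&quot;');
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function sanitizePaste(html, allowed = ALLOWED) {
  let out = '', last = 0, skip = null, m;
  TAG.lastIndex = 0;
  while ((m = TAG.exec(html)) !== null) {
    const [whole, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!skip) out += escText(html.slice(last, m.index));   // text before this tag
    last = m.index + whole.length;
    if (skip) { if (closing && name === skip) skip = null; continue; }
    if (DROP_WITH_CONTENT.includes(name)) { if (!closing) skip = name; continue; }
    if (!has(allowed, name)) continue;       // unknown tag (e.g. <g>): strip, keep text
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    for (const [, rawKey, dq, sq, bare] of rawAttrs.matchAll(ATTR)) {
      const key = rawKey.toLowerCase();
      const value = dq ?? sq ?? bare;
      if (!allowed[name].includes(key)) continue;            // not allowed on this tag
      if ((key === 'href' || key === 'src') && !SAFE_URL.test(value)) continue;
      attrs += ` ${key}="${escAttr(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return skip ? out : out + escText(html.slice(last));
}
```

The same `ALLOWED` map would have to be enforced again on the server, as the issue notes for the fieldtype's process() method, because filtering on paste in the browser can be bypassed.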
