This repository has been archived by the owner on Apr 4, 2019. It is now read-only.

consider whitelist for safe protocols #406

Open
stefanpenner opened this issue Aug 19, 2015 · 3 comments

Comments

@stefanpenner
Collaborator

@neraliu

neraliu commented Nov 1, 2015

@stefanpenner, I have a more comprehensive list of tags and attributes that are regarded as unsafe for URI context. I can help out by creating a PR for this feature.
https://github.com/yahoo/xss-filters/blob/master/src/xss-filters.js#L58 (tag names)
https://github.com/yahoo/secure-handlebars/blob/master/src/parser-utils.js#L31 (attribute names)

@stefanpenner
Collaborator Author

@neraliu I wonder if we should make the blacklist/whitelist a common node_module, that way test/auditing/sharing is more centralized. Does this seem possible?

@neraliu

neraliu commented Jan 5, 2016

@stefanpenner Yes, we can make it a standalone npm module for testing/auditing/sharing. And I am wondering what the default behavior of htmlbars is when it encounters a URI context: blacklist or whitelist? What are general developers expecting?
