Skip to content

✨ feat(clean): report what the sanitizer dropped#557

Merged
gaborbernat merged 1 commit into
tox-dev:mainfrom
gaborbernat:feat/528-sanitize-audit
Jul 7, 2026
Merged

✨ feat(clean): report what the sanitizer dropped#557
gaborbernat merged 1 commit into
tox-dev:mainfrom
gaborbernat:feat/528-sanitize-audit

Conversation

@gaborbernat

Copy link
Copy Markdown
Member

A caller tuning a sanitizer policy could see only the cleaned string, never which tags or attributes the policy removed, so narrowing or widening an allowlist meant guessing. bleach, nh3, and html-sanitizer expose no such report; DOMPurify does, through DOMPurify.removed. 🔍

sanitize_report() (and Sanitizer.sanitize_report()) return the cleaned HTML paired with one Removed record per dropped element or stripped attribute, in the order the walk reached them: Removed(tag="a", attribute="onclick") for a stripped attribute, Removed(tag="script", attribute=None) for a removed, stripped, or escaped element. Clean input gives an empty list.

The audit runs inside the existing C walk. Each drop appends to a caller-owned list only when reporting is on, so the plain sanitize() path pays one NULL check and nothing else. A sanitize-report benchmark gates the reporting path under CodSpeed.

Closes #528

@gaborbernat gaborbernat added enhancement New feature or request area:sanitizer clean() HTML sanitizer labels Jul 7, 2026
A caller tuning a sanitizer policy could see only the cleaned string, never
which tags or attributes the policy removed, so narrowing or widening an
allowlist was guesswork. bleach, nh3, and html-sanitizer expose no such
report; DOMPurify does, through DOMPurify.removed.

sanitize_report() returns the cleaned HTML paired with one Removed record per
dropped element or stripped attribute, in the order the walk reached them. The
C walk appends each drop to a caller-owned list only when reporting is on, so
the plain sanitize() path adds nothing but a NULL check.

Closes tox-dev#528
@gaborbernat gaborbernat force-pushed the feat/528-sanitize-audit branch from 6328d5d to 6c680ad Compare July 7, 2026 02:35
@codspeed-hq

codspeed-hq Bot commented Jul 7, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 61 untouched benchmarks
🆕 1 new benchmark
⏩ 18 skipped benchmarks1

Performance Changes

Benchmark BASE HEAD Efficiency
🆕 test_feature[sanitize-report-spec] N/A 15.2 ms N/A

Comparing gaborbernat:feat/528-sanitize-audit (6c680ad) with main (4f76978)

Open in CodSpeed

Footnotes

  1. 18 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@gaborbernat gaborbernat enabled auto-merge (squash) July 7, 2026 02:54
@gaborbernat gaborbernat merged commit 053eeb2 into tox-dev:main Jul 7, 2026
48 checks passed
@gaborbernat gaborbernat deleted the feat/528-sanitize-audit branch July 10, 2026 18:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:sanitizer clean() HTML sanitizer enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Sanitizer: removed-node audit trail

1 participant