Whitelist Footer Element #326

Closed
cjeller1592 opened this issue Jun 18, 2020 · 1 comment
@cjeller1592 cjeller1592 commented Jun 18, 2020

Describe the bug

If you publish a post with the footer HTML element, it's stripped from the post.

Context: I am trying to use a web extension's embed feature (Quotebacks) whose code requires the manipulation of the embed's footer. Since the footer gets stripped from the post, the code cannot find the footer and doesn't render properly.

Steps to reproduce (if necessary)

Steps to reproduce the behavior:

  1. Publish a post with a <footer></footer> element
  2. Inspect the post in browser tools
  3. Notice how the footer element in the post is gone

Expected behavior

The footer element should have stayed intact when you inspect the post.

@thebaer thebaer commented Jun 22, 2020

Thanks for reporting this! While we're at it, we might as well support the <header> element, too.

This should be a pretty straightforward fix -- simply add:

policy.AllowElements("header", "footer")

in this func:

writefreely/postrender.go

Lines 171 to 184 in 5c94d23

func getSanitizationPolicy() *bluemonday.Policy {
	policy := bluemonday.UGCPolicy()
	policy.AllowAttrs("src", "style").OnElements("iframe", "video", "audio")
	policy.AllowAttrs("src", "type").OnElements("source")
	policy.AllowAttrs("frameborder", "width", "height").Matching(bluemonday.Integer).OnElements("iframe")
	policy.AllowAttrs("allowfullscreen").OnElements("iframe")
	policy.AllowAttrs("controls", "loop", "muted", "autoplay").OnElements("video")
	policy.AllowAttrs("controls", "loop", "muted", "autoplay", "preload").OnElements("audio")
	policy.AllowAttrs("target").OnElements("a")
	policy.AllowAttrs("title").OnElements("abbr")
	policy.AllowAttrs("style", "class", "id").Globally()
	policy.AllowURLSchemes("http", "https", "mailto", "xmpp")
	return policy
}
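
An added example, not part of the thread and not WriteFreely's or bluemonday's code: a standard-library-only model of a default-deny allowlist, showing why `<footer>` disappears until it is listed and what should stay blocked once it is. The names `sanitize`, `stockElems`, `fixedElems` and `globalAttrs` and the sample embed are constructed for illustration; `encoding/xml` in non-strict mode stands in for a real HTML tokenizer.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"html"
	"io"
	"strings"
)

// Constructed sample embed: the footer carries one harmless and one scriptable attribute.
const sample = `<blockquote class="qb">Quoted text<footer class="qb-footer" onclick="x()">Source</footer><script src="https://example.invalid/e.js"></script></blockquote>`

// Hypothetical allowlists: before the change, after it, and the globally allowed attributes.
var stockElems = map[string]bool{"blockquote": true}
var fixedElems = map[string]bool{"blockquote": true, "header": true, "footer": true}
var globalAttrs = map[string]bool{"class": true, "id": true, "style": true}

// sanitize emits only listed elements and attributes, escapes text, and fails closed on parse errors.
func sanitize(in string, elems, attrs map[string]bool) (string, error) {
	d := xml.NewDecoder(strings.NewReader(in))
	d.Strict, d.AutoClose, d.Entity = false, xml.HTMLAutoClose, xml.HTMLEntity
	var out strings.Builder
	for tok, err := d.Token(); err != io.EOF; tok, err = d.Token() {
		if err != nil {
			return "", err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			if name := strings.ToLower(t.Name.Local); elems[name] {
				out.WriteString("<" + name)
				for _, a := range t.Attr {
					if k := strings.ToLower(a.Name.Local); attrs[k] {
						fmt.Fprintf(&out, ` %s="%s"`, k, html.EscapeString(a.Value))
					}
				}
				out.WriteString(">")
			}
		case xml.EndElement:
			if name := strings.ToLower(t.Name.Local); elems[name] {
				out.WriteString("</" + name + ">")
			}
		case xml.CharData:
			out.WriteString(html.EscapeString(string(t)))
		}
	}
	return out.String(), nil
}

func main() { fmt.Println(sanitize(sample, fixedElems, globalAttrs)) }
```

The same three checks (footer kept, `onclick` dropped, `<script>` dropped) are worth running against the output of the real policy's `Sanitize` method after the change.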

@cjeller1592 cjeller1592 mentioned this issue Jun 22, 2020
@thebaer thebaer closed this in #329 Jul 7, 2020