Comments (8)
Override/extend the `_sanitizeElements` doesn't seem very good IMO.
Firstly because replacing it with our own code would not be future-proof -- it would break when upgrading to a newer DOMPurify version where that function handles more options/edge cases.
Secondly, extending it like:

```js
var _sanitizeElements = DOMPurify._sanitizeElements;
DOMPurify._sanitizeElements = function(currentNode) {
  // do stuff before _sanitizeElements
  var ret = _sanitizeElements.apply(this, arguments);
  // do stuff after _sanitizeElements
  return ret;
};
```

is not useful for the use case of keeping the text nodes of removed elements, because the node removal happens inside of that method.
Maybe if you can abstract this node removal into a `_removeNode` API which we can override, then we should be able to move the children nodes out of the element being removed. I'm not sure how well that binds with the rest of the library though; it would be more future-proof to have a tested option for that behavior.
from dompurify.
Hm, it's not easy. Let's get back to the original requirement: a user wished to remove links but keep the text. In this particular situation, I would recommend simply removing the href attributes, done. This covers anchors wrapping normal text as well as anchors wrapping complex rich-text.
Before we dive into creating APIs and tweak the core: What other use-cases could be there? When else would one want to remove the tag but keep the text?
from dompurify.
Well, let's take this GitHub Markdown editor for instance.
If you input `<span style="color:red">text</span>` it simply outputs text.
Considering markdown sanitizers, it is common practice to remove disallowed tags keeping their text content. Of course this doesn't apply to the `<script>` tag.
from dompurify.
I created a branch `KEEP_CONTENT` and started playing with `insertAdjacentHTML`, which might actually give us exactly what's wanted in case it's set to `AfterEnd` and the node-removal happens right after the insertion.
Currently, I have to wrap the new code in a try/catch which I don't really like; on Blink, not all nodes allow insertion `AfterEnd`, as they require a valid parent node, and if this is not the case the insertion fails. So it's not optimal yet but maybe a step in the right direction. Feedback of course appreciated.
In this branch, for quick testing purposes, I removed `<a>` from the list of permitted elements and set `KEEP_CONTENT` to `true`.
from dompurify.
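A minimal illustration of the two removal behaviours discussed in this thread (dropping an element together with its content vs. moving its children out before removing it, as suggested for a `_removeNode`-style helper). This is an added example, not DOMPurify's code: it uses a constructed tree model in place of the real DOM, and the `unwrapNode`/`sanitizeTree` names and the allowed/forbidden tag sets are assumptions.

```javascript
// Constructed tree model standing in for the DOM (assumption, not DOMPurify's code):
// element nodes are {tag, children, parent}, text nodes are {text, parent}.
const el = (tag, ...children) => {
  const node = { tag, children: [], parent: null };
  for (const c of children) { c.parent = node; node.children.push(c); }
  return node;
};
const txt = (text) => ({ text, parent: null });

// Tags whose text content is dangerous on its own: never kept, even with KEEP_CONTENT.
const FORBID_CONTENTS = new Set(['script', 'style']);

// Move a node's children into its parent, right after the node, then drop the node.
// Returns false when the node has no parent, the case where an AfterEnd insertion fails.
function unwrapNode(node) {
  const parent = node.parent;
  if (!parent) return false;
  const idx = parent.children.indexOf(node);
  for (const child of node.children) child.parent = parent;
  parent.children.splice(idx, 1, ...node.children);
  node.children = [];
  node.parent = null;
  return true;
}

// Sanitize depth-first: children are handled before their parent, so anything moved
// up by unwrapNode is already clean. Disallowed elements are unwrapped when keepContent
// is set, except FORBID_CONTENTS elements, which are always removed with their text.
function sanitizeTree(root, allowedTags, keepContent) {
  for (const child of [...root.children]) {
    if (child.text !== undefined) continue;          // text nodes are kept as-is
    sanitizeTree(child, allowedTags, keepContent);
    if (allowedTags.has(child.tag)) continue;
    if (keepContent && !FORBID_CONTENTS.has(child.tag)) {
      unwrapNode(child);
    } else {
      root.children.splice(root.children.indexOf(child), 1);
      child.parent = null;
    }
  }
  return root;
}

function serialize(node) {
  if (node.text !== undefined) return node.text;
  return `<${node.tag}>${node.children.map(serialize).join('')}</${node.tag}>`;
}

// Constructed input: a link wrapping rich text, a script, and a styled span; only
// <div> and <b> are permitted. With keepContent the link and span text survive.
function demo(keepContent) {
  const doc = el('div',
    el('a', el('b', txt('bold')), txt(' link')),
    el('script', txt('alert(1)')),
    el('span', txt('red')));
  return serialize(sanitizeTree(doc, new Set(['div', 'b']), keepContent));
}
```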
Oh nice work!
I'm working on some killer deadlines and I'm not as experienced in HTML sanitizing/browser DOM quirks as you guys, so I can't really make meaningful contributions at the moment.
from dompurify.
The tests are so far green so I am optimistic. I'll merge later on and close the ticket. Thx :)
from dompurify.
Minor bikeshed: IMHO `PRESERVE_CONTENT` is a better name than `KEEP_CONTENT`.
from dompurify.
Denied, `KEEP_CONTENT` says the same and is shorter :)
from dompurify.