Comments (7)
That's a good point, thanks!
So, in our current model, the hooks can be stacked. If someone adds a hook (using addHook()
) for a certain event, let's say 'afterSanitizeAttributes' then it will execute first. If another hook is added, it executes second, and so on.
Would a simple implementation of removeHook()
do, that simply removes hooks from the stack? What model would you think makes sense here? FIFO or LIFO?
from dompurify.
I've handled my specific usecase by also managing state globally like so:
This works for me since I have relatively simple code in a sandboxed iframe. But that is obviously not desirable in a large application context where global member can cause problems.
Would a simple implementation of removeHook() do, that simply removes hooks from the stack? What model would you think makes sense here? FIFO or LIFO?
To be honest the most flexible solution would be to just configure the hooks each time DOMPurify.sanitize() is called. When sanitize is finished the hooks are flushed by DOMPurify and must be reinitialized for the next invocation of sanitize(). That was my naive understanding when I looked at your api documentation at least.
from dompurify.
Hmm, I disagree. I think, that when a hook is added, it is expected to stay. A flush not expected by everyone could have far more negative consequences than the lack thereof.
I'd be happy to look into the implementation of removeHook()
, be it FIFO or LIFO. But an implicit flush is not an option right now. Unless you convince me otherwise ;)
from dompurify.
I'd be happy to look into the implementation of removeHook(), be it FIFO or LIFO.
Alright. Sounds good to me.
from dompurify.
I added some code for review. Would that do in your case?
from dompurify.
Would that do in your case?
Yes it would. I would probably use the new removeAllHooks
api to clear the global state before each go. That way I can configure and sanitize in one local function and do not have to manage global state.
Thanks for the quick fix!
from dompurify.
Excellent, thx. Closing this for now then.
from dompurify.
Related Issues (20)
- Uncertain how to handle 'non-standard' HTML HOT 3
- Need to block external calls, e.g. all HTTP requests HOT 7
- Why does name="name" on an input field get purified? HOT 1
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method #947 HOT 3
- Latest versions of DOMPurify 2.5.x block custom SVG elements when they are set via ADD_TAGS config. HOT 6
- release 3.1.3 assets are the same as 3.1.2 HOT 1
- Number.isNaN is not supported in MSIE HOT 15
- Bower issues : DOMPurify is not defined HOT 5
- HTML and BODY tags are being regardless of `ALLOWED_TAGS` settings HOT 2
- MAX_NESTING_DEPTH remove contents issue HOT 5
- Escape unsafe characters instead of removing them HOT 3
- The MAX_NESTING_DEPTH remove contents issue has not been resolved. HOT 3
- A code comment containing a tag name structure leads to removal of the entire block HOT 2
- Issue secure [email protected] Apache-2.0 + Fair + MPL-2.0 HOT 1
- KEEP_CONTENT remove contents of all ALLOWED_TAGS HOT 2
- <img> xss vulnerability
- MathML Content Markup Removed HOT 2
- Policy creator HOT 2
- name='lang' Attribute Removed During Sanitization HOT 1
- DOM Purify Allows onfocus events HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dompurify.