Cannot remove hook about dompurify HOT 7 CLOSED

That's a good point, thanks!

So, in our current model, the hooks can be stacked. If someone adds a hook (using addHook()) for a certain event, let's say 'afterSanitizeAttributes' then it will execute first. If another hook is added, it executes second, and so on.

Would a simple implementation of removeHook() do, that simply removes hooks from the stack? What model would you think makes sense here? FIFO or LIFO?

from dompurify.

I've handled my specific usecase by also managing state globally like so:

https://github.com/whiteout-io/mail-html5/blob/09afa8b95103c7254b2af50583f2e5ced1876a78/src/js/controller/app/read-sandbox.js#L3-L32

This works for me since I have relatively simple code in a sandboxed iframe. But that is obviously not desirable in a large application context where global member can cause problems.

Would a simple implementation of removeHook() do, that simply removes hooks from the stack? What model would you think makes sense here? FIFO or LIFO?

To be honest the most flexible solution would be to just configure the hooks each time DOMPurify.sanitize() is called. When sanitize is finished the hooks are flushed by DOMPurify and must be reinitialized for the next invocation of sanitize(). That was my naive understanding when I looked at your api documentation at least.

from dompurify.

Hmm, I disagree. I think, that when a hook is added, it is expected to stay. A flush not expected by everyone could have far more negative consequences than the lack thereof.

I'd be happy to look into the implementation of removeHook(), be it FIFO or LIFO. But an implicit flush is not an option right now. Unless you convince me otherwise ;)

from dompurify.

I'd be happy to look into the implementation of removeHook(), be it FIFO or LIFO.

Alright. Sounds good to me.

from dompurify.

I added some code for review. Would that do in your case?

753053b

from dompurify.

Would that do in your case?

Yes it would. I would probably use the new removeAllHooks api to clear the global state before each go. That way I can configure and sanitize in one local function and do not have to manage global state.

Thanks for the quick fix!

from dompurify.

Excellent, thx. Closing this for now then.

from dompurify.