Warnings mode? about dompurify HOT 10 CLOSED

cure53 commented on July 24, 2024
Warnings mode?

Comments (10)

cure53 commented on July 24, 2024

That makes a lot of sense. How should the warning mode work? With console logging? Or rather a DOM object being returned? Or a map of matched elements and attributes?

devd commented on July 24, 2024

I think anything that will tell me "list of things that DOMPurify would
have removed" would be good. Since this is very clearly something for
logging which will then go to the server and be collected across all
instances, I think we should optimize for that use case. So, e.g., a string
format is fine.

Maybe let's play with concrete examples? I think just an array of elements
and attributes that would have been cleansed would be enough for my use
case right now.

On 22 July 2015 at 02:36, Cure53 [email protected] wrote:

> That makes a lot of sense. How should the warning mode work? With console
> logging? Or rather a DOM object being returned? Or a map of matched
> elements and attributes?

cure53 commented on July 24, 2024

That should indeed be super-easy with a simple hook. No need to touch the core. A PR for a demo hook would be very welcome :)

devd commented on July 24, 2024

hah! I was worried you would say that. Ok, I should really learn how to
write hooks: seems all my feature requests end the same way :)

On 22 July 2015 at 13:03, Cure53 [email protected] wrote:

> That should indeed be super-easy with a simple hook. No need to touch the
> core. A PR for a demo hook would be very welcome :)

cure53 commented on July 24, 2024

That's why we created that API :)

devd commented on July 24, 2024

hmm .. I looked a bit into how I would write the hook as a theoretical exercise and, maybe I am missing something, but there doesn't seem to be an event that is only called if the current attribute or element will be removed. For example, for the string hi (as far as I can tell), the uponSanitizeAttribute hook is called for onclick as well as data-foo. Is there some trick I am missing?

cure53 commented on July 24, 2024

You can for example use beforeSanitize and afterSanitize. In the first hook you create a map of elements that exist. In the second, you have all elements that remain. That gives you all info you need to return a map of elements that were removed.

As I understand, you would want to permit anything anyway. And only find out what would be removed. So, you wouldn't even touch the original string, correct?

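
The before/after comparison described in the comment above, as an added example that is not part of the original thread or DOMPurify's own code. It uses the hook entry points `beforeSanitizeElements`/`afterSanitizeElements` and goes one step further by also diffing attributes with `beforeSanitizeAttributes`/`afterSanitizeAttributes`; `reportRemovals` and its `purify` parameter (a DOMPurify instance) are assumed names.

```javascript
// Added example: report what DOMPurify strips, using only its hook API.
// `purify` is a DOMPurify instance (for example window.DOMPurify);
// reportRemovals is a hypothetical helper name, not part of DOMPurify.
function reportRemovals(purify, dirty, config) {
  const seen = new Set();         // elements that entered element sanitization
  const kept = new Set();         // nodes that survived it
  const attrsBefore = new Map();  // element -> attribute names before cleaning
  const removed = [];             // human-readable entries for logging

  const tag = (node) => `<${node.nodeName.toLowerCase()}>`;
  const attrNames = (node) => Array.from(node.attributes || [], (a) => a.name);

  const hooks = {
    // Fires for every node; a removed node never reaches the "after" hook.
    beforeSanitizeElements: (node) => { if (node.nodeType === 1) seen.add(node); },
    afterSanitizeElements: (node) => { kept.add(node); },
    // Snapshot attribute names, then diff once DOMPurify has cleaned them.
    beforeSanitizeAttributes: (node) => { attrsBefore.set(node, attrNames(node)); },
    afterSanitizeAttributes: (node) => {
      const after = new Set(attrNames(node));
      for (const name of attrsBefore.get(node) || []) {
        if (!after.has(name)) removed.push(`attribute ${name} on ${tag(node)}`);
      }
    },
  };

  for (const [entryPoint, fn] of Object.entries(hooks)) purify.addHook(entryPoint, fn);
  try {
    purify.sanitize(dirty, config); // output is discarded; only the diff is kept
  } finally {
    // removeHook pops the most recently added hook for that entry point,
    // so hooks the application registered earlier stay in place.
    for (const entryPoint of Object.keys(hooks)) purify.removeHook(entryPoint);
  }

  for (const node of seen) {
    if (!kept.has(node)) removed.push(`element ${tag(node)}`);
  }
  return removed;
}
```

The returned array of strings matches the logging use case raised earlier in the thread: it can be serialized and collected server-side.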

cure53 commented on July 24, 2024

Any assistance needed with the hook? Otherwise I'd love to close this one as I believe the intended functionality is available with the core-feature set.

devd commented on July 24, 2024

Let's close this out; when I start implementing the hook, I will reopen or email with issues.

cure53 commented on July 24, 2024

Perfect, thanks!
