Comments (10)
That makes a lot of sense. How should the warning mode work? With console logging? Or rather a DOM object being returned? Or a map of matched elements and attributes?
from dompurify.
I think anything that will tell me "list of things that DOMPurify would
have removed" would be good. Since this is very clearly something for
logging which will then go to the server and be collected across all
instances, I think we should optimize for that use case. So, e.g., a string
format is fine.
Maybe let's play with concrete examples? I think just an array of elements
and attributes that would have been cleansed would be enough for my use
case right now.
On 22 July 2015 at 02:36, Cure53 wrote:
> That makes a lot of sense. How should the warning mode work? With console
> logging? Or rather a DOM object being returned? Or a map of matched
> elements and attributes?
from dompurify.
That should indeed be super-easy with a simple hook. No need to touch the core. A PR for a demo hook would be very welcome :)
from dompurify.
Hah! I was worried you would say that. OK, I should really learn how to
write hooks: seems all my feature requests end the same way :)
On 22 July 2015 at 13:03, Cure53 wrote:
> That should indeed be super-easy with a simple hook. No need to touch the
> core. A PR for a demo hook would be very welcome :)
from dompurify.
That's why we created that API :)
from dompurify.
Hmm... I looked a bit into how I would write the hook as a theoretical exercise and, maybe I am missing something, but there doesn't seem to be an event that is only called if the current attribute or element will be removed. For example, for the string hi (as far as I can tell), the uponSanitizeAttribute hook is called for onclick as well as data-foo. Is there some trick I am missing?
from dompurify.
You can for example use beforeSanitize and afterSanitize. In the first hook you create a map of elements that exist. In the second, you have all elements that remain. That gives you all info you need to return a map of elements that were removed.
As I understand, you would want to permit anything anyway. And only find out what would be removed. So, you wouldn't even touch the original string, correct?
from dompurify.
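The before/after comparison suggested in the comment above, as an added example that is not part of the original thread or of the DOMPurify code base. It assumes DOMPurify's hook entry points `beforeSanitizeElements`, `afterSanitizeElements`, `beforeSanitizeAttributes` and `afterSanitizeAttributes`, which fire per node; `auditSanitize` and the `element:` / `attribute:` report strings are hypothetical names chosen here.

```javascript
// Added example: report-only audit built on DOMPurify's per-node hooks.
// `purifier` is a DOMPurify instance; auditSanitize is a hypothetical helper.
function auditSanitize(purifier, dirty, config) {
  const seen = [];               // every element DOMPurify visited
  const kept = new Set();        // elements that passed the element check
  const attrsBefore = new Map(); // element -> attribute names before cleaning
  const removedAttrs = [];

  const hooks = {
    beforeSanitizeElements(node) {
      if (node.nodeType === 1) seen.push(node);
    },
    // DOMPurify returns early when it removes a node, so this hook
    // only fires for nodes that stay in the tree.
    afterSanitizeElements(node) {
      if (node.nodeType === 1) kept.add(node);
    },
    beforeSanitizeAttributes(node) {
      if (node.attributes) {
        attrsBefore.set(node, Array.from(node.attributes, (a) => a.name));
      }
    },
    afterSanitizeAttributes(node) {
      if (!kept.has(node)) return; // the whole element is reported instead
      const tag = node.nodeName.toLowerCase();
      for (const name of attrsBefore.get(node) || []) {
        if (!node.hasAttribute(name)) removedAttrs.push(`attribute:${tag}[${name}]`);
      }
    },
  };

  const names = Object.keys(hooks);
  names.forEach((n) => purifier.addHook(n, hooks[n]));
  let clean;
  try {
    clean = purifier.sanitize(dirty, config);
  } finally {
    // removeHook pops the most recently added hook for that entry point.
    names.forEach((n) => purifier.removeHook(n));
  }
  const removedEls = seen
    .filter((node) => !kept.has(node))
    .map((node) => `element:${node.nodeName.toLowerCase()}`);
  return { clean, removed: removedEls.concat(removedAttrs) };
}

// Browser usage (constructed input):
//   auditSanitize(DOMPurify, '<a onclick="x()" data-foo="1">hi</a><script>1</script>')
```

The `removed` array is plain strings, so it can be serialized and sent to a server-side log as the request in this thread describes.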
Any assistance needed with the hook? Otherwise I'd love to close this one as I believe the intended functionality is available with the core-feature set.
from dompurify.
Let's close this out; when I start implementing the hook, I will reopen or email with issues.
from dompurify.
Perfect, thanks!
from dompurify.