explore using DOMPurify's allowlists #155
Comments
Links:
|
Here are the diffs (assuming my PR cure53/DOMPurify#309 will be accepted to correct misspellings). "removal" reflects something allowed today that would not be allowed with DOMPurify's allowlist. "addition" reflects something not allowed today that would be allowed with DOMPurify's allowlist.
|
This is a pretty big changeset. I'm curious if anybody has objections to moving to it? |
Notable conflicts:
|
DOMPurify does not allow |
The little work I did on this is on branch https://github.com/flavorjones/loofah/tree/155-use-dompurify-safelists |
We looked at this but the branch no longer works because node is a bit strange. Cannot load the |
DOMPurify appears to be well-maintained and has an up-to-date allowlist. Explore using those allowlists instead of the HTML5lib-derived lists currently used by Loofah.
IS_ALLOWED_URI to allowlist protocols
allowlist label)
Whitelist in preference to Allowlist, exploring how to do so without totally breaking monkeypatches people may have made to Loofah's allowlists.