Allow regex in attribute whitelist. #3183
Conversation
|
Thanks @nzgrover Is there no support in Loofah to do this? |
|
@nzgrover Could rebase your branch with the latest commit on master ? Thanks! |
|
@parndt I couldn't find anything in loofah's documentation, and there were data-* attributes being removed, but.... EDIT |
|
@bricesanchez no point rebasing until it's passed review 😄 |
|
@parndt my mistakes i was searching something in the wrong file. I thought a rebase will display it.. |
| @@ -32,6 +32,7 @@ module Core | |||
| self.visual_editor_javascripts = [] | |||
| self.visual_editor_stylesheets = [] | |||
| self.plugin_priority = [] | |||
| self.regex_white_list = false | |||
There was a problem hiding this comment.
All configs for SectionPresenter are in the pages/lib/refinery/pages.configuration. I'm in favor to move regex_white_list in Pages and rename it whitelist_regex to match current configs.
Could you add by default your regex?
There was a problem hiding this comment.
I still want to know whether we can support this in Loofah with existing config options
There was a problem hiding this comment.
I think it still use Loofah for the configurations Refinery::Pages::whitelist_elementsand Refinery::Pages::whitelist_attributes but use Rails::Html::PermitScrubber to create the scrubber intead of Loofah::Scrubber
|
@parndt I've had a further look at seeing if we can just use loofah, but as far as I can tell, if you supply attributes then ONLY those attributes explicitly supplied are allowed through. If you don't supply attributes, then the loofah default scrubber is used, which includes a regex to allow all 'data-' attributes. The only way I can think of round it would be to update loofahs default allowed attributes directly, but loofah doesn't provide a way to do so. See this very old issue open regarding this: flavorjones/loofah#14 How do you wish to proceed? |
|
Or what about something (slightly cheeky) like this: master...nzgrover:allow_all_data_attributes No new parameters, just the custom scrubber which skips scrubbing all data- attributes. |
|
@nzgrover I really like that solution.. allowing data- attributes seems sane; we'll need to document this next to the existing config options I think something like: # Note: data- attributes are whitelisted by default. See (link to PR or something)
config.whitelist_attributes = [] |
|
@parndt Ok, shall I put in a new pull request with the allow_all_data_attributes branch? |
|
@nzgrover yes please |
Adds the ability to use a regex in the attribute whitelist. The specific need I have is to allow all 'data-whatever' attributes through.
Just wanted to get the ball rolling with this commit, look forward feedback on improvements or the 'refinerycms' way to do this.