Force html attribute to specific values about bluemonday HOT 8 CLOSED

👍

from bluemonday.

Interesting.

Do you have examples of other attributesand the values so that I can use those in tests and also understand things better.

I guess I want to know if there are any scenarios in which the value should be dynamically determined, or whether it is always static. If it is dynamic, what are the inputs to that decision?

from bluemonday.

hrm, on second thought, most of what I can think of is altering user input to match certain criteria, mostly for better rendering. I'm not certain it falls in the purview of this library, as it isn't strictly sanitization. For instance, my current use is to force tables to have a .table class. Not strictly required, but as I use bootstrap for styling, would result in much improved table styling. I looked through the code some for where the rel="nofollow" happens, and there is a bit of logic to verify stuff like "is there a href" and that kind of thing. I'm not sure that it can be replaced without going to a callback style system, and I'm not really sure that's a good idea. I think the best option may be for me to spin my ideas out into another library that is more suited for "massaging" html like this, as one of my desires is to configure these things from a json file, so that themes could have their own settings.

from bluemonday.

Actually I think that's a great example. I've wanted that too in the past and can see that it would be useful and that the logic behind it would be fairly simple.

I'm tempted to add this in a different way, as perhaps something like Ensure(func callback) and then variants on that which have helper functions for value validation, i.e. EnsureClass(string className) and EnsureAttribute(string attrName, string attrValue).

I'd need to do some thinking about EnsureAttribute, and where this logic goes... these kind of functions would need to be applied before the actual security logic.

Cool, let me stew on this and I'll figure out the best way to embrace this kind of feature.

I'm fine with adding things so long as security is never impacted and performance isn't impacted by those not using this function. This meets both of those requirements so I'm happy to add.

from bluemonday.

lol, and here I was about to start a new project. I had even picked out a name: GreenTuesday. btw, where did the name bluemonday come from?

on the EnsureAttribute thing, I'm of mixed opinion on before or after security logic. I can see that you could really easily inject bad stuff using them, but I can also see many complications as a result. Another example is a rather specific use case for my wiki:

I want links that don't actually have a page to render as red, but that requires checks for page existence and adding a class to nonexistant links. I don't really want to allow arbitrary classes to the links, but now I have to add at least a .Matching() to the class attr on the anchor tag. Once I do that, there's no reason that people couldn't put that class on every link in the page. Not really a "bad" thing, but undesired. If the ensure stuff was done after security logic, then you wouldn't have to worry. Another case is adding custom styles dynamically, for doing stuff like building custom progress bar things out of divs with custom width: styles. Simple, until you try to pass the style through the security filter.

from bluemonday.

BlackFriday is the Markdown lib for Go, and comes from "The best markdowns happen on Black Friday". This lib was originally written to be used alongside BlackFriday for HTML sanitisation, and so I was trying to think of a name to compliment it... I like the band New Order, so Blue Monday came to mind as the name as it follows the ColourDay convention. I tend to think I should have just called the lib "HtmlClean" or something dull, but at least not being so practical allows me to consider features like this that prevent the need for multiple overlapping libs of similar functionality to be used (this irks from a performance perspective... I'd rather add the features).

I think some of what you are describing is best done on the client (where the page is fully rendered and the display state and DOM is truly known).

For the example of "I'm using this CSS framework (or JavaScript framework) and require all TABLE tags to have a .table class"... then my adding it to bluemonday makes total sense. Beyond those kinds of scenarios, then client-side makes more sense.

As soon as we're in anything more complex I wouldn't necessarily presume that the server logic is complete... but then, you know your web app and I don't.

How about something like this for now:

Policy.EnsureClass(string).OnElements()

And:

Policy.EnsureClass(string).If(func(HtmlElement) bool).OnElements()

The latter would give you the element and you'd return true if it matched some requirement.

This would allow me to defer thinking about how attributes work in all other cases and just focus on the class attribute for now.

from bluemonday.

heh, well, I hate doing stuff in javascript if I can possibly avoid it. Good news is, those 2 examples cover all the realistic usecases that I can see for right now.

from bluemonday.

I'm going to close this unresolved.

I've ummed and ah'd over it but aside from the optimisation of doing it all in this pass of the HTML, I cannot convince myself that extending bluemonday in this way doesn't open a can of worms that is making bluemonday do more than the thing it is supposed to do, which is sanitise content.

from bluemonday.