Filter external resources #99

Open
emersion opened this issue Jan 16, 2020 · 3 comments

@emersion

Sometimes it's desirable to disallow external resources (<img>, background: url(…), etc.), to prevent sanitized HTML from "calling home" (triggering HTTP requests, e.g. using pixel images for tracking purposes). For instance, a webmail might want to do this.

Would you be interested in adding an API to validate external resources?

@buro9
Member

buro9 commented Jan 16, 2020

What do you have in mind?

I'm not sure what this solution looks like, but whilst this is sanitization for XSS and untrusted HTML I wouldn't be averse to making it sanitize for privacy.

@jhillyerd

This may be something my proposed code in #61 could be used for, as it would allow a function to transform or remove tokens.

@onthegit

My PR #153 has a callback function that will allow you to modify/add/remove attributes of HTML elements with your own business logic before they are parsed by bluemonday.
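
Added example, not part of the thread and not bluemonday code: a standard-library Go check that an attribute or token hook like the ones discussed above could call to decide whether an `<img>` source or a `background: url(…)` target would trigger a request to another host. The names `IsExternalRef` and `ExternalRefsInStyle`, the `data:`/`cid:` allow-list and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// cssURL finds url(...) targets in a style value. CSS escapes and @import
// are not decoded here; a production filter needs a real CSS tokenizer.
var cssURL = regexp.MustCompile(`(?i)url\(\s*['"]?([^'")]*)['"]?\s*\)`)

// localSchemes never leave the document: data: is inline content, cid: names
// a MIME part of the same message (assumed policy for a webmail client).
var localSchemes = map[string]bool{"data": true, "cid": true}

// IsExternalRef reports whether fetching ref would contact another host.
// Values that do not parse, and unknown schemes, count as external.
func IsExternalRef(ref string) bool {
	// Browsers read "\" as "/" in http(s) URLs, so `/\host/x` is protocol-relative.
	ref = strings.ReplaceAll(strings.TrimSpace(ref), `\`, "/")
	u, err := url.Parse(ref)
	if err != nil {
		return true
	}
	if u.Scheme != "" {
		return !localSchemes[strings.ToLower(u.Scheme)]
	}
	// No scheme: "//host/x" still names a remote host; plain relative
	// paths and "#fragment" resolve against the embedding page.
	return u.Host != ""
}

// ExternalRefsInStyle lists the url(...) targets in style that are external.
func ExternalRefsInStyle(style string) []string {
	var out []string
	for _, m := range cssURL.FindAllStringSubmatch(style, -1) {
		if IsExternalRef(m[1]) {
			out = append(out, strings.TrimSpace(m[1]))
		}
	}
	return out
}

func main() {
	// Constructed sample values, not taken from the issue.
	fmt.Println(IsExternalRef("//tracker.example/p.gif"), IsExternalRef("cid:logo@mail.example"))
	fmt.Println(ExternalRefsInStyle(`background: url('http://tracker.example/bg.png')`))
}
```

The check fails closed: a value with control characters or an unrecognised scheme is reported as external, so the caller drops the attribute rather than passing it through.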
