Consider allowing different valid protocols to be applied to specific elements->attributes.

[lread]

Thanks!

First and foremost, thanks so much for creating the java-html-sanitizer. Such a nice and useful contribution to the open-source world!

My Question

I'm not sure if this is a valid, or merely a newbie, question. My apologies if it is the latter.

I'm experimenting with implementing a policy that restricts URL protocols differently for different HTML elements->attributes.

As far as I can tell, the default support is applying allowed URL protocols globally. Is that right?

For example, can I somehow use allowUrlProtocols to express that I'd like to:

• allow http, https and mailto for href on a elements,
• but only allow http and https for src on img elements?

Maybe this is not an interesting thing to do, I'm not sure. I got the idea that it might be interesting when looking at the html-pipeline sanitization filter.

[lread]

Aha! It was a newbie question!

For my above use case, I now see that I can

• first open the protocol gates via an allowUrlProtocols or allowStandardUrlProtocols
• then use allowAttributes (on for example href)
• then refine by a matching with FilterUrlByProtocolAttributePolicy which specifies the protocols I'd like to allow (for example http, https and mailto)
• then apply to elements via onElements (for example a).

Which allows me to express my use case nicely.