Closed tuomassalo closed 2 years ago
I actually agree that this is a bug, in that in a context where src="https://foo..." is permitted, src="//foo..." should also be permitted. So while allowing src on script isn't really one of our own frequent use cases, a PR would be welcome. You could start with a PR containing a failing test.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi! I'm using this package for naïve prettification of user-supplied HTML data, instead of sanitizing naughty inputs. (Yes, I'm aware this might be somewhat out of the scope of the package. But then again, allowedTags:false is already there...)

With 1.x I could use:

to allow passing through <script src="[whatever]"></script>, but I fail to find how to do that with the current version.

What works: <script src="https://example.com"></script> and <script>alert(1)</script> are passed through as-is, as expected.

What doesn't work: <script src="//example.com"></script> becomes <script></script>, and so does <script src="foo.js"></script>.

I'm now abusing transformTags to prepend https: to protocol-relative urls, but that's hacky. Any ideas on whether there is a way to allow any src value in a script tag?
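The distinction the thread turns on, a src with an explicit scheme versus a protocol-relative src versus a relative one, as an added JavaScript illustration that is not sanitize-html's own code: it classifies a src value, applies a scheme allowlist that treats protocol-relative and relative URLs as inheriting the page's scheme, and shows the "prepend https:" pinning the reporter describes. The option names allowedSchemes, allowProtocolRelative and allowRelative and the default scheme list (http, https) are assumptions for this example.

```javascript
// Added illustration, not sanitize-html's implementation.
// Assumed default: only http and https are acceptable explicit schemes.
const DEFAULT_ALLOWED_SCHEMES = ['http', 'https'];

// Browsers ignore leading ASCII whitespace and C0 controls in a URL, so strip
// them first; otherwise "  https://x" would be misread as a relative path.
function normalizeSrc(value) {
  return String(value).replace(/^[\x00-\x20]+/, '');
}

// Classify a src value into one of the three cases from the thread:
//   { kind: 'absolute', scheme: 'https' }  for https://example.com
//   { kind: 'protocol-relative' }          for //example.com
//   { kind: 'relative' }                   for foo.js or /js/foo.js
// Scheme syntax follows RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
function classifySrc(value) {
  const src = normalizeSrc(value);
  if (src.startsWith('//')) return { kind: 'protocol-relative' };
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(src);
  if (m) return { kind: 'absolute', scheme: m[1].toLowerCase() };
  return { kind: 'relative' };
}

// Decide whether a src value passes the allowlist. Protocol-relative and
// relative URLs resolve against the page's own scheme, so they are accepted
// whenever the caller has not explicitly disabled them (assumed option names).
function isSrcAllowed(value, opts = {}) {
  const allowed = (opts.allowedSchemes || DEFAULT_ALLOWED_SCHEMES)
    .map((s) => s.toLowerCase());
  const c = classifySrc(value);
  if (c.kind === 'absolute') return allowed.includes(c.scheme);
  if (c.kind === 'protocol-relative') return opts.allowProtocolRelative !== false;
  return opts.allowRelative !== false;
}

// The reporter's workaround: pin a protocol-relative URL to https: so the
// resulting src is an ordinary absolute URL that an allowlist of explicit
// schemes already accepts. Other values are returned unchanged.
function pinProtocolRelative(value) {
  const src = normalizeSrc(value);
  return src.startsWith('//') ? 'https:' + src : src;
}
```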