apostrophecms / sanitize-html

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance
MIT License
3.68k stars, 349 forks

attribute value filter is not supporting wildcard #561

Closed TheFive closed 1 year ago

TheFive commented 1 year ago

To Reproduce

I have simply written a small test file as a demonstration:

const sanitizeHtml = require("sanitize-html");

const v = sanitizeHtml("<img src='/wp-content/upload/anicepicture.png'>", {
  allowedTags: sanitizeHtml.defaults.allowedTags.concat(["img"]),
  allowedAttributes: {
    img: [{
      name: "src",
      values: ["/wp-content*"]
    }]
  }
});
console.log(v);

result:

<img src />

Expected behavior

I would expect the given img to be accepted and extended with closing

Describe the bug

given is filtered

Details

Version of Node.js: v16.14.2

Server Operating System: Mac OSX

boutell commented 1 year ago

The documentation doesn't say there is support for wildcards for values, only for attribute names. This is not a bug.

Together with initially allowing any value for the attribute, you could use transformTags to achieve what you want.
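
The approach described in the comment above, as an added example that is not part of the original thread or the project's own code: `allowedAttributes` admits any `src` on `img`, and a `transformTags` callback drops it unless the normalised path stays under `/wp-content/`. The names `ALLOWED_PREFIX`, `BASE`, `srcAllowed`, `filterImgSrc` and `sanitizeComment`, the placeholder origin, and the trailing slash on the prefix are assumptions.

```javascript
// Added example, not from the sanitize-html project. ALLOWED_PREFIX, BASE,
// srcAllowed, filterImgSrc and sanitizeComment are hypothetical names.
const ALLOWED_PREFIX = "/wp-content/";
const BASE = "http://placeholder.invalid"; // dummy origin used only for parsing

// True only for same-origin paths that still sit under ALLOWED_PREFIX after
// URL normalisation ("..", "%2e%2e" and "\" are resolved by the URL parser).
function srcAllowed(src) {
  if (typeof src !== "string") return false;
  let url;
  try {
    url = new URL(src, BASE);
  } catch (err) {
    return false;
  }
  return url.origin === BASE && url.pathname.startsWith(ALLOWED_PREFIX);
}

// transformTags callback: keep the tag, drop src unless it passes the check.
function filterImgSrc(tagName, attribs) {
  const kept = { ...attribs };
  if (!srcAllowed(kept.src)) delete kept.src;
  return { tagName, attribs: kept };
}

const options = {
  allowedTags: ["p", "img"],
  allowedAttributes: { img: ["src"] }, // any value passes here ...
  transformTags: { img: filterImgSrc } // ... and is narrowed here
};

// sanitize-html is loaded lazily so the filter can be tested without it.
function sanitizeComment(html) {
  const sanitizeHtml = require("sanitize-html");
  return sanitizeHtml(html, options);
}
```

A plain `startsWith` on the raw attribute would accept `/wp-content/../` paths and miss protocol-relative URLs, which is why the value is parsed against a dummy base first.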

TheFive commented 1 year ago

Thanks for the answer, I will have a try.