cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo: https://cure53.de/purify

Allow Popover API attributes #957

Closed Gigabyte5671 closed 4 months ago

Gigabyte5671 commented 4 months ago

Summary

This PR adds the new attributes from the Popover API to the list of allowed HTML attributes. This includes:

These attributes are used to identify popover elements and control their behaviour. I don't believe they can be used to trigger scripts in any way, but please let me know if I'm wrong.

Thanks!

Background & Context

This API is quite new, but support for it is already estimated at ~84% (caniuse).

cure53 commented 4 months ago

Thanks, we should be fine with those as far as I can see, time will tell.