Open rebeccahum opened 3 years ago
As far as I understood, it's not about the attribute name (like `href`), but about declaring allowed values or value patterns?

I've been working on a DOM-based sanitizer for HTML recently; it seems some concepts could be reused here as well to introduce a custom `Behavior`. Please have a look at the example at https://github.com/typo3/html-sanitizer#example--api

```php
$hrefAttr = (new Behavior\Attr('href'))
    ->addValues(new Behavior\RegExpAttrValue('#^https?://#'));
```

... would allow declaring an expected prefix, e.g. `https://` or `data:image/.+`

```php
$hrefAttr = (new Behavior\Attr('href'))
    ->addValues(new Behavior\ClosureAttrValue(function (string $value): bool {
        // custom logic, decoding base64 string, check mime-type
        return true; // in case everything is fine - otherwise reject with `false`
    }));
```

... would allow declaring individual handling and delegating to some other service implementation
Just wanted to share my ideas on that topic... 😉
Interesting, so I guess you're looking for a way to filter the `isHrefSafeValue()` method?
I think that could be a good addition, my concern was always that people could allow things without having context on why they're not allowed by default. I'll have a look into this.
@ohader I'd love to hear more about that, do you have that code anywhere that I can look into?
I'm a bit confused -- when I use the project author's online demo at https://svg.enshrined.co.uk/ , your code comes through fine. What am I missing?
Since I don't think this is currently possible, it would be nice to be able to use `setAllowedAttrs()` to detect a starting pattern inside an `href` attribute like `data:image/*`, e.g. this gets flagged as a false positive:
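As an added example, not code from svg-sanitizer or typo3/html-sanitizer: a stand-alone PHP 8 sketch of the allow-list idea from both comments above, combining a scheme-prefix pattern for `href` with a closure that decodes a `data:image/*` URI and checks the declared MIME type against the payload's magic bytes (the `IMAGE_MAGIC` table and the sample values are constructed for this illustration).

```php
<?php
declare(strict_types=1);

// Added example (not svg-sanitizer or typo3/html-sanitizer code): an href
// allow-list combining a prefix pattern with a data:image/* payload check.

/** Magic bytes for the image types we accept (constructed allow-list; SVG is left out on purpose). */
const IMAGE_MAGIC = [
    'image/png'  => "\x89PNG\r\n\x1a\n",
    'image/jpeg' => "\xFF\xD8\xFF",
    'image/gif'  => "GIF8",
];

/** Closure-style check: decode a base64 data:image URI and verify the MIME type matches the bytes. */
function isSafeDataImage(string $value): bool
{
    if (!preg_match('#^data:(image/[a-z0-9.+-]+);base64,(.*)$#is', $value, $m)) {
        return false;
    }
    $mime = strtolower($m[1]);
    if (!isset(IMAGE_MAGIC[$mime])) {
        return false; // unknown or scriptable image types (image/svg+xml) are rejected
    }
    $bytes = base64_decode($m[2], true); // strict mode: reject non-base64 characters
    if ($bytes === false) {
        return false;
    }
    // The declared MIME type must agree with the decoded payload's signature.
    return str_starts_with($bytes, IMAGE_MAGIC[$mime]);
}

/** Combined href policy: http(s) URLs by prefix pattern, data URIs via the closure check. */
function isHrefAllowed(string $value): bool
{
    $value = trim($value);
    if (preg_match('#^https?://#i', $value)) {
        return true;
    }
    return isSafeDataImage($value);
}

// Constructed sample values with the expected verdicts.
$samples = [
    'https://example.com/a.svg'                                        => true,
    'data:image/png;base64,' . base64_encode("\x89PNG\r\n\x1a\n" . 'xx') => true,
    'data:image/png;base64,' . base64_encode('not an image')           => false, // magic bytes mismatch
    'data:image/svg+xml;base64,' . base64_encode('<svg/>')             => false, // type not allow-listed
    'ftp://example.com/a.svg'                                          => false, // scheme not allow-listed
];
foreach ($samples as $href => $expected) {
    assert(isHrefAllowed($href) === $expected);
}
```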