flavorjones / loofah

Ruby library for HTML/XML transformation and sanitization
MIT License

Is there any reason for excluding controls attribute on audio element from whitelist? #153

Open dotneet opened 6 years ago

dotneet commented 6 years ago

I can't find the vulnerability on the controls attribute. Any reason for excluding it from the whitelist?

flavorjones commented 6 years ago

Noting here for posterity that this would be addressed by #155 if we used DOMPurify's allowlists.

flavorjones commented 6 years ago

(Assuming you mean the SVG audio element?)