Open klemay opened 4 years ago
From Slack: It seems that we rely on DOMPurify for sanitization, and I'm not finding an ALLOWED_TAGS list in our code, so this would require some research to figure out what gets through.
We trust DOMPurify's default configuration, which allows most purely presentational elements (i.e. those which don't trigger execution of code, loading of custom CSS or loading of embedded plugins or documents).
Looks like there's a demo we can play around with - might be worth looking into whether we can find a list somewhere though: https://cure53.de/purify
There's a fairly straightforward way to test this. Make (or find) a chunk of HTML that uses every imaginable tag, put it into the annotation editor, and see what survives.
That would be really useful, actually.
Discussed in Slack: https://hypothes-is.slack.com/archives/C07NXBDNW/p1571964864005600?thread_ts=1571960978.002500&cid=C07NXBDNW
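The "feed it every tag and see what survives" test suggested above can be scripted rather than done by hand. The harness below is an added example, not code from the Hypothesis project or from DOMPurify: it builds one probe element per tag name, runs the markup through whatever `sanitize` function you hand it, and reports which tags were kept and which were stripped. The tag inventory `PROBE_TAGS` and the allowlist stand-in `standinSanitize` are constructed for the example so it runs without DOMPurify installed; in the real check you would pass `DOMPurify.sanitize` (in a browser console, or with jsdom) in place of the stand-in, or paste the output of `buildProbeMarkup()` into the annotation editor.

```javascript
// Added example (not from the Hypothesis issue or DOMPurify): a probe harness that
// builds one element per tag name, runs the markup through a sanitizer, and
// reports which tags survive. Pass DOMPurify.sanitize as `sanitize` in a browser;
// the allowlist sanitizer at the bottom is a constructed stand-in so that this
// file runs stand-alone.

const VOID_TAGS = new Set(['br', 'hr', 'img', 'input', 'area', 'col', 'embed', 'source', 'track', 'wbr']);

// A representative (constructed, not exhaustive) inventory of element names to probe.
const PROBE_TAGS = [
  'a', 'abbr', 'b', 'blockquote', 'br', 'code', 'del', 'em', 'h1', 'hr', 'i',
  'img', 'li', 'ol', 'p', 'pre', 'q', 's', 'strong', 'sub', 'sup', 'table',
  'td', 'th', 'tr', 'ul', 'video', 'audio', 'source', 'details', 'summary',
  'iframe', 'object', 'embed', 'script', 'style', 'form', 'input', 'button',
  'math', 'svg', 'template', 'slot', 'custom-element',
];

// Build one probe element per tag. Each carries a marker attribute so a survivor
// is recognisable even if the sanitizer rewrites the element's content.
function buildProbeMarkup(tags = PROBE_TAGS) {
  return tags.map((tag) => (
    VOID_TAGS.has(tag)
      ? `<${tag} data-probe="${tag}">`
      : `<${tag} data-probe="${tag}">${tag}</${tag}>`
  )).join('\n');
}

// Run the probe through `sanitize` and sort tags into kept / stripped by checking
// whether an opening tag with exactly that name is still present in the output.
function probeSanitizer(sanitize, tags = PROBE_TAGS) {
  const output = sanitize(buildProbeMarkup(tags));
  const kept = [];
  const stripped = [];
  for (const tag of tags) {
    // Lookahead stops "<b" from matching "<blockquote" or "<br".
    const re = new RegExp(`<${tag}(?=[\\s>/])`, 'i');
    (re.test(output) ? kept : stripped).push(tag);
  }
  return { kept, stripped, output };
}

// Constructed stand-in sanitizer: drops any tag not on a small allowlist and keeps
// the text between the tags. It is NOT DOMPurify (whose default allowlist is much
// broader) and exists only so the harness can run without a dependency.
const STANDIN_ALLOWED = new Set([
  'a', 'b', 'blockquote', 'br', 'code', 'em', 'i', 'li', 'ol', 'p', 'pre', 'strong', 'ul',
]);
function standinSanitize(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g, (match, name) => (
    STANDIN_ALLOWED.has(name.toLowerCase()) ? match : ''
  ));
}

const report = probeSanitizer(standinSanitize);
console.log('kept:     ', report.kept.join(' '));
console.log('stripped: ', report.stripped.join(' '));
```

Because the survivor check looks only for the opening tag name, it also catches the case where a sanitizer keeps an element but strips its attributes; compare `report.output` against the probe markup if you also want to know which attributes (such as `href`, `src` or `style`) made it through, since the tag list alone does not answer that.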