leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Whitelist a tag with any attribute #214

Closed AdrianNeatu closed 3 years ago

AdrianNeatu commented 3 years ago

Is there a way to whitelist a tag with any attribute? From what I see now, I have to specify all the attributes I want for a tag in the whitelist.

gaoyaoman commented 3 years ago

> Is there a way to whitelist a tag with any attribute? From what I see now, I have to specify all the attributes I want for a tag in the whitelist.

Convenience must sacrifice safety.

AdrianNeatu commented 3 years ago

@gaoyaoman but does it? :) You speak like someone who didn't have to whitelist SVG embedding .... I would've hoped for something like whitelist: { svg: '*' } (for all svg inner tags of course) or something like that.

leizongmin commented 3 years ago

You can try to set up a custom onIgnoreTagAttr function to allow any attributes, ref: https://github.com/leizongmin/js-xss/#customize-the-handler-function-for-attributes-not-in-the-whitelist

Here is an example: https://github.com/leizongmin/js-xss/issues/118#issuecomment-352865144
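
An onIgnoreTagAttr handler along the lines suggested above, as an added example (not code from the js-xss project or from this thread): it keeps any attribute on a chosen set of tags while still dropping event handlers, style, and URL attributes that are not a fragment or https. The tag list, the URL-attribute list and the local escapeAttrValue stand-in are assumptions made for the example.

```javascript
// Tags on which attributes outside the whitelist are kept (constructed list).
const OPEN_TAGS = new Set(["svg", "g", "path", "circle", "rect", "use"]);
// Attributes whose value is a URL and needs a scheme check.
const URL_ATTRS = new Set(["href", "xlink:href", "src"]);

// Local stand-in for xss.escapeAttrValue so the block runs without the package.
function escapeAttrValue(value) {
  return String(value)
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Signature follows the README: (tag, name, value, isWhiteAttr).
// Returning a string keeps the attribute as that string; returning
// nothing leaves the default behaviour (the attribute is removed).
function allowAnyAttr(tag, name, value, isWhiteAttr) {
  if (!OPEN_TAGS.has(String(tag).toLowerCase())) return;
  const attr = String(name).toLowerCase();
  if (!/^[a-z][a-z0-9:_.-]*$/.test(attr)) return; // malformed name
  if (attr.startsWith("on")) return;              // event handlers
  if (attr === "style") return;                   // inline CSS not passed through
  if (URL_ATTRS.has(attr)) {
    // Browsers ignore whitespace/control characters in URLs: drop them first.
    const url = String(value).replace(/[\u0000-\u0020]/g, "");
    if (!/^(#|https:\/\/)/i.test(url)) return;    // fragment or https only
  }
  return name + '="' + escapeAttrValue(value) + '"';
}

// Wiring sketch (requires the xss package; tags must still be whitelisted):
//   const xss = require("xss");
//   const clean = xss(html, {
//     whiteList: { svg: [], path: [], use: [] },
//     onIgnoreTagAttr: allowAnyAttr,
//   });
```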