Add `<summary>` to default whitelist

leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist

http://jsxss.com

Other

5.19k stars 630 forks source link

Add `<summary>` to default whitelist #216

Closed spacegaier closed 3 years ago

spacegaier commented 3 years ago

Since <details> is in there, it makes sense for <summary> as well since that is used inside <details> to define the text label/title for the collapsible element.

See example: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/details

spacegaier commented 3 years ago

@leizongmin Thank you for merging it in 👍 . Do you plan to release a new minor version with the current batch of merges so we can pull in the new version into other projects?

leizongmin commented 3 years ago

Yes, I will publish a new version later.

spacegaier commented 3 years ago

@leizongmin I noticed that this chore commit removed summary again: https://github.com/leizongmin/js-xss/commit/1f0f0b6343028639b60a4cdd998950caf719363b

leizongmin commented 3 years ago

I have published a new version xss@1.0.9 including the following changes:

Fix whitespace bypass #218 by @TomAnthony
Add <summary> to default whitelist #216 by @spacegaier
Add <figure> and <figcaption> to default whitelist by @daraz999
Add <audio crossorigin muted>, <video crossorigin muted playsinline poster> to default whitelist
Add <strike> to default whitelist
Fix: typings IWhiteList allow any tag name
Fix: typings onTag options

spacegaier commented 3 years ago

@leizongmin Thank you for the new version! Will directly get on pulling that into Home-Assistant 👍.

Could you also mark a release here on GitHub? Then people can easily compare the changes.

EDIT: NVM, you just created it 30 seconds ago. Great!

leizongmin commented 3 years ago

https://github.com/leizongmin/js-xss/releases/tag/v1.0.9