leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

feat: single-quoted attribute value syntax support #287

Closed mdk000 closed 4 months ago

mdk000 commented 4 months ago

Hi @leizongmin!

First of all, thank you for creating this package. We have been using it for sanitizing HTML and putting it inside JSON files. It can be done in two ways:

but the default config output is:

We would like to use the default config and not create any custom rules via safeAttrValue or onIgnoreTagAttr, but we need to have single-quoted attribute value syntax for the sanitized output. According to the WHATWG spec, the single-quoted approach is also valid and supports values containing whitespace.

I've created a PR. Now it's possible to use the new quotedAttributeValueSyntax config option. Default behaviour is left intact, so the changes can be treated as an enhancement.

Let me know what you think

leizongmin commented 4 months ago

Hi, @mdk000. Thanks for your PR.

I think it might be better to change quotedAttributeValueSyntax: 'single' | 'double' to singleQuotedAttributeValue: true | false. Only when singleQuotedAttributeValue is set to true, the attribute values will be wrapped in single quotes. If singleQuotedAttributeValue is not set or set to false, the attribute values will be wrapped in double quotes as usual.

mdk000 commented 4 months ago

@leizongmin thanks for the suggestion, I've corrected it, please check.

When do you plan to release new version with this feature?

leizongmin commented 4 months ago

@mdk000 I just merged this MR and released a new version xss@1.0.15.

mdk000 commented 4 months ago

@leizongmin awesome! thanks
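The thread settles on a boolean `singleQuotedAttributeValue` option so that sanitized output can be dropped into JSON without every `"` being escaped. The example below is added here and is not js-xss code: it is a small stand-alone attribute serializer that supports both quote styles, and it shows the check a practitioner should make when switching quote style, namely that the wrapping quote character is itself escaped inside the value, since an escaper written only for double-quoted output (escaping `"` alone) lets a value containing `'` terminate a single-quoted attribute. The function names (`renderAttr`, `renderTag`, `naiveSingleQuoted`, `quoteCount`), the sample URL and the sample title are constructed for this illustration; only the option name is borrowed from the thread, and nothing here describes how xss@1.0.15 implements it.

```javascript
// Added example (not js-xss code): serialize a sanitized attribute value in
// either double- or single-quoted syntax, escaping the wrapping quote so the
// value can never close the attribute early. All sample data is constructed.

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that could alter attribute or tag structure.
// Escaping both quote kinds keeps the output safe whichever style is used.
function escapeAttrValue(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Render name="value" or name='value'. The option name mirrors the one agreed
// in this thread, but this helper is a stand-in, not the library's code.
function renderAttr(name, value, { singleQuotedAttributeValue = false } = {}) {
  const q = singleQuotedAttributeValue ? "'" : '"';
  return `${name}=${q}${escapeAttrValue(value)}${q}`;
}

// Render a start tag from an attribute map using the same option object.
function renderTag(tag, attrs, options) {
  const parts = Object.entries(attrs).map(([n, v]) => renderAttr(n, v, options));
  return `<${tag}${parts.length ? " " + parts.join(" ") : ""}>`;
}

// Failure mode to check for: an escaper that only handles the double quote
// (enough for double-quoted output) reused for single-quoted output.
function naiveSingleQuoted(name, value) {
  return `${name}='${String(value).replace(/"/g, "&quot;")}'`;
}

// Number of times a quote character occurs in the rendered attribute; a
// correctly escaped attribute contains its wrapping quote exactly twice.
function quoteCount(rendered, quote) {
  return rendered.split(quote).length - 1;
}

// Constructed sample: a title containing both quote kinds and whitespace.
const SAMPLE_TITLE = `O'Reilly says "hi" there`;
const SAMPLE_ATTRS = { href: "https://example.com/", title: SAMPLE_TITLE };

const doubleQuoted = renderTag("a", SAMPLE_ATTRS);
const singleQuoted = renderTag("a", SAMPLE_ATTRS, { singleQuotedAttributeValue: true });

// The motivation from the thread: inside JSON, double quotes in the HTML
// become \" while single quotes pass through untouched.
const jsonDouble = JSON.stringify({ html: doubleQuoted });
const jsonSingle = JSON.stringify({ html: singleQuoted });

console.log(doubleQuoted);
console.log(singleQuoted);
console.log(jsonDouble);
console.log(jsonSingle);
// The naive variant lets the apostrophe in the title close the attribute.
console.log(naiveSingleQuoted("title", SAMPLE_TITLE));
```

Whatever quote style a sanitizer emits, the test worth keeping is the one `quoteCount` performs: feed a value that contains the wrapping quote and confirm the rendered attribute still has exactly two of them.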