microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

How to disallow attr? #130

Closed Lolioy closed 2 years ago

Lolioy commented 3 years ago

I want to disallow some attrs on elements. How do I do that?

clarencefoy commented 2 years ago

Attributes are disallowed by default, therefore, what you are actually going to have to do is enable them specifically. If you can add some details to your question, I'll try to add more information.

buro9 commented 2 years ago

@clarencefoy is correct... the approach bluemonday takes is to default deny everything... and then to selectively allow what you want to allow.

@Lolioy I'm going to guess that you're using UGCPolicy() which is defined in policies.go. Feel free to copy that func into your own code base (no need to fork this repo, etc) and then remove from that anything you didn't want to allow.

The UGCPolicy is there to provide a safe example that works well in the majority of cases, but it's not a perfect fit for everyone, in which case use it as an example of how to build a policy that works perfectly for you.