microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Sanitize only what is disallowed #159

Closed aviadl closed 1 year ago

aviadl commented 1 year ago

It seems that sanitization is working according to an allow list, so basically everything is forbidden. Is there a way to turn it around? I know it is less safe, but in my case I would like to only remove iframes and scripts and leave all other elements (I can today with a regex) and attributes (couldn't find a way) in place.

buro9 commented 1 year ago

This will not be changed in this project. The only way to be default safe is to build an allow list.

If a cosmetic thing is needed, rather than a security thing, then a different project should be created to achieve the inverse of this one. That is: to iterate through HTML and not output something on a block list.