microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Add url prefix for tags such as `a`, `img` and `iframe` #166

Closed zyxkad closed 1 year ago

zyxkad commented 1 year ago

I want to rewrite the relative URLs in tags such as img and a, since I fetched the markdown from another website, but bluemonday seems to only have options to block or allow them? Is there any chance that you can implement it?

I don't want to parse the HTML again. It will be slower and harder.

buro9 commented 1 year ago

No, it's not clear how this would be done or what the API would look like. Worse though, transformations are best done as a step prior to sanitization and attempting to perform a transformation during sanitization would introduce risk that we aren't sanitizing correctly which would defeat the value in this library.

It is true that some transformations are done by this library (i.e. the addition of rel="nofollow"), but these are extremely few and very well defined and are not operating on the input. I would not expand the use of these to transform a URL unless it could be proven to be safely done.

zyxkad commented 1 year ago

> I would not expand the use of these to transform a URL unless it could be proven to be safely done.

I think if bluemonday always operates on the URL after the URL is rewritten, it will be safe, isn't it?

zyxkad commented 1 year ago

> transformations are best done as a step prior to sanitization

No, it isn't. That means I should parse the HTML twice; it will be slower 100%.
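Added example of the ordering buro9 describes, not code from bluemonday or from anyone in this thread: relative href/src values are resolved against a base with net/url first, and only then does a scheme check, standing in for the sanitizer's URL policy, decide what survives. The regexp attribute matcher, the allowlist and the sample fragment are constructed for this example; a real pipeline would tokenize with golang.org/x/net/html and hand the rewritten markup to bluemonday.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Constructed stand-in for a sanitizer's URL scheme allowlist (not bluemonday's policy).
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// rewriteURL resolves raw against base. Relative references ("/img/a.png", "../x")
// gain the base's scheme and host; absolute URLs, including "javascript:", come back
// untouched, which is why this rewrite alone is not a substitute for sanitization.
func rewriteURL(base *url.URL, raw string) (string, error) {
	ref, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return base.ResolveReference(ref).String(), nil
}

// isAllowed is the sanitization check that runs AFTER rewriting, on the final URL.
func isAllowed(resolved string) bool {
	u, err := url.Parse(resolved)
	if err != nil {
		return false
	}
	return allowedSchemes[u.Scheme]
}

// Deliberately minimal attribute matcher for the constructed fragment below.
var attrRE = regexp.MustCompile(`(?i)\b(href|src)="([^"]*)"`)

// rewriteAndSanitize rewrites every href/src value first, then drops any attribute
// whose resolved URL fails the scheme check, so the check always sees the rewritten URL.
func rewriteAndSanitize(base *url.URL, fragment string) string {
	return attrRE.ReplaceAllStringFunc(fragment, func(m string) string {
		parts := attrRE.FindStringSubmatch(m)
		resolved, err := rewriteURL(base, parts[2])
		if err != nil || !isAllowed(resolved) {
			return "" // attribute removed entirely
		}
		return fmt.Sprintf(`%s="%s"`, parts[1], resolved)
	})
}

func main() {
	base, _ := url.Parse("https://example.com/posts/1")
	// Constructed sample: a relative link, a root-relative image and a javascript: URL.
	in := `<a href="../about">About</a> <img src="/img/a.png"> <a href="javascript:alert(1)">x</a>`
	fmt.Println(rewriteAndSanitize(base, in))
}
```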