search

microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License
3.08k stars 178 forks source link

Is there a way to allow all URL schemes? #174

Closed yardenshoham closed 1 year ago

yardenshoham commented 1 year ago

Basically something like AllowURLSchemeWithCustomPolicy but for all schemes.

References:

buro9 commented 1 year ago

Today there isn't.

It would probably require the addition of AllowURLSchemesRegexp(r regexp) and then instead of matching a fixed set of strings it would match the regexp. To allow all you'd merely set a regexp to .*.

If you wanted to make a working PR with a test for it, I would accept it.

yardenshoham commented 1 year ago
buro9 commented 1 year ago

Thanks, I've been snowed under with a fairly large incident the last few days, but I've just taken a look and this is great so I'll merge now and will cut a release.