microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Allowing comments #95

Closed edvjur closed 3 years ago

edvjur commented 4 years ago

Hi there.

I was looking for the reason why my comments are being sanitized and I found that they are simply ignored by default: https://github.com/microcosm-cc/bluemonday/blob/master/sanitize.go#L228

I bet that for most of the cases comments are not necessary, but in my case, they are essential.

My question is: do you guys think that adding AllowComments method (false by default) is a good, safe idea and is worthy of PR?

edvjur commented 4 years ago

What do you think @buro9?

buro9 commented 4 years ago

If you make a PR and it has test cases showing that comments are safely handled by an AllowComments(boolean) policy then I'll accept it :smile:
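As an added illustration of what "safely handled" could mean for such a policy (example code written for this thread, not bluemonday's own implementation): a comment is only re-emitted when its body satisfies the WHATWG HTML syntax constraints on comment text, so a browser cannot close it early and parse the remainder as markup. The names `renderComment`, `commentBodyIsWellFormed` and the `allowComments` flag are hypothetical, and the sample bodies are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// commentBodyIsWellFormed reports whether text may be emitted verbatim between
// "<!--" and "-->" without the browser closing the comment early or re-parsing
// part of it as markup. The rules are the WHATWG HTML syntax constraints on
// comment text: it must not start with ">" or "->", must not contain "<!--",
// "-->" or "--!>", and must not end with "<!-".
func commentBodyIsWellFormed(text string) bool {
	if strings.HasPrefix(text, ">") || strings.HasPrefix(text, "->") {
		return false
	}
	for _, forbidden := range []string{"<!--", "-->", "--!>"} {
		if strings.Contains(text, forbidden) {
			return false
		}
	}
	return !strings.HasSuffix(text, "<!-")
}

// renderComment is a hypothetical policy hook (not bluemonday's API). With
// allowComments false it mirrors bluemonday's default and drops the comment;
// with allowComments true it still drops any comment whose body could break
// out of the comment context and otherwise re-emits it unchanged. It returns
// the emitted string and whether the comment was kept.
func renderComment(allowComments bool, body string) (string, bool) {
	if !allowComments || !commentBodyIsWellFormed(body) {
		return "", false
	}
	return "<!--" + body + "-->", true
}

func main() {
	// Constructed sample comment bodies, as a parser might hand them to a policy.
	samples := []string{
		"build 1234",     // harmless, kept
		"a --> b",        // "-->" would close the comment early, dropped
		"-> not allowed", // forbidden leading "->", dropped
	}
	for _, s := range samples {
		out, kept := renderComment(true, s)
		fmt.Printf("kept=%t out=%q\n", kept, out)
	}
}
```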

programuotojasgf commented 3 years ago

@buro9 We also need this. Is there any change of mind regarding this?