microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License
3.14k stars 176 forks

Filter external resources #99

Open emersion opened 4 years ago

emersion commented 4 years ago

Sometimes it's desirable to disallow external resources (<img>, background: url(…), etc), to prevent sanitized HTML from "calling home" (triggering HTTP requests, e.g. using pixel images for tracking purposes). For instance a webmail might want to do this.

Would you be interested in adding an API to validate external resources?
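The check described in this issue, as an added example that is not part of the thread or of bluemonday's own code: a Go URL classifier written in the shape of the callback that bluemonday's `AllowURLSchemeWithCustomPolicy` takes (`func(*url.URL) bool`), plus a small `url()` extractor for `style` values so that `background: url(…)` can be judged by the same rule. The allowlisted host `images.example.net`, the host `tracker.test` and all sample inputs are constructed for the example. It uses only the standard library, so it runs without bluemonday; the one-line wiring into a policy is shown in a comment.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hosts permitted to serve resources embedded in sanitized HTML. Constructed
// placeholder for the example; a webmail would list its own image proxy here.
var allowedHosts = map[string]bool{
	"images.example.net": true,
}

// allowResourceURL is a URL policy in the shape bluemonday's
// AllowURLSchemeWithCustomPolicy accepts: func(*url.URL) bool. Wiring it up
// would look like
//
//	p.AllowURLSchemeWithCustomPolicy("https", allowResourceURL)
//
// It keeps a URL only when its host is on the allowlist.
func allowResourceURL(u *url.URL) bool {
	if u == nil || u.User != nil {
		// Userinfo lets "https://images.example.net@tracker.test/" look
		// allowlisted at a glance while actually fetching from tracker.test.
		return false
	}
	// url.Parse lowercases the scheme but not the host, so normalise here.
	host := strings.ToLower(u.Hostname())
	return host != "" && allowedHosts[host]
}

// classifyResourceURL applies the policy to a raw attribute value and reports
// why the value was kept or dropped.
func classifyResourceURL(raw string) (keep bool, reason string) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return false, "unparseable"
	}
	switch {
	case u.Scheme == "" && u.Host == "":
		// Path-only value, served by the application itself.
		return true, "relative"
	case u.Scheme == "":
		// "//host/path" inherits the page's scheme but is still another
		// origin; a sanitizer that treats scheme-less values as relative
		// would keep it, so the host is checked explicitly.
		return allowResourceURL(u), "scheme-relative"
	case u.Scheme == "http", u.Scheme == "https":
		return allowResourceURL(u), u.Scheme
	case u.Scheme == "data":
		// Inline content: no request leaves the client.
		return true, "data"
	default:
		return false, "scheme " + u.Scheme + " not allowed"
	}
}

// cssURL extracts the argument of url(...) in a style value. Simplified
// matcher for illustration only: it does not handle CSS escape sequences.
var cssURL = regexp.MustCompile(`(?i)url\(\s*['"]?([^'"()]+?)['"]?\s*\)`)

// styleCallsHome reports whether any url() in a style attribute points at a
// host outside the allowlist.
func styleCallsHome(style string) bool {
	for _, m := range cssURL.FindAllStringSubmatch(style, -1) {
		if keep, _ := classifyResourceURL(m[1]); !keep {
			return true
		}
	}
	return false
}

func main() {
	samples := []string{ // constructed inputs
		"https://images.example.net/logo.png",
		"HTTPS://IMAGES.EXAMPLE.NET/logo.png",
		"/static/logo.png",
		"https://tracker.test/pixel.gif",
		"//tracker.test/pixel.gif",
		"https://images.example.net@tracker.test/pixel.gif",
		"https://images.example.net.tracker.test/pixel.gif",
		"data:image/png;base64,iVBORw0KGgo=",
		"javascript:alert(1)",
	}
	for _, s := range samples {
		keep, why := classifyResourceURL(s)
		fmt.Printf("%-52s keep=%-5v %s\n", s, keep, why)
	}
	fmt.Println("style calls home:", styleCallsHome(`background: url("//tracker.test/pixel.gif")`))
}
```

Two caveats the classifier makes explicit: a scheme-relative value such as `//tracker.test/pixel.gif` parses with an empty scheme, so a policy that simply allows relative URLs would keep it and the request would still go out; and a host on the allowlist can appear in the userinfo part of a URL whose real host is elsewhere. For `style`, the regex is only a demonstration; in a real policy, allowlisting the permitted CSS properties is the more robust control, and `url()` is not the only CSS construct that can fetch a resource.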

buro9 commented 4 years ago

What do you have in mind?

I'm not sure what this solution looks like, but whilst this is sanitization for XSS and untrusted HTML I wouldn't be averse to making it sanitize for privacy.

jhillyerd commented 4 years ago

This may be something my proposed code in #61 could be used for, as it would allow a function to transform or remove tokens.

onthegit commented 1 year ago

My PR #153 has a callback function that will allow you to modify/add/remove attributes of HTML elements with your own business logic before they are parsed by bluemonday.