Open emersion opened 4 years ago
What do you have in mind?
I'm not sure what this solution looks like, but whilst this is sanitization for XSS and untrusted HTML I wouldn't be averse to making it sanitize for privacy.
This may be something my proposed code in #61 could be used for, as it would allow a function to transform or remove tokens.
My PR #153 has a callback function that will allow you to modify/add/remove attributes of HTML elements with your own business logic before they are parsed by bluemonday.
Sometimes it's desirable to disallow external resources (<img>, background: url(…), etc), to prevent sanitized HTML from "calling home" (triggering HTTP requests, e.g. using pixel images for tracking purposes). For instance a webmail might want to do this.

Would you be interested in adding an API to validate external resources?
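One way to express the check the issue asks for, as an added example that is neither bluemonday code nor part of the thread: a conservative test for whether a resource URL or an inline style value could trigger a network request. The names `isLocalResource`, `styleIsLocal` and `cssURL` are hypothetical, and treating only `cid:` and `data:` as local is an assumption suited to the webmail case.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// cssURL matches url(...) with optional quotes (pattern written for this example).
var cssURL = regexp.MustCompile(`(?i)url\(\s*["']?([^"')]*)["']?\s*\)`)

// isLocalResource reports whether fetching raw stays inside the message:
// cid: names a MIME part and data: carries its bytes inline. Anything else,
// including relative and scheme-relative URLs, may cause an HTTP request.
func isLocalResource(raw string) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return false // unparseable: treat as external
	}
	s := strings.ToLower(u.Scheme)
	return s == "cid" || s == "data"
}

// styleIsLocal reports whether an inline style value can be kept. It refuses
// backslashes (CSS escapes can spell "url" differently), image-set() (takes
// bare strings as URLs) and any url( that the pattern could not fully match.
func styleIsLocal(style string) bool {
	lower := strings.ToLower(style)
	if strings.Contains(lower, `\`) || strings.Contains(lower, "image-set(") {
		return false
	}
	matches := cssURL.FindAllStringSubmatch(style, -1)
	if strings.Count(lower, "url(") != len(matches) {
		return false // e.g. an unclosed url( at the end of the value
	}
	for _, m := range matches {
		if !isLocalResource(m[1]) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample values, not taken from the issue.
	fmt.Println(isLocalResource("cid:logo@example"), isLocalResource("//tracker.example/p.gif"))
	fmt.Println(styleIsLocal("background: url('https://tracker.example/p.gif')"))
}
```

A sanitizer would call these on `src`-like attributes and on `style` values and drop whatever fails. A regular expression is not a CSS parser, which is why the function rejects anything it cannot fully account for.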