rrrene / html_sanitize_ex

HTML sanitizer for Elixir
MIT License

Add the URI scheme 'mailto' to the HTML5 whitelist #24

Closed SViccari closed 7 years ago

SViccari commented 7 years ago

Why: The URI scheme 'mailto' is currently being removed when calling HtmlSanitizeEx.html5/1. Example:

HtmlSanitizeEx.html5("<a href=\"mailto:someone@yoursite.com\">Email Us</a>")
iex > "<a>Email Us</a>"

This PR: Allows the 'mailto' URI scheme to remain intact when using the HTML5 scrubber.
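
The scheme check this PR touches, shown as an added illustration in Python rather than HtmlSanitizeEx's Elixir code: a minimal scrubber that keeps a small tag whitelist and lets an `href` through only when its URI scheme is whitelisted, so `mailto:` survives while unlisted schemes are dropped and the `<a>` element is kept, as in the output quoted above. The allowed tag and scheme sets are assumptions for the example; the page only establishes that 'mailto' was added to the HTML5 whitelist.

```python
from html.parser import HTMLParser
from html import escape
import re

# Assumed whitelist for the example: the page only says 'mailto' was added.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# RFC 3986 scheme: letter followed by letters, digits, '+', '-', '.', then ':'.
SCHEME_RE = re.compile(r"^\s*([a-zA-Z][a-zA-Z0-9+.-]*):")


def href_allowed(value: str) -> bool:
    """Keep relative URLs and whitelisted schemes; reject everything else."""
    m = SCHEME_RE.match(value)
    if m is None:
        return True  # no scheme at all: a relative URL
    return m.group(1).lower() in ALLOWED_SCHEMES


class AnchorScrubber(HTMLParser):
    """Keeps <a> and <p>; drops every other tag and any disallowed href."""
    ALLOWED_TAGS = {"a", "p"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            return  # tag removed; its text content is still emitted by handle_data
        kept = []
        for name, value in attrs:
            if tag == "a" and name == "href" and value is not None and href_allowed(value):
                kept.append(f' href="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Run the scrubber over a fragment and return the cleaned markup."""
    p = AnchorScrubber()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Running it on the PR's own input, `<a href="mailto:someone@yoursite.com">Email Us</a>` comes back unchanged, and `<script>alert()</script> <p>Hi</p>` becomes `alert() <p>Hi</p>`, the same shape as the pre-rc2 output quoted later in the thread.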

rrrene commented 7 years ago

@SViccari Thx! :+1:

rrrene commented 7 years ago

@SViccari Follow-up: I just published v1.3.0-rc1 which contains your PR. It also changes the way white-space is handled. It would be great if you could test this pre-release version :+1:

SViccari commented 7 years ago

@rrrene Thank you for the merge 💛 I'll test v1.3.0-rc1 this week and provide feedback.

rrrene commented 7 years ago

@SViccari Please use v1.3.0-rc2, which contains some other fixes. Feedback, even a short "Works as expected.", is very welcome!

SViccari commented 7 years ago

@rrrene Happy Friday! Sorry for the delay but I had time to test v1.3.0-rc2 today. Everything seems 👍 except for one change. I'm seeing the introduction of _. I'm not sure what that is but it looks like it received test coverage here.

In rc-2:

iex(1)> input = "<script>alert()</script> <p>Hi</p>"
iex(2)> input |> HtmlSanitizeEx.html5
"alert() ソ <p>Hi</p>"

Before rc-2:

iex(1)> input = "<script>alert()</script> <p>Hi</p>"
iex(2)> input |> HtmlSanitizeEx.html5
"alert() <p>Hi</p>"

rrrene commented 7 years ago

@SViccari Ahhh, right. I released v1.3.0-rc3 to address this! :+1: