tildeio / htmlbars

A variant of Handlebars that emits DOM and allows you to write helpers that manipulate live DOM nodes
MIT License

consider whitelist for safe protocols #406

Open stefanpenner opened 9 years ago

stefanpenner commented 9 years ago

https://github.com/tildeio/htmlbars/blob/3035edf9f5505e93340273d0cf561c4853e84557/packages/morph-attr/lib/sanitize-attribute-value.js#L5

neraliu commented 9 years ago

@stefanpenner, I have a more comprehensive list of tags and attributes that are regarded as unsafe in a URI context; I can help out by creating a PR for this feature. https://github.com/yahoo/xss-filters/blob/master/src/xss-filters.js#L58 (tag names) https://github.com/yahoo/secure-handlebars/blob/master/src/parser-utils.js#L31 (attribute names)

stefanpenner commented 8 years ago

@neraliu I wonder if we should make the blacklist/whitelist a common node_module, so that testing/auditing/sharing is more centralized. Does this seem possible?

neraliu commented 8 years ago

@stefanpenner Yes, we can make it a standalone npm module for testing/auditing/sharing. And I am wondering what the default behavior of htmlbars is when it encounters a URI context: blacklist or whitelist? What are general developers expecting?
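The whitelist approach the issue proposes, as an added example that is not htmlbars' own `sanitize-attribute-value` code: the set of URI-carrying attributes, the allowed schemes and the `unsafe:` prefix are assumptions for illustration, and the input is the already-decoded attribute string a DOM-emitting template engine would set, not raw HTML source.

```javascript
// Added example of a whitelist-based URI attribute sanitizer (not htmlbars code).
// The attribute and scheme lists below are assumptions chosen for illustration.
const URI_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);
const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);
const UNSAFE_PREFIX = 'unsafe:'; // assumed neutralising prefix for rejected values

// Recover the scheme the way the URL parser would: leading/trailing ASCII
// controls and spaces are dropped, tabs and newlines anywhere are removed,
// and the scheme is matched case-insensitively. A blacklist that compares
// the raw string misses " JavaScript:" and "java\nscript:"; this does not.
function extractProtocol(value) {
  const cleaned = String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return match ? match[1].toLowerCase() + ':' : null;
}

function sanitizeAttributeValue(attrName, value) {
  if (!URI_ATTRIBUTES.has(attrName.toLowerCase())) {
    return value; // not a URI context, so no scheme check applies
  }
  const protocol = extractProtocol(value);
  if (protocol === null) {
    return value; // relative reference ("/login", "#top"): no scheme to vet
  }
  if (SAFE_PROTOCOLS.has(protocol)) {
    return value;
  }
  // Everything not explicitly allowed (javascript:, data:, vbscript:, any
  // unknown scheme) is neutralised; nothing needs to be enumerated as bad.
  return UNSAFE_PREFIX + value;
}
```

The default-behaviour question in the thread is exactly the last branch: with a whitelist, a scheme nobody thought of is rejected rather than passed through.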