Allow Liquid syntax in specific attribute, such as href #660
Replies: 4 comments
- If it's not valid HTML, then generally speaking it will not be supported. However you might want to give some specific examples in case it's actually valid HTML in this use case and just getting escaped in a way that is excessive to the requirements of valid HTML, or something.
- Thanks for the reply @boutell - Here's an example of a link with Liquid: `<a href="http://example.com/page?param={{ "value1&value2" | url_encode }}">Link</a>`
- OK, thanks. This involves unescaped quotes inside the attribute quotes, which is not valid HTML, so it is out of scope for sanitize-html.
- (Liquid is basically Nunjucks is basically Twig is basically Jinja, which is a rather large forest of similar template languages, so it's possible someone else has written a validator / sanitizer for untrusted code in this syntax. We actually support Nunjucks in Apostrophe, for which sanitize-html was created, but we don't let editors create template code, just rich text, so this hasn't been on our particular company's roadmap.)
- We use sanitize-html for our HTML inputs, but our customers want to mix in Liquid syntax. We have a workaround to allow it inside of tags, such as `<div>`, but the URL encoding prevents using Liquid syntax, such as '&' in links. We'd like to be able to disable sanitizing inside of specific locations, such as was granted for styles. Or, we'd like to disable URL encoding. Would something like we're describing defeat the purpose of sanitizing entirely, or could it be reasonable?
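As an added example (not code from this thread or from sanitize-html), a small start-tag attribute tokenizer that follows the HTML spec's quoted-attribute-value rule, run over the Liquid link above: the inner double quote ends the href early and the rest of the expression turns into stray attributes, while the same expression written with single quotes inside the double-quoted attribute survives as one value. The function name and the second, single-quoted variant are my assumptions, not something from the discussion.

```javascript
// Added example: tokenize the attributes of ONE start tag the way an HTML
// parser does (quoted value ends at the first matching quote; no entity
// decoding, no further error recovery). Used to show why the Liquid href
// from the thread is not valid HTML and what a sanitizer would actually see.
function parseStartTagAttributes(tag) {
  const attrs = [];
  // Skip "<tagname"; attributes start at the first whitespace, '/' or '>'.
  let i = tag.search(/[\s\/>]/);
  if (i === -1) i = tag.length;
  while (i < tag.length) {
    while (i < tag.length && /\s/.test(tag[i])) i++;          // whitespace
    if (i >= tag.length || tag[i] === '>' || tag[i] === '/') break;
    let name = '';                                            // attribute name
    while (i < tag.length && !/[\s=\/>]/.test(tag[i])) name += tag[i++];
    while (i < tag.length && /\s/.test(tag[i])) i++;
    let value = '';
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        // Quoted value: everything up to the next matching quote, nothing more.
        i++;
        while (i < tag.length && tag[i] !== q) value += tag[i++];
        i++;                                                  // closing quote
      } else {
        // Unquoted value: up to whitespace or '>'.
        while (i < tag.length && !/[\s>]/.test(tag[i])) value += tag[i++];
      }
    }
    attrs.push({ name: name.toLowerCase(), value });
  }
  return attrs;
}

// Constructed inputs: the link from the thread, and a variant that keeps the
// Liquid string literal in single quotes so the attribute stays well-formed.
const liquidLinkFromThread =
  '<a href="http://example.com/page?param={{ "value1&value2" | url_encode }}">';
const liquidLinkSingleQuoted =
  "<a href=\"http://example.com/page?param={{ 'value1&value2' | url_encode }}\">";
```

Running `parseStartTagAttributes(liquidLinkFromThread)` yields an href of only `http://example.com/page?param={{ ` plus four junk attributes, whereas the single-quoted variant yields a single intact href.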