How do I only allow tagged html #645
Comments
I'm confused. Can you provide an example where you show user input, expected behavior, and actual behavior?
It sounds like you want to discard the text of tags that are not allowed, as opposed to just stripping the tags themselves. Normally in HTML sanitization it makes more sense to just strip the tags because this preserves as much user content as is allowed. Also, what should happen to an allowed tag inside a disallowed tag? In principle an option to completely discard the content of a disallowed tag is possible, but we should think about whether it makes sense. Perhaps what you really want is to be able to list specific tags that should be discarded along with their contents, while others would be tolerated, for instance if you don't want people using the

You might also look at the existing transform options.
A user sends this as their SEO tags

<title>My post</title>
<meta name="description" content="A post about a thing">

The title tag isn't allowed, so it gets sanitized to this

My post
<meta name="description" content="A post about a thing">

which gets rendered visually as text. Doing what @boutell was talking about would keep people from accidentally doing this, but wouldn't stop them from doing it on purpose.

This is an edge case, in that I can think of few other situations that call for it, but it is certainly a valid HTML-related edge case; a pull request for an option to *completely* discard disallowed tags with all of their contents would be fine as long as it comes with unit tests.

--
THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER
APOSTROPHECMS | apostrophecms.com | he/him/his
Found a solution that works for me. It's a bit silly but ¯\_(ツ)_/¯

body {
  font-size: 0;
}
body > * {
  font-size: 1rem;
}
@ViteOrder you can use this to remove text for disallowed tags
I'm sanitizing SEO tags, and want to only allow meta tags.
So I use these options
This prevents all other tags from being used, but it doesn't prevent untagged text. So, if a user sent a string of text, it would be rendered on the page.
How do I fix this?
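The following is an added example and is not code from the sanitize-html project or from anyone in this thread. It serves two passages at once: boutell's distinction between stripping a disallowed tag (its text survives, which is the leak ViteOrder reported) and discarding the tag with its contents, and the original question of refusing untagged text so that only tagged HTML survives. `filterMarkup`, `tokenize`, `serializeTag` and the `policy` fields are names invented for this example, not the library's API; in sanitize-html itself the closest built-in is the `nonTextTags` option, which drops the listed tags together with their contents (script, style, textarea and option by default), and the `textFilter` callback lets you act on text nodes. The tokenizer here is deliberately naive and exists only to make the policy logic visible; production input should go through the library's real HTML parser.

```javascript
// Added example, not code from the sanitize-html project. A tiny tokenizer plus
// a policy function, so the behaviours discussed above can be run on the
// thread's own input. The tag pattern is intentionally naive: it does not
// handle comments, CDATA, '>' inside attribute values or malformed markup,
// which is exactly why production input should go through sanitize-html's
// real parser rather than through code like this.

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^<>]*)>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Void elements have no closing tag, so they never open a nesting frame.
const VOID = new Set(['meta', 'link', 'br', 'img', 'hr', 'input']);

// Split markup into text tokens and tag tokens with parsed attributes.
function tokenize(html) {
  const tokens = [];
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    if (m.index > last) tokens.push({ type: 'text', value: html.slice(last, m.index) });
    const attrs = {};
    for (const a of m[3].replace(/\/\s*$/, '').matchAll(ATTR_RE)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tokens.push({ type: m[1] ? 'close' : 'open', name: m[2].toLowerCase(), attrs });
    last = m.index + m[0].length;
  }
  if (last < html.length) tokens.push({ type: 'text', value: html.slice(last) });
  return tokens;
}

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Re-emit an allowed tag with only its allow-listed attributes.
function serializeTag(tok, allowedAttrs) {
  const parts = Object.entries(tok.attrs)
    .filter(([k]) => allowedAttrs.includes(k))
    .map(([k, v]) => ` ${k}="${escapeText(v)}"`);
  return `<${tok.name}${parts.join('')}>`;
}

// policy.allowedTags  : { tagName: [allowed attribute names] }
// policy.dropContents : tags discarded together with everything inside them
//                       (the "completely discard" option discussed above);
//                       any other disallowed tag is stripped but its text kept
// policy.allowBareText: when false, non-blank text inside no allowed tag is
//                       removed and reported in rejectedText, so the caller can
//                       refuse the submission instead of silently altering it
function filterMarkup(html, policy) {
  const allowed = policy.allowedTags;
  const dropContents = new Set(policy.dropContents || []);
  const stack = [];                     // open non-void tags: { name, keep, drop }
  const rejectedText = [];
  let out = '';
  const inDropped = () => stack.some((f) => f.drop);
  const inAllowed = () => stack.some((f) => f.keep);
  for (const t of tokenize(html)) {
    if (t.type === 'text') {
      if (inDropped()) continue;
      if (!inAllowed() && !policy.allowBareText && t.value.trim() !== '') {
        rejectedText.push(t.value.trim());
        continue;
      }
      out += escapeText(t.value);
    } else if (t.type === 'open') {
      const keep = Object.prototype.hasOwnProperty.call(allowed, t.name) && !inDropped();
      if (keep) out += serializeTag(t, allowed[t.name]);
      if (!VOID.has(t.name)) stack.push({ name: t.name, keep, drop: dropContents.has(t.name) });
    } else {
      let i = stack.length - 1;
      while (i >= 0 && stack[i].name !== t.name) i--;
      if (i < 0) continue;              // stray closing tag: ignore it
      // Pop this frame and anything left unclosed inside it, closing kept tags.
      for (const f of stack.splice(i).reverse()) if (f.keep) out += `</${f.name}>`;
    }
  }
  return { html: out, rejectedText };
}

// Constructed inputs: the thread's own example, plus loose text, which is the
// reporter's second problem.
const SUBMITTED = '<title>My post</title>\n<meta name="description" content="A post about a thing">';
const BARE = 'Buy now!! <meta name="robots" content="noindex">';
const META_ONLY = { meta: ['name', 'content'] };

// Strip-the-tag-only behaviour: <title> goes, "My post" leaks out as loose text.
function stripTagsOnly(html) {
  return filterMarkup(html, { allowedTags: META_ONLY, allowBareText: true }).html;
}

// Discard <title> with its contents and refuse loose text: only tagged HTML survives.
function tagsOnly(html) {
  return filterMarkup(html, { allowedTags: META_ONLY, dropContents: ['title'], allowBareText: false });
}

console.log(stripTagsOnly(SUBMITTED));
console.log(JSON.stringify(tagsOnly(SUBMITTED)), JSON.stringify(tagsOnly(BARE)));
```

`stripTagsOnly` reproduces the sanitized output quoted in the thread, with `My post` left behind as bare text; `tagsOnly` returns only the `<meta>` element and reports the rejected text, so the form handler can return a validation error rather than quietly publishing a modified field. Returning the rejected fragments is the important design choice: for an SEO field, telling the submitter what was refused is both friendlier and easier to audit than silent removal. Note that the CSS font-size trick posted above only hides loose text visually; the text is still delivered in the page, so removing or rejecting it at sanitization time is the stronger control.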