This repository has been archived by the owner on Feb 28, 2022. It is now read-only.

Disable XSS sanitizer by default #356

Closed
tripodsan opened this issue Jun 5, 2019 · 3 comments · Fixed by #358
Comments

@tripodsan
Contributor

Allowing HTML in markdown voids the need for an XSS sanitizer a little bit.
Suggest disabling it by default, either by removing it from the html pipeline completely, or safeguarding it with:

    .before(sanitize).when(paranoid)

/cc @trieloff @davidnuescheler @ramboz
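To make the proposed `.before(sanitize).when(paranoid)` shape concrete, here is an added JavaScript example (not helix-pipeline's own code): an assumed minimal pipeline builder in which `.when()` attaches a predicate to the step just registered, so the sanitizer only runs when the caller opts in. The `Pipeline`, `sanitize`, `paranoid`, `buildPipeline` and `render` names, and the constructed input, are assumptions; the sanitizer is a deliberately naive stand-in, not a real XSS sanitizer.

```javascript
// Added example, not helix-pipeline code: a minimal pipeline with the
// `.before(step).when(predicate)` shape proposed in the issue.

class Pipeline {
  constructor() { this.steps = []; }

  // Register a step that runs unconditionally unless `.when()` guards it.
  before(fn) {
    this.steps.push({ fn, guard: () => true });
    return this;
  }

  // Guard the most recently registered step with a predicate over the context.
  when(predicate) {
    const last = this.steps[this.steps.length - 1];
    if (!last) throw new Error('when() must follow a registered step');
    last.guard = predicate;
    return this;
  }

  // Run each step whose guard accepts the context; return the context.
  run(context) {
    for (const { fn, guard } of this.steps) {
      if (guard(context)) fn(context);
    }
    return context;
  }
}

// Stand-in sanitizer (assumption): drops <script> elements only. A real
// sanitizer would apply an allow-list; this exists to show *when* it runs.
function sanitize(context) {
  context.html = context.html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Predicate for the guard: sanitize only when the caller opts in.
const paranoid = (context) => context.paranoid === true;

function buildPipeline() {
  return new Pipeline().before(sanitize).when(paranoid);
}

// Constructed input: HTML rendered from markdown that embedded raw HTML.
const RENDERED = '<h1>Hi</h1><script>track()</script><p>ok</p>';

// Render the constructed input with the given paranoid setting.
function render(paranoidFlag) {
  return buildPipeline().run({ html: RENDERED, paranoid: paranoidFlag }).html;
}
```

With `paranoid` unset the markup passes through untouched, which is the default behaviour the issue asks for; setting it restores the sanitizer.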

@rofe
Contributor

rofe commented Jun 5, 2019

Agreed. And having to remember to use

  ${content.document.body.innerHTML @ context = 'unsafe'}

in html.htl is error prone and kind of ugly...

@tripodsan
Contributor Author

tripodsan commented Jun 6, 2019

> Agreed. And having to remember to use
>
>     ${content.document.body.innerHTML @ context = 'unsafe'}
>
> in html.htl is error prone and kind of ugly...

This was reverted with the new htlengine #337.

tripodsan added a commit that referenced this issue Jun 6, 2019
adobe-bot pushed a commit that referenced this issue Jun 6, 2019
# [2.5.0](v2.4.0...v2.5.0) (2019-06-06)

### Features

* **html-pipe:** disable sanitizer by default ([876b743](876b743)), closes [#356](#356)
@adobe-bot

🎉 This issue has been resolved in version 2.5.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
