Allow url protocol block/allow lists #1361
Conversation
|
9 commits later, I got the tests to finally pass. |
|
Hi @aprotim thanks again for the PR This looks like it's adding new options which is not the desire for marked at this time. Especially since we are going to remove sanitization in the future (#1232). A block-list or allow-list can be implemented outside of marked using something like Example sanitizeHere's an example of using an block-list to remove bad protocols. var blockList = ["http", "https", "ftp", "mailto"];
var dirty = marked(md);
var clean = sanitizeHtml(dirty, {
transformTags: {
'a': function(tagName, attribs) {
if (attribs.href && blockList.some(p => attribs.href.startsWith(p))) {
delete attribs.href;
}
return { tagName: tagName, attribs: attribs };
}
}
}); |
|
I understand the desire to limit feature creep, to which end I've filed #1362. I would like to point out that there's a lot of value of sanitizing the (post-parse, pre-render) input and not (just) the output: keeping up with the ins and outs of the complex ways HTML can be abused is a harder problem than restricting the already smaller subset of functionality of markdown. (As far as I can tell, the vast majority, if not all, markdown-related XSS vulnerabilities could be avoided by disallowing embedded HTML and only allowing URLs from a small set of URL schemas.) |
Markdown flavor: all
Description
Add the ability to set lists of allowable or blocked url protocols. Replaces the current "sanitize" code for URLs with explicit controls. (Existing behavior for sanitize is retained, for compatibility, but if/when sanitize is removed generally, urls can still be restricted to only desired protocols.
The included tests have examples.
Contributor
Committer
In most cases, this should be a different person than the contributor.