Presets #82
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -134,6 +134,11 @@ handle additional, application-specific use cases. | |
| DocumentFragment sanitize(SanitizerInput input); | ||
| DOMString sanitizeToString(SanitizerInput input); | ||
|
|
||
| static readonly attribute Sanitizer default; | ||
| static readonly attribute Sanitizer nofetch; | ||
| static readonly attribute Sanitizer nonavigate; | ||
|
There was a problem hiding this comment. If I may, I'll punt on the discussion of the nofetch & nonavigate use case for now, maybe even for all of v1. I fully agree that we will have to consider this at some point though :) |
||
| static readonly attribute Sanitizer richtext; | ||
|
There was a problem hiding this comment. I think it would be great if we could adopt a list of reasonable HTML elements from "somewhere else", which would allow us to inherit a widely-used set of HTML elements and thus satisfy very common use cases. |
||
|
|
||
| SanitizerConfig config(); | ||
| static SanitizerConfig defaultConfig(); | ||
| }; | ||
|
|
@@ -168,6 +173,34 @@ Example: | |
| JSON.stringify(Sanitizer.defaultConfig()) == JSON.stringify(new Sanitizer().config()); // true | ||
| ``` | ||
|
|
||
| ## Presets ## {#presets} | ||
|
|
||
| The value of each of the static preset attributes, {{default}}, {{nofetch}}, | ||
| {{nonavigate}}, and {{richtext}} is the result of creating a | ||
| {{Sanitizer}} instance with the appropriate configuration constant used as the | ||
| [=configuration object=]. The pairing of {{Sanitizer}} preset attributes | ||
| and the constants to use as the [=configuration object=] are listed below: | ||
|
|
||
| * <dfn attribute for=Sanitizer>default</dfn>: [=default configuration=] object. | ||
| * <dfn attribute for=Sanitizer>nofetch</dfn>: [=nofetch configuration object=]. | ||
| * <dfn attribute for=Sanitizer>nonavigate</dfn>: [=nonavigate configuration object=]. | ||
| * <dfn attribute for=Sanitizer>richtext</dfn>: [=richtext configuration object=]. | ||
|
|
||
| Examples: | ||
| ```js | ||
| // Preset "rich text" allows only formatting: | ||
| // <p class="blubb"><b>text</b></p> | ||
| Sanitizer.richtext.sanitize("<p id=bla class=blubb><a href=https://example.org><b>text</b></a>"); | ||
|
There was a problem hiding this comment. With my suggestion above someone would still have to initialize it if they need it. |
||
|
|
||
| // Preset "no fetch" does not allow constructs that cause network activity: | ||
| // <a href="http://example.net">link</a> | ||
| Sanitizer.nofetch.sanitize("<img src=thatsthejoke.jpg><a href=http://example.net>link</a>") | ||
|
|
||
| // Preset "no navigate" does not allow constucts that cause navigation: | ||
| // <img src=thatsthejoke.jpg>link | ||
| Sanitizer.nonavigate.sanitize("<img src=thatsthejoke.jpg><a href=http://example.net>link</a>") | ||
| ``` | ||
|
|
||
| ## Input Types ## {#inputs} | ||
|
|
||
| The sanitization methods support three input types: `DOMString`, `Document`, | ||
|
|
@@ -743,3 +776,33 @@ The built-in <dfn>default configuration</dfn> has the following value: | |
| path: resources/default-configuration.json | ||
| highlight: js | ||
| </pre> | ||
|
|
||
| ## Presets ## {#preset-values} | ||
|
|
||
| The <dfn>nofetch configuration object</dfn> has the following value: | ||
|
|
||
| Issue(WICG/sanitizer-api#57): Determine value. | ||
|
|
||
| <pre class=include-code> | ||
| path: resources/preset-nofetch-configuration.json | ||
| highlight: js | ||
| </pre> | ||
|
|
||
| The <dfn>nonavigate configuration object</dfn> has the following value: | ||
|
|
||
| Issue(WICG/sanitizer-api#71): Determine value. | ||
|
|
||
| <pre class=include-code> | ||
| path: resources/preset-nonavigate-configuration.json | ||
| highlight: js | ||
| </pre> | ||
|
|
||
| The <dfn>richtext configuration object</dfn> has the following value. | ||
|
|
||
| Issue: Determine value. The value below is a placeholder. | ||
|
|
||
| <pre class=include-code> | ||
| path: resources/preset-richtext-configuration.json | ||
| highlight: js | ||
| </pre> | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| // TODO |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| // TODO |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| // Text grouping and text-level semantics elements: | ||
| allowElements: [ | ||
| // Content grouping elements: https://html.spec.whatwg.org/#grouping-content, | ||
| // execpt main: | ||
| "p", "hr", "pre", "blockquote", "ol," "ul", "menu", "li", "dl", "dt", "dd", | ||
| "figure", "figcaption", "div", | ||
| // Text-level semantics elements: https://html.spec.whatwg.org/#text-level-semantics, | ||
| // without "a", "data" | ||
| "em", "strong", "small", "s", "cite", "q", "dfn", "abbr", "ruby", "rt", "rp", | ||
| "time", "code", "var", "samp", "kbd", "sub", "sup", "i", "b", "u", "mark", "bdi", | ||
| "bdo", "span", "br", "wbr" | ||
| ], | ||
| // class= attributes are okay. | ||
| allowAttributes: { "class": ["*"] } | ||
| } |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer we expose this as configuration objects. That would expose some constant-defined JS objects from the Sanitizer object, e.g. Sanitizer.CONFIG_DEFAULT would return a dictionary.
That way, we wouldn't have to initialize and keep various Sanitizer isntances in every window.