
Allow the 'class' attribute to pass the sanitizer #3565

Merged (1 commit), Aug 23, 2022

Conversation

jasongrout (Member)

This allows the 'class' attribute in the default sanitizer.

Fixes #3564

@jasongrout jasongrout added this to the 8.0 milestone Aug 23, 2022

vidartf (Member) commented Aug 23, 2022

Note that the default options for sanitize-html (https://github.com/apostrophecms/sanitize-html#default-options) are quite restrictive. Do we have any sources that support the case that allowing class is safe? Or alternatively, do we have any sources that allowing class is not safe? Do we have any standard to apply when deciding which tags/attributes to allow? While the default behavior is no HTML at all, since we are maintaining our own custom sanitizer allow-list instead of using the default one, we should have some sort of standard for what we consider allowable or not.
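To make the question above concrete, here is an added example that is not code from ipywidgets, JupyterLab or sanitize-html. It is a tiny allow-list filter that reads options in the same shape sanitize-html uses (`allowedTags`, and `allowedAttributes` with a `'*'` wildcard key), applied to a constructed widget description with and without `class` in the list. The allow-list itself (`makeOptions`) and the sample description are assumptions for the demonstration, not the project's real configuration, and the tokenizer only handles simple, well-formed tags, so it is a stand-in for showing the effect of the change, not a sanitizer to deploy.

```javascript
// Added example, not ipywidgets or sanitize-html code. A minimal allow-list
// filter that reads options in the same shape sanitize-html uses
// (`allowedTags`, `allowedAttributes` with a '*' wildcard key), so the effect
// of adding 'class' to the list can be seen on a sample description.
// The tokenizer only handles simple, well-formed tags; it is a stand-in for
// demonstration, not a sanitizer to deploy.

// Assumed allow-list (hypothetical, not the project's real configuration):
// 'style' is already permitted, 'class' is toggled by the flag.
function makeOptions(allowClass) {
  return {
    allowedTags: ['b', 'i', 'p', 'span', 'a'],
    allowedAttributes: {
      '*': allowClass ? ['style', 'class'] : ['style'],
      a: ['href'],
    },
  };
}

// Matches one opening or closing tag and captures its raw attribute text.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
// Matches one attribute: name, then an optional quoted or bare value.
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function attrAllowed(tag, name, opts) {
  const wildcard = opts.allowedAttributes['*'] || [];
  const perTag = opts.allowedAttributes[tag] || [];
  return wildcard.includes(name) || perTag.includes(name);
}

function sanitize(html, opts) {
  // Drop script/style elements together with their contents, as a real
  // sanitizer does, so their text does not leak through as plain text.
  const stripped = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return stripped.replace(TAG_RE, (_m, slash, rawTag, rawAttrs) => {
    const tag = rawTag.toLowerCase();
    if (!opts.allowedTags.includes(tag)) return ''; // unknown tag: remove the tag, keep its text
    if (slash) return `</${tag}>`;
    const kept = [];
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!attrAllowed(tag, name, opts)) continue; // e.g. onclick is never listed
      if (name === 'href' && /^\s*javascript:/i.test(value)) continue; // unsafe scheme
      kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed sample description (not taken from the issue): one legitimate
// class plus the things a sanitizer must still remove regardless of the flag.
const DESCRIPTION =
  '<span class="jp-Button" style="color:red" onclick="alert(1)">ok</span>' +
  '<a href="javascript:alert(1)" class="x">link</a><script>alert(1)</script>';

console.log('class denied :', sanitize(DESCRIPTION, makeOptions(false)));
console.log('class allowed:', sanitize(DESCRIPTION, makeOptions(true)));
```

Run with `node` and compare the two lines: with `class` denied the `jp-Button` class is stripped (the behaviour reported in the linked issue), with it allowed the class survives while `onclick`, the `javascript:` href and the `<script>` element are removed either way. The security-relevant difference is that an allowed `class` lets untrusted description HTML reuse any CSS class the host page already defines, whereas an allowed `style` already grants arbitrary inline CSS, which is the comparison the reviewers draw on below.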

vidartf (Member) left a comment

From today's dev meeting, the following points were noted:

  • The sanitizer settings are overridden in the lab widget manager, and lab allows the class attribute, so this issue should not have been seen in lab.
  • As lab allows the class attribute, and since we allow style, it was generally perceived as less risky.
  • We should ideally have a more well defined way of reviewing such changes in the future, and also maybe lab should have a review of its filters.

@vidartf vidartf merged commit 74774da into jupyter-widgets:master Aug 23, 2022
Successfully merging this pull request may close these issues.

HTML sanitization removes class attribute in descriptions
2 participants