Filter external resources #99
What do you have in mind? I'm not sure what this solution looks like, but whilst this is sanitization for XSS and untrusted HTML I wouldn't be averse to making it sanitize for privacy.
This may be something my proposed code in #61 could be used for, as it would allow a function to transform or remove tokens.
My PR #153 has callback function that will allow you to modify/add/remove attributes of HTML elements with your own business logic before they are parsed by bluemonday.
Sometimes it's desirable to disallow external resources (`<img>`, `background: url(…)`, etc), to prevent sanitized HTML from "calling home" (triggering HTTP requests, e.g. using pixel images for tracking purposes). For instance a webmail might want to do this.

Would you be interested in adding an API to validate external resources?
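A sketch of the kind of check such an API could apply, added here as an illustration and not part of the issue or of bluemonday: a fail-closed policy that decides whether an `<img>` source or a `url(…)` inside a style value would trigger a remote request. The function names `IsLocalResource` and `StyleIsLocal` are hypothetical, and the code assumes attribute values have already been HTML-entity-decoded by the tokenizer.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// cssURL captures the target of each url(...) in a style value. The closing
// paren is not required, because browsers accept an unterminated url( at
// end of input.
var cssURL = regexp.MustCompile(`(?i)url\(\s*['"]?([^'")]*)`)

// IsLocalResource (hypothetical name) reports whether ref loads without
// contacting a remote host. Anything it cannot classify counts as external.
func IsLocalResource(ref string) bool {
	ref = strings.TrimSpace(ref)
	if strings.Contains(ref, `\`) {
		return false // browsers read "\" as "/", so `\\host\x` is remote
	}
	u, err := url.Parse(ref)
	if err != nil {
		return false
	}
	switch u.Scheme { // url.Parse lowercases the scheme
	case "":
		return u.Host == "" // "//host/p.gif" has no scheme but is remote
	case "cid", "data":
		return true // inline mail parts and embedded data
	}
	return false
}

// StyleIsLocal (hypothetical name) checks url(...) targets only; other CSS
// constructs that can load resources are out of scope for this sketch.
func StyleIsLocal(style string) bool {
	if strings.Contains(style, `\`) {
		return false // CSS escapes could hide "url" or its target
	}
	for _, m := range cssURL.FindAllStringSubmatch(style, -1) {
		if !IsLocalResource(m[1]) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample values, not taken from the issue.
	fmt.Println(IsLocalResource("https://tracker.example/pixel.gif?id=42"))
	fmt.Println(StyleIsLocal("background: url(//tracker.example/p.gif)"))
}
```

A policy of this shape could be called from a per-attribute callback such as the one described in the comments on this issue, dropping `src` or `style` when it returns false.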