

Remove outdated elements/attrs
Closes #342
Closes #303
gjtorikian committed Jan 26, 2023
1 parent 993af12 commit 1ff7a0b
Showing 2 changed files with 32 additions and 5 deletions.
10 changes: 5 additions & 5 deletions lib/html_pipeline/sanitization_filter.rb
Expand Up @@ -15,7 +15,7 @@ class SanitizationFilter

# The main sanitization allowlist. Only these elements and attributes are
# allowed through by default.
DEFAULT_CONFIG = {
DEFAULT_CONFIG = Selma::Sanitizer::Config.freeze_config({
elements: ["h1", "h2", "h3", "h4", "h5", "h6", "br", "b", "i", "strong", "em", "a", "pre", "code",
"img", "tt", "div", "ins", "del", "sup", "sub", "p", "ol", "ul", "table", "thead", "tbody", "tfoot",
"blockquote", "dl", "dt", "dd", "kbd", "q", "samp", "var", "hr", "ruby", "rt", "rp", "li", "tr", "td", "th",
Expand All @@ -31,8 +31,8 @@ class SanitizationFilter
"ins" => ["cite"],
"q" => ["cite"],
all: ["abbr", "accept", "accept-charset", "accesskey", "action", "align", "alt", "aria-describedby",
"aria-hidden", "aria-label", "aria-labelledby", "axis", "border", "cellpadding", "cellspacing", "char",
"charoff", "charset", "checked", "clear", "cols", "colspan", "color", "compact", "coords", "datetime", "dir",
"aria-hidden", "aria-label", "aria-labelledby", "axis", "border", "char",
"charoff", "charset", "checked", "clear", "cols", "colspan", "compact", "coords", "datetime", "dir",
"disabled", "enctype", "for", "frame", "headers", "height", "hreflang", "hspace", "id", "ismap", "label", "lang",
"maxlength", "media", "method", "multiple", "name", "nohref", "noshade", "nowrap", "open", "progress",
"prompt", "readonly", "rel", "rev", "role", "rows", "rowspan", "rules", "scope", "selected", "shape",
Expand All @@ -47,9 +47,9 @@ class SanitizationFilter
"img" => {
"src" => ["http", "https", :relative].freeze,
"longdesc" => ["http", "https", :relative].freeze,
}.freeze,
},
},
}
})

class << self
def call(html, config)
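Review bot: In the hunk at `-47,9 +47,9` the `.freeze` on the `"img"` protocols hash (old `}.freeze,`, new `},`) is dropped while the `"src"` and `"longdesc"` arrays directly above keep their inline `.freeze`, so the allowlist is now inconsistent about which layer owns freezing. If `Selma::Sanitizer::Config.freeze_config` deep-freezes the whole structure — which I cannot confirm from this page — the remaining inline `.freeze` calls are redundant and should go too; if it does not, the nested protocols hash is now mutable and a caller that copies `DEFAULT_CONFIG` and mutates a nested value would widen the shared allowlist for every other filter instance. A comment on the `DEFAULT_CONFIG` line stating the guarantee being relied on, e.g. `# freeze_config is expected to deep-freeze the allowlist; callers must build a new config rather than mutate nested values`, would make the intent explicit for whoever next edits this hash. The `-31,8 +31,8` hunk's removal of `cellpadding`, `cellspacing` and `color` narrows the attribute allowlist, which is the safe direction and needs no further change. The enclosing `class SanitizationFilter` begins above the first hunk.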
27 changes: 27 additions & 0 deletions test/sanitization_filter_test.rb
Expand Up @@ -93,6 +93,33 @@ def test_custom_anchor_schemes_are_not_removed
assert_equal(stuff, html)
end

def test_allow_svg_elements_to_be_added
config = DEFAULT_CONFIG.dup
frag = <<~FRAG
<svg height="100" width="100">
<circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
</svg>
FRAG

html = SanitizationFilter.call(frag, config)

assert_equal("\n", html)

config = { elements: ["svg", "circle"],
attributes: { "svg" => ["width"],
"circle" => ["cx", "cy", "r"], }, }

result = <<~FRAG
<svg width="100">
<circle cx="50" cy="50" r="40" />
</svg>
FRAG

html = SanitizationFilter.call(frag, config)

assert_equal(result, html)
end

def test_anchor_schemes_are_merged_with_other_anchor_restrictions
stuff = '<a href="something-weird://heyyy" ping="more-weird://hiii">Wat</a> is this'
allowlist = {
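Review bot: The new `test_allow_svg_elements_to_be_added` never adds SVG on top of the default allowlist: its first half passes `DEFAULT_CONFIG.dup` and asserts that the `<svg>` fragment is stripped to `"\n"`, and its second half replaces the entire config with a hand-written `elements:`/`attributes:` hash, so extending the (now `freeze_config`-wrapped) default is not exercised. If the intent is to show SVG can be added to the defaults, building the second config from the default, e.g. `elements: DEFAULT_CONFIG[:elements] + ["svg", "circle"]`, would cover that interaction; otherwise a name such as `test_custom_svg_config_replaces_default` would describe what is actually asserted. The `config = DEFAULT_CONFIG.dup` at the top of the method is a shallow copy that is never mutated, so plain `DEFAULT_CONFIG` would do and would avoid suggesting that `dup` makes the nested hashes safe to modify. The surrounding test class begins and ends outside this hunk.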
