Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

explore using DOMPurify's allowlists #155

Open
2 of 7 tasks
flavorjones opened this issue Oct 27, 2018 · 7 comments
Open
2 of 7 tasks

explore using DOMPurify's allowlists #155

flavorjones opened this issue Oct 27, 2018 · 7 comments
Assignees
@flavorjones
Labels
allowlist issues related to what tags or attributes are allowed
Milestone
v3.0.0

Comments

@flavorjones
Copy link
Owner

flavorjones commented Oct 27, 2018
edited
Loading

DOMPurify appears to be well-maintained and has an up-to-date allowlist. Explore using those allowlists instead of the HTML5lib-derived lists currently used by Loofah.

  • determine how well whitelists match up to the currently-used-set
  • determine how big the diff is
  • look at using IS_ALLOWED_URI to allowlist protocols
  • make sure to include the DOMPurify license in any machine-generated file
  • consider making a separate gem for Loofah's allowlist and inject it into Loofah by default
  • ... and then document how anybody else can modify or inject their own allowlists, which should address a lot of open issues (see the allowlist label)
  • ... and deprecate Whitelist in preference to Allowlist, exploring how to do so without totally breaking monkeypatches people may have made to Loofah's allowlists.
@flavorjones flavorjones added the allowlist issues related to what tags or attributes are allowed label Oct 27, 2018
@flavorjones
Copy link
Owner Author

Links:

This was referenced Oct 28, 2018
Open
Open
Closed
@flavorjones
Copy link
Owner Author

flavorjones commented Oct 28, 2018
edited
Loading

Here are the diffs (assuming my PR cure53/DOMPurify#309 will be accepted to correct misspellings).

"removal" reflects something allowed today that would not be allowed with DOMPurify's allowlist.

"addition" reflects something not allowed today that would be allowed with DOMPurify's allowlist.

html:tags:
  removals (1):
    ["command"]
  additions (23):
    ["blink", "body", "content", "data", "decorator", "element", "head", "hgroup", "html", "marquee", "menuitem",
     "nobr", "progress", "rp", "rt", "ruby", "shadow", "source", "spacer", "style", "template", "track", "wbr"]

mathml:tags:
  removals (6):
    ["annotation", "annotation-xml", "maction", "mprescripts", "none", "semantics"]
  additions (4):
    ["menclose", "mglyph", "mlabeledtr", "ms"]

svg:tags:
  removals (18):
    ["animate", "animateColor", "animateMotion", "animateTransform", "clipPath", "feGaussianBlur",
     "fegaussianblur", "font-face", "font-face-name", "font-face-src", "foreignObject", "foreignobject",
     "linearGradient", "missing-glyph", "radialGradient", "set", "textPath", "use"]
  additions (14):
    ["altglyph", "altglyphdef", "altglyphitem", "audio", "canvas", "font", "glyphref", "image", "pattern",
     "style", "tref", "video", "view", "vkern"]

html:attrs:
  removals (20):
    ["abbr", "accept-charset", "accesskey", "axis", "char", "charoff", "charset", "compact", "frame", "hspace",
     "longdesc", "loopcount", "loopend", "loopstart", "nohref", "prompt", "rules", "target", "vspace", 
     "xml:lang"]
  additions (30):
    ["autocomplete", "background", "bgcolor", "crossorigin", "default", "download", "face", "hidden", "high", 
     "integrity", "list", "low", "max", "min", "novalidate", "open", "optimum", "pattern", "placeholder", 
     "pubdate", "radiogroup", "required", "reversed", "role", "sizes", "spellcheck", "srclang", "srcset", 
     "step", "xmlns"]

mathml:attrs:
  removals (13):
    ["actiontype", "columnalign", "columnspacing", "encoding", "equalcolumns", "equalrows", "fontstyle", 
     "fontweight", "other", "xlink:href", "xlink:show", "xlink:type", "xmlns:xlink"]
  additions (22):
    ["accent", "accentunder", "bevelled", "columnsalign", "denomalign", "dir", "href", "id", "largeop", 
     "length", "lquote", "mathsize", "movablelimits", "notation", "numalign", "rquote", "scriptminsize", 
     "scriptsizemultiplier", "subscriptshift", "supscriptshift", "symmetric", "voffset"]

svg:attrs:
  removals (82):
    ["alphabetic", "arabic-form", "attributeName", "attributeType", "baseProfile", "baseprofile", "bbox", 
     "calcMode", "calcmode", "cap-height", "content", "descent", "filterRes", "filterUnits", "filterres", 
     "filterunits", "from", "gradientUnits", "hanging", "horiz-adv-x", "horiz-origin-x", "ideographic", 
     "keyPoints", "keySplines", "keyTimes", "markerHeight", "markerUnits", "markerWidth", "maskContentUnits", 
     "maskUnits", "mathematical", "overline-position", "overline-thickness", "panose-1", "pathLength", 
     "patternContentUnits", "patternTransform", "patternUnits", "preserveAspectRatio", "primitiveUnits", 
     "primitiveunits", "refX", "refY", "repeatCount", "repeatDur", "requiredExtensions", "requiredFeatures", 
     "requiredextensions", "requiredfeatures", "slope", "spacing", "startOffset", "startoffset", "stdDeviation", 
     "stemh", "stemv", "strikethrough-position", "strikethrough-thickness", "systemLanguage", "systemlanguage", 
     "target", "to", "underline-position", "underline-thickness", "unicode-range", "units-per-em", "version", 
     "viewBox", "widths", "x-height", "xlink:actuate", "xlink:arcrole", "xlink:href", "xlink:role", 
     "xlink:show", "xlink:title", "xlink:type", "xml:base", "xml:lang", "xml:space", "xmlns:xlink", "zoomAndPan"]
  additions (70):
    ["alignment-baseline", "azimuth", "basefrequency", "baseline-shift", "bias", "clip", "color-interpolation", 
    "color-profile", "diffuseconstant", "direction", "divisor", "edgemode", "elevation", "filter", 
    "flood-color", "flood-opacity", "font-size-adjust", "glyphref", "gradienttransform", "href", 
    "image-rendering", "in", "in2", "k1", "k2", "k3", "k4", "kernelmatrix", "kernelunitlength", "kerning", 
    "lengthadjust", "letter-spacing", "lighting-color", "local", "mask", "media", "mode", "numoctaves", 
    "operator", "order", "orientation", "overflow", "paint-order", "preservealpha", "radius", "result", "scale", 
    "seed", "shape-rendering", "specularconstant", "specularexponent", "spreadmethod", "stitchtiles", "style", 
    "surfacescale", "tabindex", "targetx", "targety", "text-decoration", "text-rendering", "textlength", 
    "vert-adv-y", "vert-origin-x", "vert-origin-y", "word-spacing", "wrap", "writing-mode", "xchannelselector", 
    "ychannelselector", "z"]

@flavorjones
Copy link
Owner Author

This is a pretty big changeset. I'm curious if anybody has objections to moving to it?

@flavorjones flavorjones mentioned this issue Nov 11, 2018
Closed
@flavorjones flavorjones added this to the v3.0.0 milestone Sep 28, 2019
@flavorjones
Copy link
Owner Author

Notable conflicts:

@flavorjones flavorjones self-assigned this Dec 4, 2019
@flavorjones flavorjones mentioned this issue Feb 13, 2020
Closed
@flavorjones flavorjones mentioned this issue Nov 25, 2020
Closed
@trevorrjohn
Copy link

DomPurify does not allow contenteditable cure53/DOMPurify#229

@flavorjones
Copy link
Owner Author

The little work I did on this is on branch https://github.com/flavorjones/loofah/tree/155-use-dompurify-safelists

@trevorrjohn
Copy link

We looked at this but the branch no longer works because node is a bit strange. Cannot load the attrs.js nor tags.js because it is using an import statement. Discussed the best option forward would be to ask DOMPurify to move those constants into a separate text file so that we could require and load it more easily. 🤷

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@flavorjones flavorjones

Labels
allowlist issues related to what tags or attributes are allowed
Projects
@flavorjones Rails Conf 2024 Hack Day project board
Status: No status
Milestone
v3.0.0
Development

No branches or pull requests
2 participants
@flavorjones @trevorrjohn