-
-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTML5 empty attributes are being scrubbed #242
Comments
Ah, it seems that the commit I referenced didn't introduce this behavior, but just provided an exception for |
Hi! Thanks for opening this issue. Let me try to summarize what you're seeing? #! /usr/bin/env ruby
require "bundler/inline"
gemfile do
source "https://rubygems.org"
gem "loofah"
end
Loofah.fragment('<video controls></video>').scrub!(:strip).to_s
# => "<video></video>"
Loofah.fragment('<video controls=""></video>').scrub!(:strip).to_s
# => "<video></video>"
Loofah.fragment('<video controls="true"></video>').scrub!(:strip).to_s
# => "<video></video>"
Loofah::HTML5::SafeList::ALLOWED_ATTRIBUTES.add('controls')
Loofah.fragment('<video controls></video>').scrub!(:strip).to_s
# => "<video></video>"
Loofah.fragment('<video controls=""></video>').scrub!(:strip).to_s
# => "<video></video>"
Loofah.fragment('<video controls="true"></video>').scrub!(:strip).to_s
# => "<video controls=\"true\"></video>" but we'd expect all three of the cases to retain the I'll investigate! |
This behavior dates back to #51 which is a requirement and contribution that came from the Rails team. I'd like to explore removing this behavior, but I'm hesitant to do so without fully understanding the reasons this behavior was introduced in the first place. Additionally there are two larger changes we're trying make short-term:
Once both of those have landed, hopefully in the next month or two, then I'll feel more confident about making a change like this. So I'm going to park this for now and come back to it. I hope that all makes sense! Feel free to ask questions, I may have missed something. |
Thanks for the quick and clear reaction @flavorjones! The summary you give is indeed accurate, and the approach seems very reasonable. For now we'll just add the |
Just updating this with a note: Loofah now supports HTML5 parsing, along with Rails 7.1. I still want to finish the work in #136 to decouple rails-html-sanitizer from Loofah before tackling this, did want to let you know that it's still on my to-do list. |
a6922ce seems to have had the effect of scrubbing valueless attributes even if they are in
SafeList
. For example, even after addingcontrols
to theSafeList
with:The
controls
attribute will be removed from video tags like the following:But not from the following:
However, just having
controls
without a value seems to be valid HTML5.Is this intended behaviour or a bug?
The text was updated successfully, but these errors were encountered: