
consider whitelist for safe protocols

Open stefanpenner opened this issue 10 years ago • 3 comments

https://github.com/tildeio/htmlbars/blob/3035edf9f5505e93340273d0cf561c4853e84557/packages/morph-attr/lib/sanitize-attribute-value.js#L5

stefanpenner avatar Aug 19 '15 17:08 stefanpenner

@stefanpenner, I have a more comprehensive list of tags and attributes that are regarded as unsafe in a URI context; I can help out by creating a PR for this feature. https://github.com/yahoo/xss-filters/blob/master/src/xss-filters.js#L58 (tag names) https://github.com/yahoo/secure-handlebars/blob/master/src/parser-utils.js#L31 (attribute names)

neraliu avatar Nov 01 '15 06:11 neraliu

@neraliu I wonder if we should make the blacklist/whitelist a common node_module, so that testing/auditing/sharing is more centralized. Does this seem possible?

stefanpenner avatar Nov 30 '15 06:11 stefanpenner

@stefanpenner Yes, we can make it a standalone npm module for testing/auditing/sharing. And I am wondering what the default behavior of htmlbars is when it encounters a URI context, blacklist or whitelist? What are general developers expecting?

neraliu avatar Jan 05 '16 13:01 neraliu
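The difference between the two policies the thread is weighing (a blacklist of dangerous protocols versus a whitelist of safe ones) is easiest to see side by side. The following is an added example written for this page; it is not the htmlbars sanitizer linked in the issue nor any of the Yahoo lists, and the attribute set, the protocol sets and the `unsafe:` prefix are assumptions made for the demonstration. It also normalizes the value the way a browser's URL parser does before looking at the scheme (leading/trailing control characters and spaces stripped, tabs and newlines removed, case-insensitive), because a check that compares the raw string misses values the browser would still execute.

```javascript
// Added example, not htmlbars or Ember code: protocol checks for URL-valued
// attributes, blacklist vs whitelist. All lists below are assumptions for the demo.

// Attributes whose value the browser interprets as a URL (assumed subset).
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Blacklist policy: reject only schemes known to execute script.
const BLACKLISTED_PROTOCOLS = new Set(['javascript:', 'vbscript:']);

// Whitelist policy: accept only schemes known to be safe; everything else is rejected.
const WHITELISTED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Return the scheme a browser's URL parser would see, lowercased with a trailing
// colon, or null when the value has no scheme (a relative URL).
function extractProtocol(value) {
  const s = String(value)
    // URL parsing strips leading and trailing C0 controls and spaces ...
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    // ... and removes ASCII tab/newline anywhere, so "java\nscript:" parses as "javascript:".
    .replace(/[\t\n\r]/g, '');
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() + ':' : null;
}

// Neutralize a rejected value by prefixing a scheme no browser recognizes,
// so the attribute survives but cannot run anything.
function neutralize(value) {
  return 'unsafe:' + value;
}

function sanitizeWithBlacklist(attrName, value) {
  if (!URL_ATTRIBUTES.has(attrName.toLowerCase())) return value;
  const proto = extractProtocol(value);
  return proto !== null && BLACKLISTED_PROTOCOLS.has(proto) ? neutralize(value) : value;
}

function sanitizeWithWhitelist(attrName, value) {
  if (!URL_ATTRIBUTES.has(attrName.toLowerCase())) return value;
  const proto = extractProtocol(value);
  return proto === null || WHITELISTED_PROTOCOLS.has(proto) ? value : neutralize(value);
}

// Constructed sample inputs; the last two show where the policies diverge:
// a blacklist only stops schemes it has heard of, a whitelist stops everything else too.
const SAMPLES = [
  ['href', 'https://example.org/'],
  ['href', '/relative/path'],
  ['href', 'javascript:alert(1)'],
  ['href', ' \tJaVaScRiPt:alert(1)'],
  ['href', 'java\nscript:alert(1)'],
  ['src', 'data:text/html,<script>alert(1)</script>'],
  ['title', 'javascript:not-a-url-attribute'],
];

// Run both policies over the samples and return the results for inspection.
function compare() {
  return SAMPLES.map(([attr, value]) => ({
    attr,
    value,
    protocol: extractProtocol(value),
    blacklist: sanitizeWithBlacklist(attr, value),
    whitelist: sanitizeWithWhitelist(attr, value),
  }));
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```

Two caveats a practitioner should keep in mind: the whitelist treats scheme-less (relative) values as safe, which is what most applications want but is still a policy decision; and deciding which attributes are URL-valued is itself tag-dependent (`xlink:href` on SVG, `formaction` on buttons), which is exactly the tag/attribute knowledge the lists linked above try to capture.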