
Filter external resources

Open emersion opened this issue 5 years ago • 3 comments

Sometimes it's desirable to disallow external resources (<img>, background: url(…), etc), to prevent sanitized HTML from "calling home" (triggering HTTP requests, e.g. using pixel images for tracking purposes). For instance a webmail might want to do this.

Would you be interested in adding an API to validate external resources?

emersion avatar Jan 16 '20 14:01 emersion
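An added example of the kind of check the opening post asks for, written for this page and not taken from bluemonday or from any of the PRs mentioned in the thread. It uses only the Go standard library: a predicate over a parsed `*url.URL` that keeps relative paths, same-host `http`/`https` URLs and `cid:` inline-attachment references, and drops everything else, including the protocol-relative and backslash forms that a naive "no scheme means local" test lets through. The allow-list host `mail.example.org`, the tracker host names and the sample attribute values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Hosts that sanitized markup may load sub-resources from (constructed for
// this example: a webmail serving its own attachment previews). Anything
// not listed is "external" and is dropped.
var allowedHosts = map[string]bool{
	"mail.example.org": true,
}

// allowResourceURL is the predicate for a parsed URL found in a
// resource-loading attribute (img src and the like). It keeps:
//   - relative URLs with no host (resolved against the page's own origin),
//   - http/https URLs whose host is on the allow-list,
//   - cid: references (inline attachments, which never leave the mailbox).
// Everything else (data:, javascript:, unknown schemes, and any scheme-less
// value that still carries a host, such as //tracker.example/p.gif) is
// rejected, so rendering the output cannot trigger a request to a third party.
func allowResourceURL(u *url.URL) bool {
	host := strings.ToLower(u.Hostname()) // Hostname() drops any :port
	switch u.Scheme {                     // url.Parse lower-cases the scheme
	case "":
		// A protocol-relative URL also parses with an empty scheme, so an
		// empty scheme alone does not mean "same origin"; require no host.
		return u.Host == ""
	case "http", "https":
		return allowedHosts[host]
	case "cid":
		return true
	default:
		return false
	}
}

// allowResourceString applies allowResourceURL to a raw attribute value, as
// one would when walking attributes outside the sanitizer.
func allowResourceString(raw string) bool {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return false // an empty src still makes some browsers fetch the page URL
	}
	// Browsers treat "\" as "/" in http(s) URLs, so "/\tracker.example/x"
	// resolves to a protocol-relative URL; net/url keeps it as a path. Refuse
	// the character outright rather than trust a parse the renderer disagrees with.
	if strings.Contains(raw, `\`) {
		return false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return false // control characters, bad percent-escapes, etc.
	}
	return allowResourceURL(u)
}

func main() {
	// Constructed attribute values a webmail might see in an incoming message.
	samples := []string{
		"/images/logo.png",
		"https://mail.example.org/att/1.png",
		"cid:part1@example.org",
		"https://tracker.example/pixel.gif?u=42",
		"//tracker.example/pixel.gif",
		`/\tracker.example/pixel.gif`,
		"https://mail.example.org@tracker.example/p.gif",
		"javascript:alert(1)",
	}
	for _, s := range samples {
		verdict := "drop"
		if allowResourceString(s) {
			verdict = "keep"
		}
		fmt.Printf("%-50s %s\n", s, verdict)
	}
}
```

To use this with bluemonday rather than by hand, register the predicate for the schemes it should gate, e.g. `p.AllowURLSchemeWithCustomPolicy("https", allowResourceURL)` and the same for `"http"`, allow `cid` with `p.AllowURLSchemes("cid")`, and leave `AllowDataURIImages()` off unless inline images are wanted. A scheme-less value never reaches a per-scheme policy, so whether relative and protocol-relative values survive is decided by `AllowRelativeURLs`, which is why the predicate above treats that case itself for callers applying it directly. It also only covers URL-valued attributes: `background: url(...)` in an inline `style` is a separate channel, which is not a concern if the policy does not allow the `style` attribute at all, and is otherwise the case for the token/attribute callbacks discussed later in this thread.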

What do you have in mind?

I'm not sure what this solution looks like, but whilst this is sanitization for XSS and untrusted HTML I wouldn't be averse to making it sanitize for privacy.

grafana-dee avatar Jan 16 '20 17:01 grafana-dee

This may be something my proposed code in #61 could be used for, as it would allow a function to transform or remove tokens.

jhillyerd avatar Jan 16 '20 17:01 jhillyerd

My PR #153 has a callback function that will allow you to modify/add/remove attributes of HTML elements with your own business logic before they are parsed by bluemonday.

onthegit avatar Oct 12 '22 18:10 onthegit