This repository has been archived by the owner on May 23, 2024. It is now read-only.

Add rel/target tags for a #42

Open
pet0ruk opened this issue Jun 22, 2020 · 3 comments

Comments

@pet0ruk

pet0ruk commented Jun 22, 2020

Thanks for the great library! Given the intended use-case of passing in HTML from something untrusted and then being able to sanitize and display it securely, it would be really cool if we could get some options to force `rel` and `target` on `a` tags. While `rel="nofollow"` and `target="_blank"` are "nice to have", `rel="noopener"` is certainly important for security, and it would be great if we could force it.

Config options could look something like this:

```php
$sanitizer = HtmlSanitizer\Sanitizer::create([
    'extensions' => ['basic', 'image', 'iframe'],
    'tags' => [
        'a' => [
            /*
             * If an array is provided, links targeting other hosts than one in this array
             * will be disabled (the `href` attribute will be blank). This can be useful if you want
             * to prevent links targeting external websites. Keep null to allow all hosts.
             * Any allowed domain also includes its subdomains.
             *
             * Example:
             *      'allowed_hosts' => ['trusted1.com', 'google.com'],
             */
            'allowed_hosts' => null,

            /*
             * If true, mailto links will be accepted.
             */
            'allow_mailto' => false,

            /*
             * Forces rel=nofollow in links.
             */
            'force_rel_nofollow' => false,

            /*
             * Forces rel=noopener in links.
             */
            'force_rel_noopener' => false,

            /*
             * Forces target=value unless set to false.
             */
            'force_target' => false,
        ],
        // ...
    ],
]);
```

I just quickly threw this issue together so if you would prefer something in the form of a PR I can look into doing that instead.

@tgalopin
Owner

That's a great idea, and I like the config format. I would probably create only two options though:

`force_rel`, false by default, can get a string, in which case the string is always set on links as a `rel` attribute

`force_target`, which does the same with the `target` attribute
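
The following is an added example, not code from tgalopin/html-sanitizer or from either participant, showing what the proposed options amount to in practice: a post-processing pass over already-sanitized HTML that sets a fixed `rel` and `target` on every `a` element, following the two-option design above (`false` leaves the attribute alone, a string always replaces it). It covers both pet0ruk's original proposal and the two-option form. It is written in Python rather than the library's PHP so it runs stand-alone; the class and function names (`LinkAttributeForcer`, `force_link_attributes`) and the defaults `"noopener noreferrer"` / `"_blank"` are this example's own choices, and the input HTML is constructed for the demonstration.

```python
"""Post-process sanitized HTML so every <a> carries a fixed rel/target.

Added illustration of the force_rel / force_target idea from the thread; not
code from tgalopin/html-sanitizer.  It assumes the input has ALREADY been
sanitized (scripts, event handlers and javascript: URLs removed) and only
rewrites attributes on <a>, re-serialising everything else verbatim.
"""
from html import escape
from html.parser import HTMLParser

# Elements that never take a closing tag; re-emitted without one.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class LinkAttributeForcer(HTMLParser):
    """Re-serialises HTML, overriding rel/target on every <a> element.

    force_rel / force_target: False leaves the attribute as the input had it;
    a string is always set on the link, replacing whatever the (possibly
    attacker-controlled) input carried, e.g. rel="opener".
    """

    def __init__(self, force_rel, force_target):
        # convert_charrefs=False so entity/char refs reach our handlers and
        # are re-emitted exactly instead of being decoded into text.
        super().__init__(convert_charrefs=False)
        self.force_rel = force_rel
        self.force_target = force_target
        self.out = []

    def _serialise_attrs(self, tag, attrs):
        if tag == "a":
            forced = {}
            if self.force_rel is not False:
                forced["rel"] = self.force_rel
            if self.force_target is not False:
                forced["target"] = self.force_target
            # Drop the input's own rel/target before appending the forced ones.
            attrs = [(n, v) for n, v in attrs if n not in forced]
            attrs += list(forced.items())
        parts = []
        for name, value in attrs:
            if value is None:  # boolean attribute such as <input disabled>
                parts.append(name)
            else:
                # HTMLParser already decoded the value; escape it again on output.
                parts.append('%s="%s"' % (name, escape(value, quote=True)))
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append("<%s%s>" % (tag, self._serialise_attrs(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        self.out.append("<%s%s />" % (tag, self._serialise_attrs(tag, attrs)))

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def force_link_attributes(html, force_rel="noopener noreferrer", force_target="_blank"):
    """Return `html` with rel/target forced on every <a>; pass False to skip either."""
    forcer = LinkAttributeForcer(force_rel, force_target)
    forcer.feed(html)
    forcer.close()
    return "".join(forcer.out)


if __name__ == "__main__":
    # Constructed sample: sanitizer output whose author set rel="opener" and
    # target="_blank", which would hand the opened page a window.opener.
    sample = ('<p>See <a href="https://example.com/?a=1&amp;b=2" rel="opener" '
              'target="_blank">here</a>.</p>')
    print(force_link_attributes(sample))
```

Because the forced string replaces the attribute rather than merging with it, an input-supplied `rel="opener"` cannot survive; the trade-off is that anything else the input put in `rel` (for instance `nofollow`) is dropped unless it is part of the forced string, which is worth stating in the option's documentation. Forcing `target="_blank"` without also forcing `noopener` is the combination to avoid, since it is exactly the case where the opened page gets a `window.opener` reference in browsers that do not imply `noopener` for `_blank`.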

@tgalopin
Owner

If you're up for a PR, that would be awesome :)!

@pet0ruk
Author

pet0ruk commented Jun 24, 2020

Sure, #43 should do it, I think.
