Document how to allow http and https urls in links and img srcs? #14

Open
timhaines opened this issue Apr 19, 2014 · 3 comments

Comments

@timhaines

Thanks for this module, it's very useful to have it wrapped up.

I see the sanitize() function is very conservative and strips a lot from the html. I'm wondering how to relax this a little so http/https urls can be included in href attributes in links, and src attributes in img tags.

I expect this is a common thing people might want to do, so having it documented would be helpful.

@villadora

+1 like badges img src from travis-ci.org

Are there any docs about tagPolicy which can be used in sanitizeWithPolicy?

@villadora

It's not very easy to write a custom tagPolicy which also guarantees safety.

I wrote one to keep the src of img for some URLs like 'travis-ci'

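```js
var url = require('url');

// `sanitizer` is this module and `urlPolicy` is the caller's URL policy
// function; both are defined elsewhere.
var origTagPolicy = sanitizer.makeTagPolicy(urlPolicy);

function tagPolicy(tagName, attribs) {
  // attribs is a flat array: [name0, value0, name1, value1, ...]
  if (tagName == 'img' && attribs.length) {
    var src;
    for (var i = 0; i < attribs.length; i += 2) {
      if (attribs[i] == 'src') {
        src = attribs[i + 1];
        break;
      }
    }

    if (src) {
      var u = url.parse(src);
      // Only http(s): a javascript: or data: URL that names the host is rejected.
      if (u && (u.protocol === 'http:' || u.protocol === 'https:')) {
        // Exact string comparison avoids regex metacharacters (an unescaped
        // '.' matches any character) and is safe when hostname is null.
        if (u.hostname === 'travis-ci.org') {
          var attrs = sanitizer.sanitizeAttribs(tagName, attribs, urlPolicy);
          attrs.push('src');
          attrs.push(url.format(u));
          return {
            attribs: attrs
          };
        }
      }
    }
  }

  // Everything else goes through the default policy.
  return origTagPolicy.call(this, tagName, attribs);
}
```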
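
The URL check at the centre of this thread (http/https only, plus an exact host allowlist for img src), written as a stand-alone function. This is an added example, not code from the thread or from the module; it uses Node's WHATWG `URL` class instead of `url.parse`, and `checkUrl`, the allowlists and the sample inputs are constructed for illustration. Using it as the `urlPolicy` callback is an assumption about the caller's setup.

```javascript
'use strict';

// Constructed allowlists for illustration; adjust to your own policy.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const IMG_HOSTS = new Set(['travis-ci.org']);

// Hypothetical helper: returns a normalized absolute URL, or null to drop the
// attribute. `hosts` is optional; when given, the hostname must match exactly.
function checkUrl(value, hosts) {
  let u;
  try {
    u = new URL(String(value).trim()); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(u.protocol)) return null; // javascript:, data:, ...
  if (u.username || u.password) return null;          // userinfo can disguise the real host
  if (hosts && !hosts.has(u.hostname)) return null;   // exact match, no regex or suffix match
  return u.href;
}

// Constructed sample inputs covering the cases a hostname regex tends to miss.
const SAMPLES = [
  'https://travis-ci.org/user/repo.svg?branch=master',
  'HTTP://Travis-CI.org/x.svg',
  'javascript://travis-ci.org/%0aalert(1)',
  'https://travis-ciXorg/a.png',
  'https://travis-ci.org.other.example/x.svg',
  'https://travis-ci.org@other.example/a.png',
  '//travis-ci.org/x.svg',
  '/relative/path.png'
];

// Runs every sample through the link policy (any http/https host) and the
// img policy (http/https and an allowlisted host).
function runSamples() {
  return SAMPLES.map(function (s) {
    return { input: s, link: checkUrl(s), img: checkUrl(s, IMG_HOSTS) };
  });
}

runSamples().forEach(function (r) {
  console.log(r.input, '-> link:', r.link, '| img:', r.img);
});
```
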

@yuri-scarbaci-lenio

No news on this?
