Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

explore using DOMPurify's allowlists #155

Open
2 of 7 tasks
flavorjones opened this issue Oct 27, 2018 · 7 comments
Open
2 of 7 tasks

explore using DOMPurify's allowlists #155

flavorjones opened this issue Oct 27, 2018 · 7 comments
Assignees
Labels
allowlist issues related to what tags or attributes are allowed
Milestone

Comments

@flavorjones
Copy link
Owner

flavorjones commented Oct 27, 2018

DOMPurify appears to be well-maintained and has an up-to-date allowlist. Explore using those allowlists instead of the HTML5lib-derived lists currently used by Loofah.

  • determine how well whitelists match up to the currently-used-set
  • determine how big the diff is
  • look at using IS_ALLOWED_URI to allowlist protocols
  • make sure to include the DOMPurify license in any machine-generated file
  • consider making a separate gem for Loofah's allowlist and inject it into Loofah by default
  • ... and then document how anybody else can modify or inject their own allowlists, which should address a lot of open issues (see the allowlist label)
  • ... and deprecate Whitelist in preference to Allowlist, exploring how to do so without totally breaking monkeypatches people may have made to Loofah's allowlists.
@flavorjones flavorjones added the allowlist issues related to what tags or attributes are allowed label Oct 27, 2018
@flavorjones
Copy link
Owner Author

@flavorjones
Copy link
Owner Author

flavorjones commented Oct 28, 2018

Here are the diffs (assuming my PR cure53/DOMPurify#309 will be accepted to correct misspellings).

"removal" reflects something allowed today that would not be allowed with DOMPurify's allowlist.

"addition" reflects something not allowed today that would be allowed with DOMPurify's allowlist.

html:tags:
  removals (1):
    ["command"]
  additions (23):
    ["blink", "body", "content", "data", "decorator", "element", "head", "hgroup", "html", "marquee", "menuitem",
     "nobr", "progress", "rp", "rt", "ruby", "shadow", "source", "spacer", "style", "template", "track", "wbr"]

mathml:tags:
  removals (6):
    ["annotation", "annotation-xml", "maction", "mprescripts", "none", "semantics"]
  additions (4):
    ["menclose", "mglyph", "mlabeledtr", "ms"]

svg:tags:
  removals (18):
    ["animate", "animateColor", "animateMotion", "animateTransform", "clipPath", "feGaussianBlur",
     "fegaussianblur", "font-face", "font-face-name", "font-face-src", "foreignObject", "foreignobject",
     "linearGradient", "missing-glyph", "radialGradient", "set", "textPath", "use"]
  additions (14):
    ["altglyph", "altglyphdef", "altglyphitem", "audio", "canvas", "font", "glyphref", "image", "pattern",
     "style", "tref", "video", "view", "vkern"]

html:attrs:
  removals (20):
    ["abbr", "accept-charset", "accesskey", "axis", "char", "charoff", "charset", "compact", "frame", "hspace",
     "longdesc", "loopcount", "loopend", "loopstart", "nohref", "prompt", "rules", "target", "vspace", 
     "xml:lang"]
  additions (30):
    ["autocomplete", "background", "bgcolor", "crossorigin", "default", "download", "face", "hidden", "high", 
     "integrity", "list", "low", "max", "min", "novalidate", "open", "optimum", "pattern", "placeholder", 
     "pubdate", "radiogroup", "required", "reversed", "role", "sizes", "spellcheck", "srclang", "srcset", 
     "step", "xmlns"]

mathml:attrs:
  removals (13):
    ["actiontype", "columnalign", "columnspacing", "encoding", "equalcolumns", "equalrows", "fontstyle", 
     "fontweight", "other", "xlink:href", "xlink:show", "xlink:type", "xmlns:xlink"]
  additions (22):
    ["accent", "accentunder", "bevelled", "columnsalign", "denomalign", "dir", "href", "id", "largeop", 
     "length", "lquote", "mathsize", "movablelimits", "notation", "numalign", "rquote", "scriptminsize", 
     "scriptsizemultiplier", "subscriptshift", "supscriptshift", "symmetric", "voffset"]

svg:attrs:
  removals (82):
    ["alphabetic", "arabic-form", "attributeName", "attributeType", "baseProfile", "baseprofile", "bbox", 
     "calcMode", "calcmode", "cap-height", "content", "descent", "filterRes", "filterUnits", "filterres", 
     "filterunits", "from", "gradientUnits", "hanging", "horiz-adv-x", "horiz-origin-x", "ideographic", 
     "keyPoints", "keySplines", "keyTimes", "markerHeight", "markerUnits", "markerWidth", "maskContentUnits", 
     "maskUnits", "mathematical", "overline-position", "overline-thickness", "panose-1", "pathLength", 
     "patternContentUnits", "patternTransform", "patternUnits", "preserveAspectRatio", "primitiveUnits", 
     "primitiveunits", "refX", "refY", "repeatCount", "repeatDur", "requiredExtensions", "requiredFeatures", 
     "requiredextensions", "requiredfeatures", "slope", "spacing", "startOffset", "startoffset", "stdDeviation", 
     "stemh", "stemv", "strikethrough-position", "strikethrough-thickness", "systemLanguage", "systemlanguage", 
     "target", "to", "underline-position", "underline-thickness", "unicode-range", "units-per-em", "version", 
     "viewBox", "widths", "x-height", "xlink:actuate", "xlink:arcrole", "xlink:href", "xlink:role", 
     "xlink:show", "xlink:title", "xlink:type", "xml:base", "xml:lang", "xml:space", "xmlns:xlink", "zoomAndPan"]
  additions (70):
    ["alignment-baseline", "azimuth", "basefrequency", "baseline-shift", "bias", "clip", "color-interpolation", 
    "color-profile", "diffuseconstant", "direction", "divisor", "edgemode", "elevation", "filter", 
    "flood-color", "flood-opacity", "font-size-adjust", "glyphref", "gradienttransform", "href", 
    "image-rendering", "in", "in2", "k1", "k2", "k3", "k4", "kernelmatrix", "kernelunitlength", "kerning", 
    "lengthadjust", "letter-spacing", "lighting-color", "local", "mask", "media", "mode", "numoctaves", 
    "operator", "order", "orientation", "overflow", "paint-order", "preservealpha", "radius", "result", "scale", 
    "seed", "shape-rendering", "specularconstant", "specularexponent", "spreadmethod", "stitchtiles", "style", 
    "surfacescale", "tabindex", "targetx", "targety", "text-decoration", "text-rendering", "textlength", 
    "vert-adv-y", "vert-origin-x", "vert-origin-y", "word-spacing", "wrap", "writing-mode", "xchannelselector", 
    "ychannelselector", "z"]

@flavorjones
Copy link
Owner Author

This is a pretty big changeset. I'm curious if anybody has objections to moving to it?

@flavorjones
Copy link
Owner Author

Notable conflicts:

@trevorrjohn
Copy link

DomPurify does not allow contenteditable cure53/DOMPurify#229

@flavorjones
Copy link
Owner Author

The little work I did on this is on branch https://github.com/flavorjones/loofah/tree/155-use-dompurify-safelists

@trevorrjohn
Copy link

We looked at this but the branch no longer works because node is a bit strange. Cannot load the attrs.js nor tags.js because it is using an import statement. Discussed the best option forward would be to ask DOMPurify to move those constants into a separate text file so that we could require and load it more easily. 🤷

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
allowlist issues related to what tags or attributes are allowed
Development

No branches or pull requests

2 participants