Support for the <iframe> sandbox attribute #135
Comments
Looks like this is a dupe of #12, although the last activity on that was in 2015 - lemme know if the thinking on that has changed.
I didn't know of the
I'm not sure I want to have the library scope creep from security sanitizer to HTML rewriter in a general purpose way, those are distinct things and there are good arguments to be made in favour of rewriting untrusted content pre-sanitization as well as rewriting the now trusted content post-sanitization... meaning a general purpose thing would be easy for people to mis-use and accidentally lower their security unintentionally.
But I am very much in favour of adding an option in the spirit of
How about something like this:
And a sketch of that implemented would look like this https://go.dev/play/p/KKyYNeBlu6T :
I've got a very hectic few weeks leading up to Christmas, but I will get to this by Christmas. If you want to beat me to it and produce a PR that implements the option along those lines and adjusts the sanitizer accordingly... please feel encouraged to do so, otherwise I will get to it eventually.
Also... if you do take my example... I instantly reread it and nit'd on
Yup, that sounds perfectly reasonable. Going off that spirit, I think the list of values that's provided to
If that sounds reasonable, I can take a stab at it (hopefully) sometime next week.
That does sound reasonable... would merge 👍
For my specific use case, I'd like to enforce the existence of the sandbox attribute on <iframe>s. I haven't dug too deeply into the code, but it looks like patterns like these are usually special cased (ex: AddTargetBlankToFullyQualifiedLinks, RequireNoFollowOnLinks, etc). Would a general purpose RequiredAttr method be considered for inclusion in the library? If so, it'd allow users to define such behaviours purely within a policy (which I think would be useful). Otherwise, I can work on a PR to just handle <iframe sandbox>.
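An added Go sketch of what a sandbox-enforcing option could do to an <iframe> start tag; this is not the library's code and not the playground sketch linked in the comments. The Attribute type and the SandboxPolicy type with its RequireSandbox method are assumed names standing in for the tokenizer's attribute pairs and a policy setting; a sanitizer would call RequireSandbox on each <iframe> it has already decided to keep.

```go
package main

import (
	"sort"
	"strings"
)

// Attribute stands in for the Key/Val pair an HTML tokenizer yields for a
// start tag (hypothetical type, not the library's own).
type Attribute struct{ Key, Val string }

// SandboxPolicy lists the sandbox tokens an <iframe> may keep, lower-case.
type SandboxPolicy struct{ Allowed map[string]bool }

// filterTokens keeps allowed tokens only, case-folded, deduplicated, sorted.
func (p SandboxPolicy) filterTokens(val string) string {
	keep := map[string]bool{}
	for _, tok := range strings.Fields(strings.ToLower(val)) {
		if p.Allowed[tok] {
			keep[tok] = true
		}
	}
	vals := make([]string, 0, len(keep))
	for v := range keep {
		vals = append(vals, v)
	}
	sort.Strings(vals)
	return strings.Join(vals, " ")
}

// RequireSandbox adds sandbox="" (everything restricted) when the attribute is
// missing, cuts an existing one down to the policy's tokens, and drops a
// repeated sandbox attribute so only the first survives.
func (p SandboxPolicy) RequireSandbox(attrs []Attribute) []Attribute {
	out := make([]Attribute, 0, len(attrs)+1)
	found := false
	for _, a := range attrs {
		switch {
		case strings.ToLower(a.Key) != "sandbox":
			out = append(out, a)
		case !found:
			found = true
			out = append(out, Attribute{"sandbox", p.filterTokens(a.Val)})
		}
	}
	if !found {
		out = append(out, Attribute{"sandbox", ""})
	}
	return out
}
```

Because the rewrite only ever removes tokens or adds the empty value, the result can never be a looser sandbox than the policy allows, whatever the untrusted markup carried.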