- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 02 Jun 2014 23:34:18 -0400
- To: public-webapps@w3.org
On 6/2/14, 11:17 PM, Eduardo' Vela" <Nava> wrote:
> Now, I'm not sure how many have tried to implement an HTML sanitizer.

I've reviewed Gecko's implementation of one, if that counts...

> 1. You have to write a parser OR You have to use a third-party parser.

Wasn't an issue for us obviously.

> 2. You have to get a serializer.

Likewise.

> 3. You need a sane whitelist.

This was a pain.

> 3.1 And the whitelist, apparently, needs to be aware of not just
> <tag/attribute> pairs, but also <tag/attribute + rel="stylesheet"> geez!

And this. We actually rip out all @rel values specifically on <link> elements, because we in fact do not want to allow rel="stylesheet" (but we do allow @rel on other elements)....

I agree with your general point, though, which is that writing a good sanitizer is pretty nontrivial.

-Boris
Received on Tuesday, 3 June 2014 03:34:47 UTC
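As an added illustration of point 3.1 (this is example code, not Gecko's sanitizer or anything from the thread): a minimal allowlist sanitizer built on Python's stdlib `html.parser` whose allowlist is keyed per tag, so `rel` is permitted on `<a>` but simply absent from the `<link>` entry, which is what stops `rel="stylesheet"` without a separate special case. The allowlist, URL policy and sample input are constructed for the example.

```python
from html.parser import HTMLParser
from html import escape

# Per-tag attribute allowlist (constructed). A (tag, attribute) pair is
# allowed only if it appears here: "rel" is fine on <a>, never on <link>.
ALLOWED = {
    "a": {"href", "rel", "title"},
    "p": set(), "b": set(), "i": set(), "br": set(),
    "link": {"href", "type", "media"},   # no "rel": blocks rel="stylesheet"
}
VOID = {"link", "br"}                    # elements that take no end tag

def _safe_attr(tag, name, value):
    if name not in ALLOWED[tag]:
        return False
    # Constructed URL policy: only absolute http(s) links survive.
    if name == "href" and not value.lower().startswith(("http://", "https://")):
        return False
    return True

class Sanitizer(HTMLParser):
    """Parses untrusted HTML and re-serializes only allowlisted markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (tag, attribute) pairs removed, for logging/tests

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return          # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            value = "" if value is None else value
            if _safe_attr(tag, name, value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))   # serializer step: re-escape all text

def sanitize(html):
    """Return (clean_html, dropped_pairs) for an untrusted fragment."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped
```

Feeding it the constructed fragment `<p>Hi <a href="https://example.org/" rel="nofollow">there</a> <link rel="stylesheet" href="https://example.org/s.css"><b onmouseover="x()">bold</b></p>` keeps `rel` on the anchor, strips it from the `<link>`, and drops the event handler, while `dropped` records each removed pair for audit logging.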