From be9c90da9b9aa0f0923b559532c6fa9a152ca1ef Mon Sep 17 00:00:00 2001
From: Zade Viggers <74938858+zadeviggers@users.noreply.github.com>
Date: Mon, 24 Jan 2022 14:19:40 +1300
Subject: [PATCH 1/4] Add common image attributes
---
 index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 648ec1b..8515483 100644
--- a/index.js
+++ b/index.js
@@ -780,10 +780,10 @@ sanitizeHtml.defaults = {
 disallowedTagsMode: 'discard',
 allowedAttributes: {
 a: [ 'href', 'name', 'target' ],
- // We don't currently allow img itself by default, but this
+ // We don't currently allow img itself by default, but these
 // would make sense if we did. You could add srcset here,
 // and if you do the URL is checked for safety
- img: [ 'src' ]
+ img: [ 'src', 'alt', 'title', 'width', 'height', 'loading' ]
 },
 // Lots of these won't come up by default because we don't allow them
 selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
From 5fccedb0d66fd2061e4e9f413f49ab1dbc6a133c Mon Sep 17 00:00:00 2001
From: Zade Viggers <74938858+zadeviggers@users.noreply.github.com>
Date: Tue, 25 Jan 2022 14:12:36 +1300
Subject: [PATCH 2/4] Allow srcset
---
 index.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/index.js b/index.js
index 8515483..8b21565 100644
--- a/index.js
+++ b/index.js
@@ -780,10 +780,9 @@ sanitizeHtml.defaults = {
 disallowedTagsMode: 'discard',
 allowedAttributes: {
 a: [ 'href', 'name', 'target' ],
- // We don't currently allow img itself by default, but these
- // would make sense if we did. You could add srcset here,
- // and if you do the URL is checked for safety
- img: [ 'src', 'alt', 'title', 'width', 'height', 'loading' ]
+ // We don't currently allow img itself by default, but
+ // these attributes would make sense if we did.
+ img: [ 'src', 'srcset', 'alt', 'title', 'width', 'height', 'loading' ]
 },
 // Lots of these won't come up by default because we don't allow them
 selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
From 43f28f336f71ec5b02c1844d82d9d09160754668 Mon Sep 17 00:00:00 2001
From: Zade Viggers <74938858+zadeviggers@users.noreply.github.com>
Date: Tue, 25 Jan 2022 14:14:57 +1300
Subject: [PATCH 3/4] Update changelog
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 08ddd35..ff43263 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## 2.7.0 (2022-01-25)
+
+- Allows a more sensible set of default attributes on `` tags.
+
 ## 2.6.1 (2021-12-08)
 - Fixes style filtering to retain `!important` when used.
From 1971a5728c8e4879203209db77f384206fe81ecc Mon Sep 17 00:00:00 2001
From: Zade Viggers <74938858+zadeviggers@users.noreply.github.com>
Date: Tue, 25 Jan 2022 14:16:11 +1300
Subject: [PATCH 4/4] Update defaults in readme
---
 README.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 414984a..d949bf4 100644
--- a/README.md
+++ b/README.md
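Review bot: The rewritten comment on the new side drops the old statement that a `srcset` URL "is checked for safety" at exactly the point where `srcset` enters the default `img` attribute list, so a reader of the defaults can no longer tell that `srcset`, the one newly allowed attribute that carries URLs like `src` does, is subject to the same URL filtering. Assuming the check the removed lines referred to is still in place elsewhere in index.js (it is not visible in this hunk), I would keep that fact in the comment, e.g. `// these attributes would make sense if we did. Like src,` / `// srcset values are still checked for URL safety.`. The `sanitizeHtml.defaults` object begins before this hunk and continues past it, and the same rewording is mirrored in the README hunk of patch 4, which would want the same sentence.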
@@ -128,10 +128,9 @@ allowedTags: [
 disallowedTagsMode: 'discard',
 allowedAttributes: {
 a: [ 'href', 'name', 'target' ],
- // We don't currently allow img itself by default, but this
- // would make sense if we did. You could add srcset here,
- // and if you do the URL is checked for safety
- img: [ 'src' ]
+ // We don't currently allow img itself by default, but
+ // these attributes would make sense if we did.
+ img: [ 'src', 'srcset', 'alt', 'title', 'width', 'height', 'loading' ]
 },
 // Lots of these won't come up by default because we don't allow them
 selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],