Any way to combine allowedTags and disallowedTags to sanitize an html? #662
pablofrers93
There is no such option because it would be insecure: new tags are added to HTML all the time and you don't know the consequences of allowing them in advance. My advice would be to consult the HTML5 spec and include a long list if you want to allow a lot of tags. And if you want any safety at all, you'll need to be thoughtful about which attributes you allow on each.
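The approach recommended in the reply above, as an added example that is not part of the original reply or of sanitize-html's own code: build the explicit `allowedTags` and `allowedAttributes` lists by subtracting the unwanted tags from a reviewed list, so a tag nobody reviewed is never allowed. `KNOWN_TAGS`, `REVIEWED_ATTRIBUTES` and `buildSanitizeOptions` are hypothetical names with constructed sample values.

```javascript
// Reviewed tag list (constructed sample; extend it from the HTML spec).
// Anything not listed here can never end up in allowedTags.
const KNOWN_TAGS = ['div', 'h1', 'p', 'a', 'img', 'script', 'style', 'iframe'];

// Attributes reviewed per tag (constructed sample policy).
const REVIEWED_ATTRIBUTES = {
  a: ['href'],
  img: ['src', 'alt'],
  iframe: ['src'],
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns { allowedTags, allowedAttributes } in the shape sanitize-html accepts.
function buildSanitizeOptions(knownTags, unwantedTags, reviewedAttributes) {
  const known = new Set(knownTags.map((t) => t.toLowerCase()));
  const unwanted = new Set(unwantedTags.map((t) => t.toLowerCase()));

  // A typo in the unwanted list would silently leave the real tag allowed.
  for (const tag of unwanted) {
    if (!known.has(tag)) throw new Error(`unknown tag in unwanted list: ${tag}`);
  }

  const allowedTags = [...known].filter((t) => !unwanted.has(t));
  const allowedAttributes = {};
  for (const tag of allowedTags) {
    const attrs = hasOwn(reviewedAttributes, tag)
      ? reviewedAttributes[tag].map((a) => a.toLowerCase())
      : [];
    // Inline event handlers run script, so they never belong in an allowlist.
    const handler = attrs.find((a) => a.startsWith('on'));
    if (handler) throw new Error(`event handler attribute on <${tag}>: ${handler}`);
    if (attrs.length > 0) allowedAttributes[tag] = attrs;
  }
  return { allowedTags, allowedAttributes };
}

const options = buildSanitizeOptions(
  KNOWN_TAGS,
  ['script', 'style', 'iframe'],
  REVIEWED_ATTRIBUTES
);
// Intended use (needs the sanitize-html package): sanitizeHtml(dirtyHtml, options)
console.log(options);
```
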
-
Hi!
I'm trying to sanitize HTML data, but I'm facing a problem. I need to be able to manually select which tags to sanitize, so I set 'allowedTags' to false and then set 'disallowedTags' equal to an array containing the selected tags. However, instead of getting the correct result, I receive back the string with all tags, not respecting the 'disallowedTags' setup. Is there any way to do this? Here is an example of what I am doing:
const htmlExample = "<div><h1>Title</h1><p>Paragraph</p><a href='https://www.example.com'>Link</a><img src='image.jpg' alt='Image'><script>alert('hello world')</script><style>body {background-color: blue;}</style><iframe src='https://www.example.com'></iframe></div>";
The output is the same as the original value.
Thanks in advance.