Sanitize mixin for plugins? #131
Comments
From a technical perspective, I guess it can be implemented. But it seems it would disrupt user expectations in some cases. For example, there are 2 plugins A and B. A allows
I think the example looks more like a developer issue 🤔. About the security question, I think a plugin can get a CSRF token from the parser instance and apply it to the element, and then add a filter plugin at the bottom of the process chain to sanitize all insecure content in UGC.
Yeah, if I don't understand it wrong, the current sanitize process is exactly the same as you described. Take the iframe case as an example: it can be added via rehype plugins. The sanitize step only takes effect once, after the remark process.
This issue is stale because it has been open for 30 days with no activity.
This issue was closed because it has been inactive for 7 days since being marked as stale.
What do you think about the plugin passing a schema instead of passing the function that handles the schema?

```js
const remark = jojo.remake;
const sch = {
  tagNames: ["iframe"]
};
export default function ExamplePlugin() {
  return {
    remark: u => u.use(remark),
    schema: sch
  };
}
```

So the main library is responsible for properly merging the schemas and sanitizing globally. A special merge function will be needed to merge the arrays, but I think I have a good idea of how to do that. That way plugins are prevented from deleting permissions needed by other plugins; they can only add. Any other custom schemes are still possible by passing the sanitize function directly to the Editor or Viewer, thus allowing new additions or deletions in the scheme.
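One way the main library could implement the additive merge described in the comment above. This is an added example, not the project's own code: the schema shape (`tagNames`, `attributes`, `protocols`) follows the rehype-sanitize convention, and `mergeSchema`, `allows` and the sample schemas are constructed here for illustration.

```javascript
// Additive merge of sanitize schemas contributed by plugins: arrays are unioned and
// nested objects merged recursively, so a plugin can widen the allow-list but never
// remove an entry another plugin (or the base schema) relies on.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Union that also handles rehype-sanitize attribute tuples such as ['sandbox', ''].
function unionArray(a, b) {
  const out = [...a];
  for (const item of b) {
    if (!out.some((x) => JSON.stringify(x) === JSON.stringify(item))) out.push(item);
  }
  return out;
}

function mergeOne(acc, plugin) {
  for (const [key, value] of Object.entries(plugin || {})) {
    const current = acc[key];
    if (Array.isArray(value)) {
      acc[key] = Array.isArray(current) ? unionArray(current, value) : [...value];
    } else if (isPlainObject(value)) {
      acc[key] = mergeOne(isPlainObject(current) ? current : {}, value);
    } else if (current === undefined) {
      acc[key] = value; // scalars (e.g. clobberPrefix) are only filled in, never overridden
    }
  }
  return acc;
}

// Base schema is cloned so plugin merges never mutate the editor's defaults.
function mergeSchema(base, ...plugins) {
  return plugins.reduce(mergeOne, JSON.parse(JSON.stringify(base)));
}

// Small query helper: is `tag` allowed, and (optionally) `attr` on it or on '*'?
function allows(schema, tag, attr) {
  if (!(schema.tagNames || []).includes(tag)) return false;
  if (attr === undefined) return true;
  const names = (list) => (list || []).map((e) => (Array.isArray(e) ? e[0] : e));
  return names(schema.attributes?.['*']).includes(attr) || names(schema.attributes?.[tag]).includes(attr);
}

// Constructed sample input: a minimal base schema, a plugin that adds sandboxed
// iframes, and a plugin that tries (and fails) to strip permissions from <a>.
const baseSchema = { tagNames: ['a', 'p'], attributes: { '*': ['className'], a: ['href'] }, protocols: { href: ['http', 'https'] } };
const iframePlugin = { tagNames: ['iframe'], attributes: { iframe: ['src', ['sandbox', '']] }, protocols: { src: ['https'] } };
const removalPlugin = { tagNames: [], attributes: { a: [] } };
const merged = mergeSchema(baseSchema, iframePlugin, removalPlugin);
```

Additive merging stops a plugin from deleting another plugin's permissions, but it cannot stop a careless plugin from widening the allow-list (for example adding `style` under `'*'`), so plugin schemas still deserve review.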
This seems to be reasonable. But it would also lead to breaking changes, and it would need to be released as a major version. I'll draft a v2 plan soon, including this feature.
This issue is stale because it has been open for 60 days with no activity.
This issue was closed because it has been inactive for 7 days since being marked as stale.
Allow plugins to modify sanitize rules.
Maybe like this:
This will help plugins decouple from the editor.