Sanitize mixin for plugins?

[KawaiiZapic]

Allow plugins to modify sanitize rules.
Maybe like this:

const remark = jojo.remake;
const process = sch => {
  sch.tagName?.push("iframe");
  return sch;
};

export default function ExamplePlugin {
  return {
    remark: u => u.use(remark),
    sanitize: sch => process(sch)
  }
}

This will help plugins decoupling from the editor.

[pd4d10]

From a technical perspective, I guess it can be implemented. But it seems would disrupt user expectations in some cases.

For example, there are 2 plugins A and B. A allows iframe, while B doesn't allow it. If the apply order is A->B, then the iframe related contents will also be removed.

[KawaiiZapic]

From a technical perspective, I guess it can be implemented. But it seems would disrupt user expectations in some cases.

For example, there are 2 plugins A and B. A allows iframe, while B doesn't allow it. If the apply order is A->B, then the iframe related contents will also be removed.

I think the example more look like a developer issue 🤔.
I don't think there is any case need to disallow a tag or something else, because a plugin is some code to add some new features but not to be a security guard.

About the security question, I think plugin can get a CSRF token from parser instance and apply to element, and then add a filter plugin at the bottom of process chain, to sanitize all insecure content in UGC.

[pd4d10]

and then add a filter plugin at the bottom of process chain

Yeah, If I don't understand it wrong, the current sanitize process is exactly the same as you described

Take the iframe case as an example, it can be added via rehype plugins. The sanitize step only takes effect once after remark process.

[github-actions]

This issue is stale because it has been open for 30 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 7 days since being marked as stale.

[aprendendofelipe]

What do you think about the plugin passing a schema instead of passing the function that handles the schema?

const remark = jojo.remake;
const sch = {
  tagNames: ["iframe"]
};

export default function ExamplePlugin {
  return {
    remark: u => u.use(remark),
    schema: sch
  }
}

So the main library is responsible for properly merging the schemas and sanitizing globally.

A special merge function will be needed to merge the arrays, but I think I have a good idea of how to do that.

That way plugins are prevented from deleting permissions needed by other plugins, they can only add.

Any other custom schemes are still possible by passing the sanitize function directly to the Editor or Viewer. Thus allowing new additions or deletions in the scheme.

[pd4d10]

That way plugins are prevented from deleting permissions needed by other plugins, they can only add.

This seems to be reasonable. But it would also lead to breaking changes, and need to be released as a major version.

I'll draft a v2 plan soon, including this feature.

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 7 days since being marked as stale.