-
Notifications
You must be signed in to change notification settings - Fork 41
How to Sanitize with Unknown incoming HTML tags [Can't whitelist]? #44
Comments
Is there any way to whitelist around 100 tags and 200 attributes in bulk without creating extension for that? I want to whitelist these all tags
and these all attributes
Specifically i am looking for support for this plugin https://github.com/wiris/ckeditor5-mathml/ |
Hello @rohitcoder ! This library works on a whiteliste basis, meaning that you will have to enable every tag and attribute that you want to keep, either using configuration or extensions. If you wish to be very generic, you can use something like http://htmlpurifier.org which is more open than HtmlSanitizer. Note however that using htmlpurifier with default options means you may receive HTML/CSS that could break your display if not handled properly (position absolute, large images, ...). HtmlSanitizer is very useful when you want to allow only a specific list of tags and attributes and ensure you won't get anything else in the output. This allows you to be safe regarding security, but also to exhaustively handle all the possible tags in your CSS. In your specific use-case, I think you can create an extension that would list all the tags you have an associate them to a dynamic node. Something like:
|
Hi @tgalopin I am working on getting it done on my side (Getting some problems, and there is little bit typo and multiple confusions in docs "Create Extensions"), I would suggest you to implement this "Mathml" Extension as optional extension by default in this Sanitizer. Maintainers of MathMl team were looking for some good sanitizers few years back but i think still, they don't have any good working sanitizer you can have a look at this thread ezyang/htmlpurifier#200 It would be really good, if you implement this as optional like other Available extensions, MathMl is very famous tool and giving add-on support to that tool will be a great idea for this sanitizer. |
Hi @tgalopin, I forked this Repo, and added "MathMl" Extension let me know, if you are happy with pull request? You can see my commit here rohitcoder@602ed31 (Really big commit..). If you think there is any security issue with my commit, let me know :) , I allowed almost all custom attributes on each custom tags which is used by MathMl, but i also removed "xlink:href" custom attribute from all custom tags because this is prone to XSS as someone reported in H1 https://hackerone.com/reports/502926. However, i added sanitizer to mactionNodeVisitor because it's known it is used to put some hyperlinks there, so now it can be sanitized and for rest of all tags this attribute is removed by default. You can see this here - https://github.com/rohitcoder/html-sanitizer/blob/d41afa006d563359d075b4745e6b8350e220508e/src/Extension/MathMl/NodeVisitor/mactionNodeVisitor.php For, now i am adding details in my Repo that this is fork is available with "MathMl" it would be good, if you also make this available from your own repo, as i mentioned early it is one of the most famous math rendering tool in WYSWYG editors. BTW, i also mentioned your docs are little bit confusing and there is one typo in https://github.com/tgalopin/html-sanitizer/edit/master/docs/2-creating-an-extension-to-allow-custom-tags.md (LINE 136) i think you have typo there instead of } it should be ] $sanitizer = $builder->build([
'extensions' => ['basic', 'list', 'my-tag'],
} <== Here ); Again thanks for this awesome sanitizer! |
Thanks! Don't hesitate to open a PR, I'll have a look! Also: you can open a PR for the doc typo, I'd be happy to merge it! |
Hi @tgalopin ,
Thanks for this great Sanitizer!
So, we are in a situation where we can't WhiteList Tags, we are using CKeditor5 and using that our user will generate any kind of content, and those content may contain variety of custom tags For example have a look at this.
Now, I want to store this whole text in my DB, but i don't want any incoming XSS/SQLi scripts or tags. How it can be done? I was going through internal codebase of this project, and it seems i can add my own tags or i can introduce my own Custom Extension, but i would need to Whitelist tags, and attributes. How it can be done without whitelisting such tags?
The text was updated successfully, but these errors were encountered: