-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
otherMarkup #240
Comments
[Follow-up from meeting today:] I removed An empty allow list now allows everything. That is:
One oddity this has is that removing elements can allow more of them. E.g.:
Does this reflect group consensus? One item that came up when discussing this with Guillaume: Can we distinguish between a missing list and an empty one? That is, |
I think the policy manipulation methods having some weird side effects is okay, although it does make me wonder whether we need to think even harder about the names and also whether we might need more fine-grained manipulation methods in the future. Like if you do It's certainly possible IDL-wise to distinguish between an empty list and a missing list. |
Good point. The way it's currently written (https://pr-preview.s3.amazonaws.com/otherdaniel/purification/pull/237.html#sanitizer-allowelement, step 2 + 3) is that is always adds to the per-element lists.
In order to set the per-element attributes, one would have to remove it and then allow it again. Not sure if that's what we want... I admittedly didn't think too much about that. :/
Ah. In that case, I think I'd like to change it to: empty list allowing nothing; missing list meaning no constraint (aka, allowing everything). That seems more consistent. |
Given that we don't have fine-grained operations I think replacing (set semantics) is probably what we want. You don't want multiple of the same element in the list and have to deal with deduplication later and you also don't really want more complicated merge semantics than replace I'd think.
That sounds reasonable. And then |
Done.
In the current PR, nothing throws. The old spec had an elaborate "canonicalization" step, and would throw if that encountered ambiguities. That makes sense for an immutable object, where the construction is also the final state of the object. In this PR, we define modifier methods, that would presumably be called a number of times. These methods just "make it fit" instead of throwing. E.g., if you add an element to the allow list, it'll simply remove it from the remove-list. Initialization from a dictionary is now re-written in terms of those manipulation methods. The consequence of that is that it doesn't throw anymore at all. (There's an ISSUE: about that in the draft.) If we don't want that, I can see several ways: We could make the manipulation methods throw. (E.g., removeElement would throw if that particular element is in the allow list.) I'm skeptical here, because I think that makes it very easy to write code that will fail in practice if the underlying sanitizer has changed from what the code writer was expecting. We could keep the manipulation methods als always succeeding, but throw when constructing from a dictionary. I guess if we have an allow-list then any removeElement entry is redundant. I guess we could throw for any config that has both allow and remove lists. |
I was expecting that dictionary construction would still throw for the cases we discussed:
I agree that ideally the manipulation methods always succeed, even if they might not do what you expect. But they would still guarantee some kind of "canonical model" underneath and not allow for duplicates or the ability to end up with redundant lists internally. |
I now added checks & throwing back in for the constructor. |
Comment on #237 (comment): "We should not need otherMarkup"
[Splitting this out from discussion on #237]
I re-introduced
otherMarkup
, because I wanted a way to express the behaviour ofsetHTMLUnsafe
without parameters. The requirements, I take it, are:parseHTMLUnsafe
/setHTMLUnsafe("...")
(without passing in a config) should not modify the parse result.setHTMLUnsafe("...")
==setHTMLUnsafe("...", {})
==setHTMLUnsafe("...", {sanitizer: {})
Generally, I see 3 options to satisfy these:
otherMarkup
(or somesuch), so that we can have an unsafe-default config that will pass through all markup.otherMarkup
, but tie it to the method invocation.setHTML("<bla>", {sanitizer: s})
would behave differently fromsetHTMLUnsafe("<bla>", {sanitizer: s})
setHTMLUnsafe("...")
does somethingsetHTMLUnsafe("...", {sanitizer: s})
can't, for any value ofs
.I have a mild preference for the first; but can live with any of them.
The text was updated successfully, but these errors were encountered: