Providing only a way to sanitize attribute values using the URL format might not be enough for some people, and I don't see (sorry if there is one, I just looked at this quickly) any way to sanitize attribute values except as URLs.
For example, Script Gadgets show that sometimes XSS can occur from the id attribute (which is usually safe) with the help of frameworks.
Having each website block the id attribute as a whole seems like a fragile approach. We should probably provide a way for people to declare a custom sanitizer function for attribute values, or at least a way to list allowed attribute values.
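To make the proposal concrete, here is an added example of what per-attribute value policies could look like. It is not code from this repository or from the WICG Sanitizer API: the element model, the config keys (`allowElements`, `allowAttributes`, `attributeValuePolicies`) and the sample markup are all assumptions made for the example. After the usual element and attribute allow-listing, each surviving attribute value is checked against either an allow-list of exact values (the "list allowed attribute values" option) or a caller-supplied validator (the "custom sanitizer function" option), and values that pass neither are dropped together with their attribute.

```javascript
// Added example, not code from this repo or the WICG Sanitizer API.
// Plain-object stand-in for DOM nodes so the example runs in Node without a DOM.
const el = (name, attrs = {}, children = []) => ({ name, attrs, children });

// Elements removed together with their whole subtree.
const DROP_ELEMENTS = new Set(['script', 'style', 'template', 'iframe', 'object']);

// Validator used as an attribute value policy for href: browsers strip tab, LF and
// CR from URLs before scheme detection, so we strip them too before checking.
function isSafeUrl(value) {
  const v = value.replace(/[\t\n\r]/g, '').trim();
  const scheme = v.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!scheme) return true; // relative URL: no scheme to abuse
  return new Set(['http', 'https', 'mailto']).has(scheme[1].toLowerCase());
}

// Hypothetical config shape (assumed for this example): element and attribute
// allow-lists plus one value policy per attribute, either `allowValues` (exact
// match against a Set) or `validate(value, elementName)` (custom function).
const DEFAULT_CONFIG = {
  allowElements: new Set(['div', 'span', 'p', 'a', 'b', 'i', 'ul', 'li']),
  allowAttributes: new Set(['id', 'class', 'href', 'title']),
  attributeValuePolicies: {
    // Only ids the page itself defines survive; anything else, including ids a
    // client-side framework might treat as a mount point or template hook, is dropped.
    id: { allowValues: new Set(['content', 'main', 'sidebar']) },
    class: { validate: (v) => /^[a-z][a-z0-9-]*( [a-z][a-z0-9-]*)*$/.test(v) },
    href: { validate: isSafeUrl },
  },
};

// An attribute survives only if its name is allowed AND its value passes the
// attribute's value policy (or there is no policy for that attribute).
function attributeAllowed(name, value, elementName, config) {
  if (!config.allowAttributes.has(name)) return false;
  const policy = config.attributeValuePolicies[name];
  if (!policy) return true;
  if (policy.allowValues) return policy.allowValues.has(value);
  return policy.validate(value, elementName) === true;
}

// Returns a new node list: dropped elements vanish with their children,
// disallowed-but-harmless elements are unwrapped (children kept), allowed
// elements keep only the attributes that pass attributeAllowed().
function sanitizeNodes(nodes, config) {
  const out = [];
  for (const n of nodes) {
    if (typeof n === 'string') { out.push(n); continue; }
    const name = n.name.toLowerCase();
    if (DROP_ELEMENTS.has(name)) continue;
    const kids = sanitizeNodes(n.children, config);
    if (!config.allowElements.has(name)) { out.push(...kids); continue; }
    const attrs = {};
    for (const [k, v] of Object.entries(n.attrs)) {
      const key = k.toLowerCase();
      if (attributeAllowed(key, v, name, config)) attrs[key] = v;
    }
    out.push(el(name, attrs, kids));
  }
  return out;
}

// Serialize back to HTML with text and attribute values escaped.
const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');
function serialize(nodes) {
  return nodes.map((n) => {
    if (typeof n === 'string') return escapeText(n);
    const attrs = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('');
    return `<${n.name}${attrs}>${serialize(n.children)}</${n.name}>`;
  }).join('');
}

function sanitizeToHtml(root, config = DEFAULT_CONFIG) {
  return serialize(sanitizeNodes([root], config));
}

// Constructed untrusted input: a tab-split javascript: URL, an id not on the
// allow-list, a script element, an event handler attribute and a legacy element.
const UNTRUSTED = el('div', { id: 'content' }, [
  el('a', { href: 'java\tscript:alert(1)', id: 'app-root' }, ['click']),
  el('span', { id: 'main', class: 'note' }, ['hello']),
  el('script', {}, ['alert(1)']),
  el('b', { onclick: 'x()' }, ['bold']),
  el('font', { color: 'red' }, ['old']),
]);

console.log(sanitizeToHtml(UNTRUSTED));
```

The id policy is deliberately an exact allow-list rather than a syntax check: a syntactically valid id is exactly what a script gadget needs, so the only robust rule is "ids the page itself defines", which is why the issue asks for per-site configurability instead of a fixed built-in list.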
shhnjk changed the title from "Consider a way to sanitize attribute values more generally" to "Consider providing a way to sanitize attribute values more generally" on Jul 30, 2020
General comment: This repo was my attempt at (re-)starting the discussion around a sanitizer. Meanwhile, all work has migrated to https://github.com/WICG/sanitizer-api, which has active participants from multiple browsers, and we'd very happily welcome more! :-) I intend to archive this repo.