It would be nice if FilterUrlByProtocolAttributePolicy was a bit more configurable #148

Open
xenomachina opened this issue Jun 22, 2018 · 2 comments

Comments

@xenomachina

HtmlPolicyBuilder currently adds an instance of FilterUrlByProtocolAttributePolicy as a policy on a bunch of attributes. The only configuration that seems to affect it is the set of allowed protocols. It is also only inserted on attributes that already have attributes applied to them.

Currently I'm using a preprocessor to do the following:

  1. Resolving URLs against a "base" URL. For example, if my base URL is "http://example.com/base", then I want <a href="/foo"> to turn into <a href="http://example.com/foo">.

  2. When a URL is "unsafe" I replace it with a safe URL (eg: ""), rather than eliminating the attribute entirely, so that <a href="evil:">click</a> would still be a link, it would just be "neutered", eg: <a href="">click</a>. To get this behavior, my preprocessor essentially needs to do the same job as FilterUrlByProtocolAttributePolicy, with this one tweak.

My preprocessor also has to duplicate HtmlPolicyBuilder.URL_ATTRIBUTE_NAMES, as it is private, and I haven't even worked out how to get it to work for URLs in styles properly yet.

Here's a straw-man proposal to make this a bit easier:

  1. Add the ability to provide a "URL preprocessor" that could transform URLs before FilterUrlByProtocolAttributePolicy filters them.

  2. Add the ability to provide a fallback URL that would be used in place of null. (To be safe, perhaps this URL should, itself, also be run through the filtering logic.)

@xenomachina
Author

As an aside: I haven't had a chance to test this yet, but I think there may be a bug in the handling of the archive attribute in FilterUrlByProtocolAttributePolicy. The HTML 4.01 Specification says it's "a space-separated list of URIs", but from the code it looks like it's treated as a single URL.
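
An added illustration of the behaviour requested in this thread, not code from the project or from either participant: resolve against a base URL, check the protocol against an allowlist, substitute a fallback instead of dropping the attribute, and treat `archive` as a space-separated list. It uses only `java.net.URI`; the class name, the allowlist, the base URL, the fallback value and the choice to drop neutered list entries are assumptions made for the sketch.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

public class UrlAttributeDemo {
    // Assumed values for this sketch: allowlist, base URL and fallback are constructed.
    static final Set<String> ALLOWED = Set.of("http", "https", "mailto");
    static final URI BASE = URI.create("http://example.com/base");
    static final String FALLBACK = "";

    /** Resolve one URL against BASE; return FALLBACK unless the result's scheme is allowed. */
    static String sanitizeUrl(String raw) {
        try {
            URI resolved = BASE.resolve(new URI(raw.trim()));
            String scheme = resolved.getScheme();
            // Compare case-insensitively so "JavaScript:" is not mistaken for a new scheme.
            if (scheme != null && ALLOWED.contains(scheme.toLowerCase(Locale.ROOT))) {
                return resolved.toString();
            }
        } catch (URISyntaxException e) {
            // Unparseable input is treated as unsafe and falls through to FALLBACK.
        }
        return FALLBACK;
    }

    /** "archive" holds a space-separated list of URIs, so each entry is checked on its own. */
    static String sanitizeAttribute(String attributeName, String value) {
        if (!"archive".equals(attributeName)) {
            return sanitizeUrl(value);
        }
        return Arrays.stream(value.trim().split("\\s+"))
                .map(UrlAttributeDemo::sanitizeUrl)
                .filter(u -> !u.isEmpty())   // drop neutered entries from the list
                .collect(Collectors.joining(" "));
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(sanitizeAttribute("href", "/foo"));
        System.out.println("[" + sanitizeAttribute("href", "evil:") + "]");
        System.out.println("[" + sanitizeAttribute("href", "JavaScript:alert(1)") + "]");
        System.out.println(sanitizeAttribute("archive", "a.jar javascript:x https://cdn.example/b.jar"));
    }
}
```

Checking the scheme after resolution means a relative URL inherits the base's protocol, while an absolute or opaque URL keeps its own and is judged on it.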

@mikesamuel
Contributor

Does the URL classifier meet your needs?

#126
