James Britt
11/10/2004 9:23:00 PM
Dmitri Borodaenko wrote:
> On Tue, 9 Nov 2004 02:47:11 +0900, James Britt
> <jamesunderbarb@neurogami.com> wrote:
>
>>I added logging to my copy so that I could see what was being clobbered
>>during sanitization. Might be worth including this by default.
>
>
> Err, I can't throw Ruby dumps on unsuspecting Wiki users: my problem
> is not just to find the cause, but also to report it nicely.
>
>
>>I see that 'script' elements are deleted, as the yaml file makes no
>>mention of that element.
>
>
> Right, that was on purpose.
Ah, I see. I thought of this as the start of a general-purpose lib that
might then be used by some more specific application.
A suggestion (motivated by self-interest): arrange for the code to allow
all proper XHTML by default, with the option of passing in a set of
elements and/or attributes that are disallowed at validation time.
For example, if you decide to disallow style or class attributes, you
could pass this information in when calling sanitize.
Perhaps sanitize could take an optional hash parameter

    sanitize(html, filter = {})

and disallowed elements/attributes could be specified as, perhaps,

    'script' => '',               # no script element at all
    'img'    => 'usemap, height', # allow images, but
                                  # no usemap or height attributes
    '*'      => 'style, class'    # no class or style on any element

Just a thought; it's easy to make suggestions when you're not writing
the code ;)
This way, you need not keep editing the base yaml file when adjusting
what to sanitize.
James
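The filter-hash interface James sketches above, written out as an added example. This is not code from the thread or from Dmitri's wiki sanitizer; the XHTML element allowlist, the void-element list, the `sanitize`/`compile_filter`/`escape_text` names and the exact meaning given to `''` versus a comma-separated attribute list are all assumptions made for this example, and the sample markup is constructed.

```ruby
require 'set'
require 'strscan'

# Assumed default allowlist: a representative subset of XHTML 1.0 elements.
# "All proper XHTML by default" means script and event-handler attributes
# are allowed unless the caller's filter denies them.
XHTML_ELEMENTS = Set.new(%w[
  html head body title p div span a img ul ol li dl dt dd table tr td th
  h1 h2 h3 h4 h5 h6 em strong b i code pre br hr blockquote script style
]).freeze

# Elements with no content: "drop this element" means drop a single tag.
VOID_ELEMENTS = Set.new(%w[img br hr input meta link]).freeze

# One start or end tag; quoted attribute values may contain '>'.
TAG_RE  = %r{<(/?)([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[^>"'])*?)\s*(/?)>}
ATTR_RE = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/

# Escape text and attribute values on the way out; existing entities are kept.
def escape_text(s)
  s.gsub(/&(?!(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);)/, '&amp;')
   .gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Filter hash semantics (assumed from James's sketch):
#   'script' => ''                -> drop the element and everything inside it
#   'img'    => 'usemap, height'  -> keep the element, strip those attributes
#   '*'      => 'style, class'    -> strip those attributes from every element
def compile_filter(filter)
  dropped = Set.new
  denied  = Hash.new { |h, k| h[k] = Set.new }
  filter.each do |element, attrs|
    element = element.to_s.downcase
    names = attrs.to_s.split(',').map { |a| a.strip.downcase }.reject(&:empty?)
    if names.empty?
      dropped << element
    else
      denied[element].merge(names)
    end
  end
  [dropped, denied]
end

def sanitize(html, filter = {})
  dropped, denied = compile_filter(filter)
  ss  = StringScanner.new(html)
  out = +''
  skipping = nil # [name, depth] while inside a dropped element
  until ss.eos?
    if ss.scan(/<!--.*?-->/m)
      next # comments never survive
    elsif ss.scan(TAG_RE)
      closing   = ss[1] == '/'
      name      = ss[2].downcase
      raw_attrs = ss[3]
      selfclose = ss[4] == '/'
      if skipping
        # Track nesting of the dropped element so output resumes after its end tag.
        if name == skipping[0] && !selfclose
          skipping[1] += closing ? -1 : 1
          skipping = nil if skipping[1].zero?
        end
        next
      end
      if dropped.include?(name)
        skipping = [name, 1] unless closing || selfclose || VOID_ELEMENTS.include?(name)
        next
      end
      next unless XHTML_ELEMENTS.include?(name) # unknown element: tags go, text stays
      if closing
        out << "</#{name}>"
      else
        banned = denied['*'] | denied[name]
        attrs = raw_attrs.scan(ATTR_RE)
                         .map { |n, dq, sq| [n.downcase, dq || sq || ''] }
                         .reject { |n, _| banned.include?(n) }
        out << '<' << name
        attrs.each { |n, v| out << " #{n}=\"#{escape_text(v)}\"" }
        out << (selfclose ? ' />' : '>')
      end
    elsif (text = ss.scan(/[^<]+/))
      out << escape_text(text) unless skipping
    else
      ss.getch # stray '<'
      out << '&lt;' unless skipping
    end
  end
  out
end

# Constructed sample input and the filter from James's message.
SAMPLE_HTML = '<p class="note" style="color:red">Hi &amp; bye ' \
              '<img src="a.png" usemap="#m" height="3" />' \
              '<script>alert(1)</script><b onclick="go()">bold</b>' \
              '<blink>x</blink></p>'
JAMES_FILTER  = { 'script' => '', 'img' => 'usemap, height', '*' => 'style, class' }
STRICT_FILTER = JAMES_FILTER.merge('*' => 'style, class, onclick')

if __FILE__ == $0
  puts sanitize(SAMPLE_HTML, JAMES_FILTER)
  puts sanitize(SAMPLE_HTML, STRICT_FILTER)
end
```

Two properties of this design are worth seeing on the sample: with the allow-everything default, anything the filter does not name (the `onclick` handler above) passes through, which is why `STRICT_FILTER` has to add it, whereas an allowlist base like the YAML file Dmitri maintains fails closed for attributes nobody thought of; and a dropped element with no end tag swallows the rest of the document rather than leaking its contents, which is the safer of the two failure modes.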