Ammonia - whitelist a scheme for one tag, remove for another

Hi! First topic.

Ammonia is a great piece of a tool, but sanitization sometimes needs to be more granular.
For example, I cannot figure out if it is possible to whitelist a scheme for one tag attribute, but remove it for another.

    <img src='data:text/plain;charset=utf-8;base64,..'> 

is a relatively harmless code, while

 <a href='data:text/plain;charset=utf-8;base64,..'>...</a>

might not be.

And the answer is obvious, if we are ok with having data scheme everywhere except anchor tag:

Builder::default()
.add_url_schemes(&["data"])
    .attribute_filter(move |element, attribute, value| {
        match (element, attribute) {
            ("a", "href") => {
                if value.starts_with("data:") {
                    return None
                }
                Some(value.into())
            },
            _ => Some(value.into())
        }
    })
  ....
1 Like