Ammonia - whitelist a scheme for one tag, remove for another

shekyan · October 14, 2019, 10:41pm

Hi! First topic.

Ammonia is a great piece of a tool, but sanitization sometimes needs to be more granular.
For example, I cannot figure out if it is possible to whitelist a scheme for one tag attribute, but remove it for another.

    <img src='data:text/plain;charset=utf-8;base64,..'>

is a relatively harmless code, while

 <a href='data:text/plain;charset=utf-8;base64,..'>...</a>

might not be.

shekyan · October 14, 2019, 11:12pm

And the answer is obvious, if we are ok with having data scheme everywhere except anchor tag:

Builder::default()
.add_url_schemes(&["data"])
    .attribute_filter(move |element, attribute, value| {
        match (element, attribute) {
            ("a", "href") => {
                if value.starts_with("data:") {
                    return None
                }
                Some(value.into())
            },
            _ => Some(value.into())
        }
    })
  ....

system · January 12, 2020, 11:12pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ammonia add A tag attribute help	3	447	January 12, 2023
An HTML sanitizer written in Rust announcements	1	1217	January 10, 2023
Märkəd (new crate release) community	11	1270	July 11, 2020
New templating engine help	4	914	January 12, 2023
Feature Request: update Disourse settings to whitelist "doc.rust-lang.org" for "nofollow"-links meta	1	657	January 12, 2023

Ammonia - whitelist a scheme for one tag, remove for another

Related Topics