254
edits
Platform/HTML5 sanitizer: Difference between revisions
Jump to navigation
Jump to search
→Gecko Requirements
| Line 5: | Line 5: | ||
* Have three element white lists: HTML, SVG and MathML. | * Have three element white lists: HTML, SVG and MathML. | ||
* Have three attribute white lists: HTML, SVG and MathML. The attributes don't depend on the element they are on beyond the element namespace. | * Have three attribute white lists: HTML, SVG and MathML. The attributes don't depend on the element they are on beyond the element namespace. | ||
* Have | * Have three lists of attributes that take URLs. Drop the attributes when they have prohibited URLs (after trimming whitespace from the value). | ||
** Resolve relative URLs into absolute ones using a per fragment base URL. (Is this correct for Gecko reqs?) | ** Resolve relative URLs into absolute ones using a per fragment base URL. (Is this correct for Gecko reqs?) | ||
** Why is whitespace trimmed before the security check? | ** Why is whitespace trimmed before the security check? | ||
** However, allow any URL in the src attribute on the img element, because imgs are safe. | ** However, allow any URL in the src attribute on the img element, because imgs are safe. | ||
*** Why risk this? | *** Why risk this? | ||
* Have a list of SVG attributes that take different-document references. | |||
* Have a list of SVG attributes that are allowed to have same-document references only. | |||
* If styles are allowed, sanitize style attribute values. If styles aren't allowed, drop the style attribute. | * If styles are allowed, sanitize style attribute values. If styles aren't allowed, drop the style attribute. | ||
* Always drop script and title elements and their contents. | * Always drop script and title elements and their contents. | ||