Bug in allowed attributes

Question

Bug in allowed attributes

Narvey opened this issue 7 years ago · 3 comments

Narvey commented 7 years ago

sanitization_filter.rb has attributes (including color) that are listed as allowed, but do not work in GitHub.

For example, if I do:

<hr color="orange" />

It looks like:

Which is clearly grey, not orange. Also in order for the color attribute to be really useful, we need the "font" tag.

I'm not able to test all the others exhaustively, but some others that are rather strange are "checked", "selected", "action", "accesskey". Since form-related tags aren't allowed, I'm not sure what possible use these could have. For these four only, I recommend removing them from the list.

Answer 1 · 2017-12-14T12:38:27.000Z

I'll say that I don't really care how we get there (i.e. whitelisted style options, whitelisted tags/attributes/whatever) but it's pretty important to me to be able to at least somehow set font and background color, especially in a HTML table (th/td).

Answer 2 · 2017-12-18T17:51:54.000Z

This gem is this gem, and has no guarantee of usage in GitHub text fields. GitHub has configured their whitelist differently.