
ID attribute from link gets filtered out #355

Closed
brantje opened this issue Oct 13, 2014 · 5 comments

Comments

@brantje

brantje commented Oct 13, 2014

Hello,
When I use

```html
<div class="title"><a class="overview" id="overview">Overview</a></div>
```

I get the following back:

```html
<div class="title"><a class="overview">Overview</a></div>
```

Why is the id stripped? It is allowed in the HTML specifications.
The same happens to divs, spans, etc.

@SimeonC
Collaborator

SimeonC commented Oct 13, 2014

I'm not sure, probably something to do with the sanitizer (taSanitize or in textAngular-sanitize). I'll look into this in the next couple of weeks hopefully. Could you give some more specific steps to reproduce this just to help me get started quicker when I get around to it please?

Also it might be good to have a look over at the main angular repo to see if anyone has this issue in the main angular-sanitize.

@p1100i
Contributor

p1100i commented Oct 14, 2014

I can +1 this. In my use case, I add an element (img tag) with some data- attributes by using range.insertNode into the contentEditable HTML. After this, $sanitize removes them on https://github.com/fraywing/textAngular/blob/master/src/textAngular.js#L1427

Reproduction steps on http://textangular.com in your browser console with $, though it should use the same DOM API as range.insertNode I think; anyway, it's the same problem for me:

```js
var img = document.createElement('img');
img.setAttribute('data-x', 'x-as-data');
img.setAttribute('class', 'x-as-class');
var $editorHTML = $('[contentEditable]');
// A jQuery object has no appendChild; append to the underlying DOM node.
$editorHTML[0].appendChild(img);
```

Focus in-and-out from the HTML editor to trigger sanitize and see the result inside the HTML-content field below the editor. x-as-class is kept, x-as-data gets removed.

Not sure if it can be abused but IMHO data- tags should not be removed from inserted nodes.

Anyway, on this issue I have a question for you @SimeonC. My user input gets sanitized in the back-end anyway and the editor always gets started without content. I think I could just skip the whole sanitizer, or am I missing something? Could you link to something on how to do that (skip sanitize)? *Edit:* Just found that setting the `ta-unsafe-sanitizer=true` attribute on the editor-directive tag does that.

@brantje
Author

brantje commented Oct 14, 2014

My use case:

```html
<a id="faq">Faq</a>
```

@SimeonC
Collaborator

SimeonC commented Oct 14, 2014

Looking through the sanitizer, the id attribute is not in the whitelist. I'm still waiting on the main repo to implement the ability to modify the whitelist without being forced to edit the source. I'll need to have a quick look around to try to figure out why id is sanitized; if I can't find an acceptable reason and/or workaround I'll just enable it by default.

@burninggramma The 1.3.0-preX releases, and 1.3.0 when I release it, have support for a ta-unsafe-sanitizer attribute which turns the sanitizer off.
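Added example (not textAngular's or angular-sanitize's code): a minimal attribute allowlist of the kind described above, extended so that `id` and `data-*` survive while inline event handlers and script-scheme URLs are still dropped, which is the safer answer to this thread than switching the sanitizer off. All names are assumptions; it is a regex pass over tags, not a full HTML parser.

```javascript
// Attributes kept outright; everything not listed (and not data-*) is dropped.
const ALLOWED_ATTRS = new Set(['class', 'id', 'href', 'src', 'alt', 'title']);
// URL-valued attributes get an extra shape check so no "javascript:" (or
// entity-obfuscated scheme) can sneak through; only these shapes are accepted:
// absolute http(s)/mailto, root-relative, fragment, or a plain relative path.
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_URL = /^(?:https?:\/\/|mailto:|\/|#|[\w.~-]+(?:[\/?#]|$))/i;

function isAllowedAttr(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith('on')) return false;                 // onclick, onerror, ...
  if (URL_ATTRS.has(n)) return SAFE_URL.test(value.trim());
  if (n.startsWith('data-')) return true;               // keep data-* (p1100i's case)
  return ALLOWED_ATTRS.has(n);                          // keep id (brantje's case)
}

// Rewrites the attribute list of every opening tag; text and closing tags pass through.
// Caveat: a literal '>' inside an attribute value is not handled (regex, not a parser).
function sanitizeAttributes(html) {
  const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  return html.replace(/<([a-z][a-z0-9]*)\b([^>]*)>/gi, (m, tag, attrs) => {
    const kept = [];
    for (const a of attrs.matchAll(ATTR)) {
      const name = a[1];
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (isAllowedAttr(name, value)) {
        kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
      }
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}
```

With this allowlist the markup from the first comment comes back unchanged, while `onerror` and a `javascript:` href on the same elements are removed.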

@p1100i
Contributor

p1100i commented Oct 15, 2014

@SimeonC well, it works for me with 1.2.2 [:
