Overly restrictive of data: URIs

[ndrezn]

Hi folks, this package disallows data: URIs wholesale, which can be susceptible to the XSS exploit. However, there are cases where it's still a useful standard. Over in https://github.com/plotly/dash, we're using this project to sanitize URIs to protect against XSS, but some users have brought up that blanket prevention of data: can be overly restrictive (plotly/dash#2764).

This may not be an issue with this package per se, but the question is whether it is a reasonable approach to blanket disallow data: or whether there is a more fine-grained sanitation scheme that might allow certain kinds of valid data: URLs; maybe this is something maintainers of this package have thought about. Thanks!

[ndrezn]

For example, Mozilla has a broader definition of allowed data: URIs:

Whereas the following cases will be allowed:

• User explicitly entering/pasting “data:…” into the address bar
• Opening all plain text data files
• Opening “data:image/*” in top-level window, unless it’s “data:image/svg+xml”
• Opening “data:application/pdf” and “data:application/json”
• Downloading a data: URL, e.g. ‘save-link-as’ of “data:…”

See: https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/

[ibooker]

Hello,
We'll take a closer look at this issue.

Thanks for sharing.
(internal tracking BTWEB-1172)