
Option to not remove comments on scrub! #86

Closed
brauliobo opened this issue Apr 8, 2015 · 6 comments

Comments

@brauliobo

Is there a way to NOT remove comments on scrub!?

@brauliobo
Author

Just adding COMMENT_NODE to html5lib_sanitize solved it:

```ruby
# do not escape COMMENT_NODE
require 'loofah/scrubber'
module Loofah
  class Scrubber
    private

    # Monkey patch of Loofah's html5lib_sanitize: identical to the original
    # except that COMMENT_NODE is treated like text and kept (CONTINUE)
    # instead of falling through to STOP, which removes the node.
    def html5lib_sanitize node
      case node.type
      when Nokogiri::XML::Node::ELEMENT_NODE
        if HTML5::Scrub.allowed_element? node.name
          HTML5::Scrub.scrub_attributes node
          return Scrubber::CONTINUE
        end
      when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE, Nokogiri::XML::Node::COMMENT_NODE
        return Scrubber::CONTINUE
      end
      Scrubber::STOP
    end

  end
end
```

@flavorjones
Owner

Hi! Thanks for asking this question.

Can you tell me a little bit more about your use case? What do you want to do that Loofah's not currently allowing you to do? Can you share the code snippet and test case that tells me what you'd like to do?

@brauliobo
Author

Loofah is removing HTML comments, which I find useful and always safe to have, for example:

```html
<html>
<body>
   <!-- my comment about something -->
</body>
</html>
```

The above comment is removed by Loofah.

@Qqwy

Qqwy commented Feb 18, 2016

Another use case would be (cringes...) IE conditional comments.

@flavorjones
Owner

flavorjones commented Feb 11, 2018

@Qqwy the reason that comments are scrubbed is precisely what you suggest: that there could be unescaped HTML and/or JavaScript in the comment that would be executed by the browser.

Given that, I guess we could recursively escape the contents of the comment, similar to what we do with the contents of a script tag (see #132 for specifics) ... my question, given the lack of activity in this issue, is: is it worth the effort?

Would love to hear what Loofah and Rails users think.
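The concern raised above (comment data that a browser could re-interpret as markup), as an added example that is not Loofah's own code: a custom scrubber that behaves like `:strip` but keeps a comment only when its data passes a conservative check, so a plain note survives while an IE conditional comment or anything containing `--` or `<` is dropped. Assumes loofah 2.x is installed; `SafeComments`, `KeepSafeComments` and `scrub_keeping_safe_comments` are names introduced here.

```ruby
# Added example (not Loofah's own code). The data check is plain Ruby; the
# scrubber below it assumes loofah 2.x (Loofah::Scrubber, HTML5::Scrub) is installed.
begin
  require 'loofah'
rescue LoadError
  # gem missing: only SafeComments is usable, KeepSafeComments is not defined
end

module SafeComments
  module_function
  # True when "<!--" + data + "-->" parses back as exactly one comment holding
  # this data in an HTML5 tokenizer, and the data carries no markup at all.
  def safe_comment_data?(data)
    return false if data.include?('--')         # "-->" / "--!>" would close it
    return false if data.include?('<')          # no tags, no <![if ...]> blocks
    return false if data.start_with?('>', '->') # "<!-->" and "<!--->" are empty
    true
  end
end

if defined?(Loofah)
  # Same policy as Loofah's :strip scrubber, except comments that pass the check survive.
  class KeepSafeComments < Loofah::Scrubber
    def initialize
      @direction = :bottom_up # children first, so unwrapped content is already scrubbed
    end

    def scrub(node)
      case node.type
      when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE
        return Loofah::Scrubber::CONTINUE
      when Nokogiri::XML::Node::COMMENT_NODE
        return Loofah::Scrubber::CONTINUE if SafeComments.safe_comment_data?(node.content)
      when Nokogiri::XML::Node::ELEMENT_NODE
        if Loofah::HTML5::Scrub.allowed_element?(node.name)
          Loofah::HTML5::Scrub.scrub_attributes(node) # drop disallowed attributes
          return Loofah::Scrubber::CONTINUE
        end
        node.before(node.children) # unwrap like :strip, keeping the content
      end
      node.remove # unsafe comment, disallowed element, PI, ... is dropped
      Loofah::Scrubber::STOP
    end
  end

  def scrub_keeping_safe_comments(html)
    Loofah.fragment(html).scrub!(KeepSafeComments.new).to_s
  end
end
```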

@flavorjones
Owner

It looks like there's not interest in addressing this concern, so I'm closing this issue.
