# frozen_string_literal: true
class Sanitize
  module Config
    # Elements that get a single space inserted before and after their
    # contents when the element itself is removed, so that adjacent text does
    # not run together (see `whitespace_elements` below).
    block_level_names = %w[
      address article aside blockquote br dd div dl dt footer
      h1 h2 h3 h4 h5 h6 header hgroup hr li nav ol p pre section ul
    ]
    space_padded = block_level_names.each_with_object({}) do |name, padded|
      padded[name] = {before: " ", after: " "}
    end

    # CSS sanitization defaults. Every allow-list starts empty and every
    # toggle starts off, so nothing passes until a config opts in.
    css_defaults = {
      # Whether CSS comments are allowed.
      allow_comments: false,
      # Whether browser compatibility hacks such as the IE `*` and `_` hacks
      # are allowed. Generally harmless, but technically invalid CSS.
      allow_hacks: false,
      # Allowed at-rules that may appear without an associated block
      # (e.g. "import").
      #
      # https://developer.mozilla.org/en-US/docs/Web/CSS/At-rule
      at_rules: [],
      # Allowed at-rules whose blocks may contain properties (e.g. "font-face").
      at_rules_with_properties: [],
      # Allowed at-rules whose blocks may contain styles (e.g. "media").
      at_rules_with_styles: [],
      # Allowed CSS properties.
      properties: [],
      # Allowed URL protocols inside CSS URLs.
      protocols: []
    }

    # The baseline configuration other configs are built from. It is
    # deny-by-default: no elements, attributes or protocols are allowed until
    # a config explicitly lists them.
    DEFAULT = freeze_config(
      # Attributes to add to specific elements. Nothing is added by default.
      add_attributes: {},

      # Whether HTML comments are allowed. Strongly discouraged: IE allows
      # script execution inside conditional comments.
      allow_comments: false,

      # Whether a well-formed doctype such as "<!DOCTYPE html>" is allowed
      # when sanitizing a whole document. Ignored when sanitizing fragments.
      allow_doctype: false,

      # Attributes allowed on specific elements. Nothing is allowed by default.
      # The symbol :data stands for arbitrary HTML5 data-* attributes.
      attributes: {},

      # CSS sanitization settings (built above as `css_defaults`).
      css: css_defaults,

      # Elements allowed in the output. With the default empty list every
      # element is stripped.
      #
      # Warning: Sanitize cannot safely sanitize the contents of foreign
      # elements (elements in the MathML or SVG namespaces). Do not add `math`
      # or `svg` to this list! If you do, you may create a security
      # vulnerability in your application.
      elements: [],

      # HTML parsing options handed to Nokogumbo.
      # https://github.com/rubys/nokogumbo/tree/v2.0.1#parsing-options
      parser_options: {},

      # URL protocols allowed in specific attributes. Nothing is allowed by
      # default. Use :relative in place of a protocol to permit relative URLs
      # that carry no protocol.
      protocols: {},

      # When true, filtered elements are removed together with their contents;
      # by default only the element is dropped and the safe parts of its
      # contents are kept.
      #
      # When an Array or Set of element names, only the contents of those
      # elements are removed on filtering; every other filtered element keeps
      # its contents.
      remove_contents: %w[
        iframe math noembed noframes noscript plaintext script style svg xmp
      ],

      # Transformers filter or alter nodes with custom logic; see README.md
      # for details and examples.
      transformers: [],

      # Elements which, when removed, have their contents wrapped in the
      # `before` and `after` values to preserve readability. For example,
      # `foo<div>bar</div>baz` becomes 'foo bar baz' once the <div> is removed.
      whitespace_elements: space_padded
    )
  end
end