1

Topic: Is 'deny_attribute' a blacklist? Need whitelist.

Hi.

deny_attribute only allows denying all or specified attributes. I only need to allow 3 attributes (src, style, size), so do I need to deny all other attributes?

2

Re: Is 'deny_attribute' a blacklist? Need whitelist.

The default whitelist used by htmLawed has 111 or so attributes, so one can have an effective whitelist of the three attributes by setting 'deny_attribute' to '[list of all 111 or so except the three]'. But that's definitely cumbersome.

The upcoming 1.1.8 release [in a day or two] of htmLawed includes a change that will allow a simpler '*-src -style -size'.

3

Re: Is 'deny_attribute' a blacklist? Need whitelist.

patnaik wrote:

The upcoming 1.1.8 release [in a day or two] of htmLawed...

I've been busy and the release will be delayed by a few days.

4

Re: Is 'deny_attribute' a blacklist? Need whitelist.

Version 1.1.8 has been released.

5

Re: Is 'deny_attribute' a blacklist? Need whitelist.

Hi, until now I was using the configuration "safe"=>"1" (or something like that) and it seems that it was doing what I needed. Thanks, anyway.