Python Bleach: is there any way to strip tags that are disallowed rather than allowed?
Question
I am aware that Bleach takes a list of ALLOWED_TAGS and strips out any tags not in that list when performing clean() .
Is there a way to flip that around and strip tags based on those that are defined as disallowed? In other words, start by assuming everything is allowed, but then strip any tags that are not permitted.
For example, if there was a DISALLOWED_TAGS setting, anything in that list would be stripped. I'm not aware of any option like this, however.
I thought about setting ALLOWED_TAGS to a function (as ALLOWED_ATTRIBUTES allows) but it only seems to accept a list.
I am similarly interested in whether this can be done for ALLOWED_STYLES .
I am just looking at this from a theoretical standpoint and not whether it's actually best practice.
1 answers
solution1
1 ACCPTED 2020-08-20 17:19:48
No, specifically for Bleach, there is no way and it will not be supported in the future. The first entry on the page with project goals says Bleach will...
Always take a allowed-list-based approach
Bleach should always take a allowed-list-based approach to markup filtering. Specifying disallowed lists is error-prone and not future proof.
For example, you should have to opt-in to allowing the onclick attribute, not opt-out of all the other on* attributes. Future versions of HTML may add new event handlers, like ontouch, that old disallow would not prevent.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.