Organize the README's whitelisted elements a bit better
gjtorikian committed Aug 21, 2014
1 parent 90a4042 commit 14fc76b
Showing 1 changed file with 197 additions and 19 deletions.
216 changes: 197 additions & 19 deletions README.md
Expand Up @@ -37,32 +37,210 @@ Or, more realistically:
require 'github/markup'
GitHub::Markup.render(file, File.read(file))

Contributing
------------

See [Contributing](CONTRIBUTING.md)

HTML sanitization
-----------------

HTML rendered by the various markup language processors gets passed through an [HTML sanitization filter](https://github.com/jch/html-pipeline/blob/master/lib/html/pipeline/sanitization_filter.rb) for security reasons. HTML elements not in the whitelist are removed. HTML attributes not in the whitelist are removed from the preserved elements.

The following HTML elements, organized by category, are whitelisted:

* Headings: h1, h2, h3, h4, h5, h6, h7, h8
* Prose: p, div, blockquote
* Preformatted: pre
* Inline: b, i, strong, em, tt, code, ins, del, sup, sub, kbd, samp, q, var
* Lists: ol, ul, li, dl, dt, dd
* Tables: table, thead, tbody, tfoot, tr, td, th
* Breaks: br, hr
* Ruby (East Asian): ruby, rt, rp
<dl>
<dt>Headings</dt>
<dd>
<ul>
<li><code>h1</code></li>
<li><code>h2</code></li>
<li><code>h3</code></li>
<li><code>h4</code></li>
<li><code>h5</code></li>
<li><code>h6</code></li>
<li><code>h7</code></li>
<li><code>h8</code></li>
</ul>
</dd>

<dt>Prose</dt>
<dd>
<ul>
<li><code>p</code></li>
<li><code>div</code></li>
<li><code>blockquote</code></li>
</ul>
</dd>

<dt>Formatted</dt>
<dd>
<ul>
<li><code>pre</code></li>
</ul>
</dd>

<dt>Inline</dt>
<dd>
<ul>
<li><code>b</code></li>
<li><code>i</code></li>
<li><code>strong</code></li>
<li><code>em</code></li>
<li><code>tt</code></li>
<li><code>code</code></li>
<li><code>ins</code></li>
<li><code>del</code></li>
<li><code>sup</code></li>
<li><code>sub</code></li>
<li><code>kbd</code></li>
<li><code>samp</code></li>
<li><code>q</code></li>
<li><code>var</code></li>
</ul>
</dd>

<dt>Lists</dt>
<dd>
<ul>
<li><code>ol</code></li>
<li><code>ul</code></li>
<li><code>li</code></li>
<li><code>dl</code></li>
<li><code>dt</code></li>
<li><code>dd</code></li>
</ul>
</dd>

<dt>Tables</dt>
<dd>
<ul>
<li><code>table</code></li>
<li><code>thead</code></li>
<li><code>tbody</code></li>
<li><code>tfoot</code></li>
<li><code>tr</code></li>
<li><code>td</code></li>
<li><code>th</code></li>
</ul>
</dd>

<dt>Breaks</dt>
<dd>
<ul>
<li><code>br</code></li>
<li><code>hr</code></li>
</ul>
</dd>

<dt>Ruby (East Asian)</dt>
<dd>
<ul>
<li><code>ruby</code></li>
<li><code>rt</code></li>
<li><code>rp</code></li>
</ul>
</dd>
</dl>

The following attributes, organized by element, are whitelisted:

* a: href (http://, https://, mailto://, github-windows:// and github-mac:// URI schemes and relative paths only)
* img: src (http:// and https:// URI schemes and relative paths only)
* div: itemscope, itemtype
* all: abbr, accept, accept-charset, accesskey, action, align, alt, axis, border, cellpadding, cellspacing, char, charoff, charset, checked, cite, clear, cols, colspan, color, compact, coords, datetime, dir, disabled, enctype, for, frame, headers, height, hreflang, hspace, ismap, label, lang, longdesc, maxlength, media, method, multiple, name, nohref, noshade, nowrap, prompt, readonly, rel, rev, rows, rowspan, rules, scope, selected, shape, size, span, start, summary, tabindex, target, title, type, usemap, valign, value, vspace, width, itemprop

Note that the id attribute is *not* whitelisted.

Contributing
------------

See [Contributing](CONTRIBUTING.md)
<dl>
<dt><code>a</code></dt>
<dd>
<ul>
<li><code>href</code> (<code>http://</code>, <code>https://</code>, <code>mailto://</code>, <code>github-windows://</code>, and <code>github-mac://</code> URI schemes and relative paths only)</li>
</ul>
</dd>

<dt><code>img</code></dt>
<dd>
<ul>
<li><code>src</code> (<code>http://</code> and <code>https://</code> URI schemes and relative paths only)</li>
</ul>
</dd>

<dt><code>div</code></dt>
<dd>
<ul>
<li><code>itemscope</code></li>
<li><code>itemtype</code></li>
</ul>
</dd>

<dt>All</dt>
<dd>
<ul>
<li><code>abbr</code></li>
<li><code>accept</code></li>
<li><code>accept-charset</code></li>
<li><code>accesskey</code></li>
<li><code>action</code></li>
<li><code>align</code></li>
<li><code>alt</code></li>
<li><code>axis</code></li>
<li><code>border</code></li>
<li><code>cellpadding</code></li>
<li><code>cellspacing</code></li>
<li><code>char</code></li>
<li><code>charoff</code></li>
<li><code>charset</code></li>
<li><code>checked</code></li>
<li><code>cite</code></li>
<li><code>clear</code></li>
<li><code>cols</code></li>
<li><code>colspan</code></li>
<li><code>color</code></li>
<li><code>compact</code></li>
<li><code>coords</code></li>
<li><code>datetime</code></li>
<li><code>dir</code></li>
<li><code>disabled</code></li>
<li><code>enctype</code></li>
<li><code>for</code></li>
<li><code>frame</code></li>
<li><code>headers</code></li>
<li><code>height</code></li>
<li><code>hreflang</code></li>
<li><code>hspace</code></li>
<li><code>ismap</code></li>
<li><code>label</code></li>
<li><code>lang</code></li>
<li><code>longdesc</code></li>
<li><code>maxlength</code></li>
<li><code>media</code></li>
<li><code>method</code></li>
<li><code>multiple</code></li>
<li><code>name</code></li>
<li><code>nohref</code></li>
<li><code>noshade</code></li>
<li><code>nowrap</code></li>
<li><code>prompt</code></li>
<li><code>readonly</code></li>
<li><code>rel</code></li>
<li><code>rev</code></li>
<li><code>rows</code></li>
<li><code>rowspan</code></li>
<li><code>rules</code></li>
<li><code>scope</code></li>
<li><code>selected</code></li>
<li><code>shape</code></li>
<li><code>size</code></li>
<li><code>span</code></li>
<li><code>start</code></li>
<li><code>summary</code></li>
<li><code>tabindex</code></li>
<li><code>target</code></li>
<li><code>title</code></li>
<li><code>type</code></li>
<li><code>usemap</code></li>
<li><code>valign</code></li>
<li><code>value</code></li>
<li><code>vspace</code></li>
<li><code>width</code></li>
<li><code>itemprop</code></li>
</ul>
</dd>
</dl>

Note that the `id` attribute is *not* whitelisted.

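Review bot: the `<dt>` for the `pre` element reads "Formatted" where the bullet list it replaces said "Preformatted"; keep "Preformatted", since that is what `pre` denotes and the change reads as an accidental wording regression rather than a content update. In the `a` / `href` entry the scheme is written as `mailto://`; the actual scheme form is `mailto:` (no slashes), so check this wording against what the sanitization filter really enforces and document exactly that, because readers of this section rely on it to know what the sanitizer will let through. The "Contributing" section appears twice in the hunk (once before and once after the HTML sanitization section), which is consistent with it being moved, but confirm that only one copy survives in the resulting README.md.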
0 comments on commit 14fc76b