doc: update documentation for nonbooleanattributes

apostrophecms · Jun 5, 2023 · cefe12d · cefe12d
1 parent aff7818
commit cefe12d
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Add `.idea` temp files to `.gitignore`
 - Thanks to [Vitalii Shpital](https://github.com/VitaliiShpital) for the updates!
 - Show parseStyleAttributes warning in browser only. Thanks to [mog422](https://github.com/mog422) for this update!
+- Remove empty non-boolean attributes via exhaustive list of known attributes.
 
 ## 2.10.0 (2023-02-17)
 

diff --git a/README.md b/README.md
@@ -8,7 +8,10 @@ sanitize-html provides a simple HTML sanitizer with a clear API.
 
 sanitize-html is tolerant. It is well suited for cleaning up HTML fragments such as those created by CKEditor and other rich text editors. It is especially handy for removing unwanted CSS when copying and pasting from Word.
 
-sanitize-html allows you to specify the tags you want to permit, and the permitted attributes for each of those tags.
+sanitize-html allows you to specify the tags you want to permit, and the permitted
+attributes for each of those tags. If an attribute is a known non-boolean value,
+and it is empty, it will be removed. For example `checked` can be empty, but `href`
+cannot.
 
 If a tag is not permitted, the contents of the tag are not discarded. There are
 some exceptions to this, discussed below in the "Discarding the entire contents
@@ -125,6 +128,48 @@ allowedTags: [
   "small", "span", "strong", "sub", "sup", "time", "u", "var", "wbr", "caption",
   "col", "colgroup", "table", "tbody", "td", "tfoot", "th", "thead", "tr"
 ],
+nonBooleanAttributes: [
+  'abbr', 'accept', 'accept-charset', 'accesskey', 'action',
+  'allow', 'alt', 'as', 'autocapitalize', 'autocomplete',
+  'blocking', 'charset', 'cite', 'class', 'color', 'cols',
+  'colspan', 'content', 'contenteditable', 'coords', 'crossorigin',
+  'data', 'datetime', 'decoding', 'dir', 'dirname', 'download',
+  'draggable', 'enctype', 'enterkeyhint', 'fetchpriority', 'for',
+  'form', 'formaction', 'formenctype', 'formmethod', 'formtarget',
+  'headers', 'height', 'hidden', 'high', 'href', 'hreflang',
+  'http-equiv', 'id', 'imagesizes', 'imagesrcset', 'inputmode',
+  'integrity', 'is', 'itemid', 'itemprop', 'itemref', 'itemtype',
+  'kind', 'label', 'lang', 'list', 'loading', 'low', 'max',
+  'maxlength', 'media', 'method', 'min', 'minlength', 'name',
+  'nonce', 'optimum', 'pattern', 'ping', 'placeholder', 'popover',
+  'popovertarget', 'popovertargetaction', 'poster', 'preload',
+  'referrerpolicy', 'rel', 'rows', 'rowspan', 'sandbox', 'scope',
+  'shape', 'size', 'sizes', 'slot', 'span', 'spellcheck', 'src',
+  'srcdoc', 'srclang', 'srcset', 'start', 'step', 'style',
+  'tabindex', 'target', 'title', 'translate', 'type', 'usemap',
+  'value', 'width', 'wrap',
+  // Event handlers
+  'onauxclick', 'onafterprint', 'onbeforematch', 'onbeforeprint',
+  'onbeforeunload', 'onbeforetoggle', 'onblur', 'oncancel',
+  'oncanplay', 'oncanplaythrough', 'onchange', 'onclick', 'onclose',
+  'oncontextlost', 'oncontextmenu', 'oncontextrestored', 'oncopy',
+  'oncuechange', 'oncut', 'ondblclick', 'ondrag', 'ondragend',
+  'ondragenter', 'ondragleave', 'ondragover', 'ondragstart',
+  'ondrop', 'ondurationchange', 'onemptied', 'onended',
+  'onerror', 'onfocus', 'onformdata', 'onhashchange', 'oninput',
+  'oninvalid', 'onkeydown', 'onkeypress', 'onkeyup',
+  'onlanguagechange', 'onload', 'onloadeddata', 'onloadedmetadata',
+  'onloadstart', 'onmessage', 'onmessageerror', 'onmousedown',
+  'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout',
+  'onmouseover', 'onmouseup', 'onoffline', 'ononline', 'onpagehide',
+  'onpageshow', 'onpaste', 'onpause', 'onplay', 'onplaying',
+  'onpopstate', 'onprogress', 'onratechange', 'onreset', 'onresize',
+  'onrejectionhandled', 'onscroll', 'onscrollend',
+  'onsecuritypolicyviolation', 'onseeked', 'onseeking', 'onselect',
+  'onslotchange', 'onstalled', 'onstorage', 'onsubmit', 'onsuspend',
+  'ontimeupdate', 'ontoggle', 'onunhandledrejection', 'onunload',
+  'onvolumechange', 'onwaiting', 'onwheel'
+],
 disallowedTagsMode: 'discard',
 allowedAttributes: {
   a: [ 'href', 'name', 'target' ],
@@ -167,6 +212,14 @@ allowedTags: false,
 allowedAttributes: false
 ```
 
+#### "What if I want to allow empty attributes?"
+
+Very simple! Set `nonBooleanAttributes` to `[]`.
+
+```js
+nonBooleanAttributes: []
+```
+
 #### "What if I don't want to allow *any* tags?"
 
 Also simple!  Set `allowedTags` to `[]` and `allowedAttributes` to `{}`.