It looks like DOMPurify is removing the wrap attribute on elements like <textarea>.
Bug
Is this intentional? I'm guessing it might be a side-effect of something else, but if it's intentional, could you share some info on the risks created by this attribute or others like it?
If this attribute is being removed not because of a direct risk, but as a side-effect of something else, could that behavior be reversed without much trouble?
Hey there, thanks for raising this - as far as I can see, there is no security-related reason for removing the wrap attribute, we should safely be able to add it.
Thanks for the quick response! And also for the great library.
I'm not too familiar with its internal workings, but I did a quick review and I think (hope) the fix was just adding the wrap attribute to the html list in attrs.js? I opened a PR with that change, if that's hopefully all that was needed.