Add support for allowing data properties through data*

This new feature allows passing `data*` in `attributes`, on any
element or on all elements (`'*'`), which results in all data
properties being allowed in HAST and not sanitised away.

Closes remarkjs/remark-vdom#1.

Author: wooorm

lib/index.js

@@ -173,7 +173,10 @@ function handleProperties(schema, properties, node, stack) {
   for (prop in props) {
     value = props[prop];
 
-    if (allowed.indexOf(prop) === -1) {
+    if (
+      allowed.indexOf(prop) === -1 &&
+      !(data(prop) && allowed.indexOf('data*') !== -1)
+    ) {
       continue;
     }
 
@@ -360,3 +363,8 @@ function handleValue(schema, value) {
 function allow(schema, value) {
   return value;
 }
+
+/* Check if `prop` is a data property. */
+function data(prop) {
+  return prop.length > 4 && prop.slice(0, 4).toLowerCase() === 'data';
+}

package.json

@@ -24,6 +24,7 @@
   },
   "devDependencies": {
     "browserify": "^13.0.1",
+    "deepmerge": "^0.2.10",
     "esmangle": "^1.0.1",
     "hast-util-to-html": "^2.1.0",
     "hastscript": "^3.0.0",
@@ -56,7 +57,10 @@
       "no-negated-condition": "off",
       "guard-for-in": "off",
       "no-eq-null": "off",
-      "eqeqeq": [2, "allow-null"],
+      "eqeqeq": [
+        2,
+        "allow-null"
+      ],
       "max-lines": "off"
     },
     "ignores": [

readme.md

@@ -111,6 +111,9 @@ Map of tag-names to allowed attributes (`Object.<Array.<string>>`).
 
 The special `'*'` key sets attributes allowed on all elements.
 
+One special value, namely `'data*'`, can be used to allow all `data`
+properties.
+
 ```js
 "attributes": {
   "a": [

test.js

@@ -13,6 +13,8 @@ var test = require('tape');
 var html = require('hast-util-to-html');
 var h = require('hastscript');
 var u = require('unist-builder');
+var merge = require('deepmerge');
+var gh = require('./lib/github');
 var sanitize = require('./index.js');
 
 /* eslint-disable no-script-url, max-params */
@@ -257,6 +259,27 @@ test('sanitize()', function (t) {
       'should ignore mismatched specific properties'
     );
 
+    st.deepEqual(
+      sanitize(h('div', {dataFoo: 'bar'})),
+      h('div'),
+      'should ignore unspecified properties'
+    );
+
+    st.deepEqual(
+      sanitize(h('div', {dataFoo: 'bar'})),
+      h('div'),
+      'should ignore unspecified properties'
+    );
+
+    st.deepEqual(
+      sanitize(
+        h('div', {dataFoo: 'bar'}),
+        merge(gh, {attributes: {'*': ['data*']}})
+      ),
+      h('div', {dataFoo: 'bar'}),
+      'should allow `data*`'
+    );
+
     st.deepEqual(
       sanitize(h('img', {alt: 'hello'})),
       h('img', {alt: 'hello'}),