Nerian / bootstrap-wysihtml5-rails

WYSIWYG editor for Bootstrap, integrated in Rails assets pipeline


whitelist of elements and attributes

digitalplaywright opened this issue

To conform with the security model of wysihtml5 we would like to do server-side whitelists of elements and attributes. We are considering using the Sanitize gem (https://github.com/rgrove/sanitize/). Is there a recommended whitelist that we could base our rules on?

Hi Andreas,

Good question. @jhollingworth Do we have a list of HTML entities that wysihtml5 uses?

My guess is https://github.com/jhollingworth/bootstrap-wysihtml5/blob/master/src/bootstrap-wysihtml5.js#L371 but I am not that familiar with the internal code so I may be wrong.

@Nerian that's correct, all other elements should be blacklisted. There is some more info on this topic in the wysihtml5 wiki: https://github.com/xing/wysihtml5/wiki/Security

Cool, thanks for the hyper fast response @jhollingworth.

@digitalplaywright Let us know if you find any other trouble, and sorry it took one month for me to answer. I just discovered that Github doesn't send me notifications of my own projects unless I explicitly watch them.

@Nerian @jhollingworth Thanks! The link you provided should be helpful for anyone else looking into this problem.

In case it is of use to others we currently use this sanitization rule for the Ruby Sanitize gem:

    Sanitize.clean(_html_input,
                   :elements => ['b', 'a', 'i', 'u', 'ul', 'ol', 'li', 'blockquote', 'div', 'h1', 'h2', 'br'],
                   :attributes => {'a' => ['href', 'title', 'target']},
                   :protocols => {'a' => {'href' => ['http', 'https']}})

This rule does not whitelist all features of wysihtml5, e.g. images.