rails / rails-html-sanitizer

Nuanced rules when sanitising? (to enable other attributes like target + rel)

Zeouterlimits opened this issue · comments

For the allowed attributes in html:

self.allowed_attributes = Set.new(%w(href src width height alt cite datetime title class name xml:lang abbr))

Would it be possible to make the rules more nuanced?
For example, the target attribute is not included by default, likely because it can be used to exploit a browser's window.opener API.
However, that only applies when the rel attribute isn't present with the right inputs.

Explanation:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#target

So it would be cool if target could be a valid attribute, when present with the correct rel attribute?

I'll take a look at implementing it, but points welcome :)

@Zeouterlimits I know it's been a while since you opened this, but can you help me understand your use case? I'm curious when you'd want to allow this specific attribute through in certain circumstances in untrusted input.

The scope of rails-html-sanitizer is for making untrusted input safe, and it's not really designed for nuanced conditional handling like you're describing. But if you tell me more about your use case, maybe I can suggest an alternative solution.

@flavorjones I have a similar issue where I want to extend the existing SafeListSanitizer to allow links with target="_blank", but I couldn't find an easy way to do it.

Came up with this:

Rails::Html::SafeListSanitizer.allowed_attributes << "target"

@dankimio I think that's fine if you want to allow that attribute everywhere in your app. An alternative is just to pass the attributes: keyword to the sanitize call in the specific places where you want to allow it.

I'm going to close this, mostly because I don't think it's within the scope of Rails::Html::Sanitizer to provide complex sanitization rules. If you want complex rules, Loofah or Sanitize are better choices. This library is intended to provide baseline safety for untrusted content, and not be a filter for all of an app's trusted content.