Status: Open
Labels: enhancement (New feature or request), vaadin-markdown (The vaadin-markdown component)
Description
Describe your motivation
The Markdown component uses the DOMPurify library to XSS-sanitize rendered HTML. By default, DOMPurify may be unnecessarily strict and strip away things that would be needed and, when used correctly, do not actually constitute an XSS risk.
As an example, the `target="_blank"` attribute on links gets stripped (forum thread) (DOMPurify issue), which is probably a good default, but this seems unnecessary if `rel="noopener"` is also used.
This specific issue can be worked around by adding the `{ ADD_ATTR: ['target'] }` config option to DOMPurify, but the Markdown component doesn't provide an API for adding config options to the sanitizer.
Describe the solution you'd like
Add an API for providing config options for the sanitizer.
Describe alternatives you've considered
Quicker alternatives that could be considered instead:
- Add an API for disabling sanitization entirely, at your own risk
- To solve the specific issue mentioned in the forum thread, add the above mentioned config option by default
Additional context
No response
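The workaround discussed in this issue, shown end to end as an added example (this is not vaadin-markdown's or DOMPurify's own code). It combines the `{ ADD_ATTR: ['target'] }` config with DOMPurify's documented `addHook('afterSanitizeAttributes', ...)` so that every element allowed to keep a `target` attribute is also forced to carry `rel="noopener"`; allowing `target` alone would let a Markdown author open a page that can reach `window.opener` (reverse tabnabbing). DOMPurify itself needs a DOM and is not bundled here, so the hook body is a plain function and a constructed `FakeElement` stands in for a DOM node when running offline; `installTargetSafeguard`, `sanitizeMarkdownHtml` and `FakeElement` are names chosen for this example.

```javascript
// Added example: allow target="_blank" through DOMPurify but force rel="noopener".
// Not vaadin-markdown or DOMPurify project code; names below are this example's own.

// Config the issue proposes to pass to the sanitizer (DOMPurify's real option name).
const SANITIZER_CONFIG = { ADD_ATTR: ['target'] };

// Hook body for DOMPurify's 'afterSanitizeAttributes' hook. DOMPurify calls it once per
// element after attribute sanitization; it only needs the standard DOM attribute methods,
// so it can also be exercised on a stand-in object without a DOM.
function enforceNoopener(node) {
  if (!node || typeof node.hasAttribute !== 'function') return node;
  if (!node.hasAttribute('target')) return node; // nothing to protect
  // Merge 'noopener' into any existing rel tokens without duplicating it.
  const existing = node.getAttribute('rel') || '';
  const tokens = existing.split(/\s+/).filter(Boolean);
  if (!tokens.includes('noopener')) tokens.push('noopener');
  node.setAttribute('rel', tokens.join(' '));
  return node;
}

// Registers the hook on a DOMPurify instance and returns the config to sanitize with.
// Assumes the real DOMPurify API: purify.addHook(name, fn) and purify.sanitize(html, cfg).
function installTargetSafeguard(purify) {
  purify.addHook('afterSanitizeAttributes', enforceNoopener);
  return SANITIZER_CONFIG;
}

// What a Markdown component could call instead of a bare purify.sanitize(html).
function sanitizeMarkdownHtml(purify, html) {
  return purify.sanitize(html, SANITIZER_CONFIG);
}

// Constructed stand-in for an Element so the hook can be demonstrated offline.
class FakeElement {
  constructor(attrs) { this.attrs = new Map(Object.entries(attrs)); }
  hasAttribute(name) { return this.attrs.has(name); }
  getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
  setAttribute(name, value) { this.attrs.set(name, value); }
  toString() {
    return '<a ' + [...this.attrs].map(([k, v]) => `${k}="${v}"`).join(' ') + '>';
  }
}

// Stand-alone demo on constructed input (no DOMPurify needed).
const link = new FakeElement({ href: 'https://example.com', target: '_blank' });
enforceNoopener(link);
console.log(link.toString()); // target kept, rel="noopener" added

module.exports = { SANITIZER_CONFIG, enforceNoopener, installTargetSafeguard, sanitizeMarkdownHtml, FakeElement };
```

With a real DOMPurify instance the wiring is `const cfg = installTargetSafeguard(DOMPurify); DOMPurify.sanitize(renderedHtml, cfg);`. Adding `noreferrer` alongside `noopener` is a reasonable stricter choice (it also suppresses the Referer header), but the issue only asks for `noopener`, so that is all the hook enforces.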