by buro9 3567 days ago
Exactly.

Whitelist only trusted schemes, do not wait to blacklist untrusted.

I wrote the Go HTML sanitizer: https://github.com/microcosm-cc/bluemonday and have a rule for user generated (untrusted) content that basically does whitelist just the things that one can trust: https://github.com/microcosm-cc/bluemonday/blob/master/helpe...

That states that URIs must be:

1. Parseable

2. Relative

3. Or one of: mailto http https

4. And that I will add rel="nofollow" to external links, and additionally I'll add rel="noopener" if the link has a target="_blank" attribute

Oh, and I do not trust Data URIs either.


Might want to add tel to the whitelist. It works in roughly the same way as mailto but interfaces with telephone apps instead of email clients.

This is the default user-generated policy; others are able to tweak and adjust using policy rules, i.e.:

    p.AllowURLSchemes("tel")
I chose conservative and safe defaults, not everyone wishes to whitelist telephone links.
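The four rules listed above, plus the "extend the allowlist per deployment" step shown with `p.AllowURLSchemes("tel")`, as an added, self-contained example. This is not bluemonday's code: the `linkPolicy` type, `newUGCPolicy`, `sanitizeHref` and `renderLink` are assumptions invented here, and the `AllowURLSchemes` method only borrows the name from the thread. It uses only the Go standard library (`net/url` for rule 1) and decides per link: drop it, or keep it and emit the `rel` value the rules require.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// linkPolicy is a small model of a URL-scheme allowlist for user-generated
// links (an illustration, not bluemonday's Policy type).
type linkPolicy struct {
	schemes  map[string]bool // allowed absolute schemes, lowercased
	nofollow bool            // add rel="nofollow" to non-relative links
}

// newUGCPolicy mirrors the conservative defaults described in the thread:
// relative URLs, plus mailto, http and https. data:, javascript: and every
// other scheme are rejected simply by not being listed.
func newUGCPolicy() *linkPolicy {
	p := &linkPolicy{schemes: map[string]bool{}, nofollow: true}
	return p.AllowURLSchemes("mailto", "http", "https")
}

// AllowURLSchemes extends the allowlist, e.g. AllowURLSchemes("tel").
// (Hypothetical method; the name echoes the thread, not the library's API.)
func (p *linkPolicy) AllowURLSchemes(schemes ...string) *linkPolicy {
	for _, s := range schemes {
		p.schemes[strings.ToLower(s)] = true
	}
	return p
}

// sanitizeHref applies the four rules. It returns the rel attribute value to
// emit and ok=false when the link must be dropped entirely.
func (p *linkPolicy) sanitizeHref(href, target string) (rel string, ok bool) {
	// Rule 1: must be parseable. net/url also rejects control characters,
	// so "java\tscript:" style obfuscation never reaches the scheme check.
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil {
		return "", false
	}
	var rels []string
	switch {
	case u.Scheme == "" && u.Host == "":
		// Rule 2: plain relative URL, stays on our own origin; nothing to add.
	case u.Scheme == "" || p.schemes[u.Scheme]:
		// Rule 3: scheme-relative ("//host/...") or an allowlisted scheme.
		// Both leave our site, so treat them as external (assumption here:
		// mailto counts as external too). Go already lowercases u.Scheme.
		if p.nofollow {
			rels = append(rels, "nofollow")
		}
	default:
		return "", false // data:, javascript:, vbscript:, ... not allowlisted
	}
	// Rule 4: target="_blank" gets noopener so the opened page cannot
	// reach window.opener.
	if strings.EqualFold(target, "_blank") {
		rels = append(rels, "noopener")
	}
	return strings.Join(rels, " "), true
}

// renderLink emits the <a> element, or just the escaped text when the
// policy drops the link.
func (p *linkPolicy) renderLink(href, target, text string) string {
	rel, ok := p.sanitizeHref(href, target)
	if !ok {
		return html.EscapeString(text)
	}
	out := `<a href="` + html.EscapeString(strings.TrimSpace(href)) + `"`
	if strings.EqualFold(target, "_blank") {
		out += ` target="_blank"`
	}
	if rel != "" {
		out += ` rel="` + rel + `"`
	}
	return out + ">" + html.EscapeString(text) + "</a>"
}

func main() {
	p := newUGCPolicy()
	// Constructed sample links, not taken from any real page.
	for _, l := range [][3]string{
		{"https://example.com/", "_blank", "external"},
		{"/docs/page", "", "internal"},
		{"data:text/html,<script>alert(1)</script>", "", "data URI"},
		{"tel:+15550100", "", "phone (rejected by default)"},
	} {
		fmt.Println(p.renderLink(l[0], l[1], l[2]))
	}
	p.AllowURLSchemes("tel") // the per-deployment tweak from the thread
	fmt.Println(p.renderLink("tel:+15550100", "", "phone (now allowed)"))
}
```

The default policy never needs a denylist: `data:` and `javascript:` fall through to the `default` case because nobody listed them, which is the point of allowlisting. Note that scheme-relative `//host/path` URLs parse with an empty scheme but a non-empty host, so they are treated as external rather than as "relative".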