Remove attribute sanitization from DOMPurify configuration
Proposal
This issue is a follow-up to gitlab-ui!2295 (merged).
- Remove sanitization of
data-*
attributes implemented in !65301 (merged) - Add forbidden
data-*
attributes in DOMPurify config.
Why
Due to a bug in DOMPurify, we had to implement potentially dangerous data-*
attribute sanitization using hooks. These checks can be removed now as they are no longer needed.
Implementation
-
Remove sanitizeHTMLAttributes
and it's definition -
Add FORBID_ATTR
todefaultConfig
-
See if we can reuse forbiddenDataAttrs
Edited by Dheeraj Joshi