nigelm / html-scrubber Goto Github PK

It would be nice not only to clean up HTML, but also to be able to extend it. I use a sub to manipulate. It would be desirable not only to ban or manipulate attributes, but also to be able to add them (for example adding a target attribute depending on the href attribute)

If I understood the module HTML::Scrubber correctly, tags are either allowed or not allowed. This is unlike attributes where a callback may decide whether an attribute is dropped or modified.

In a webapp, that I'm working on, there is a hand rolled sanitizer which can drop a complete tag based on the existence or value of attributes. It would be nice to have such functionality in HTML::Scrubber too. This would allow me to eliminate the hand rolled sanitizer.

This is a bit related to #22.

Prior to merging #9, you were using a combination of testing plugins that made it so "authorship" tests were required for end users to run, and subsequently, the choice of plugins you had caused installation to failure if you didn't satisfy those deps.

Subsequently, in 0.17, you changed that, and authortests now ship in xt, and their dependencies are no longer necessary.

However, you still have this set of "user must install these" test dependencies, which is now just silly:

https://github.com/nigelm/html-scrubber/blob/master/dist.ini#L12-L23

Most of these are now only development deps.

The module appears to apply HTML::Entities:encode_entities to the passed HTML string but does not decode the data afterwards. This is unexpected.

Ex.
my $scrubber = HTML::Scrubber->new();
print $scrubber->scrub('2 > 1 is true');
2 &gt 1 is true

IMO if it's going to encode then it should decode when it's done.

This was also mentioned in the 0.15 CPAN rating/review: https://cpanratings.perl.org/dist/HTML-Scrubber

The synopsis has this code:

my $scrubber = HTML::Scrubber->new( allow => [ qw[ p b i u hr br ] ] );
print $scrubber->scrub('<p><b>bold</b> <em>missing</em></p>');
# output is: <p><b>bold</b> </p>

However, the output still contains the missing text contrary to the comment.

Any modules out there that will remove the tag as well as the content?

A few reviewers have asked for clearer documentation.

Hi,

Test::PAUSE::Permissions is listed in TEST_REQUIRES, but it seems it's only needed when doing a release. Could this be removed from Makefile.PL?

https://metacpan.org/source/NIGELM/HTML-Scrubber-0.17/Makefile.PL#L40

hi nigel,

$ perl -MHTML::Scrubber -e '$s=HTML::Scrubber->new(); print $s->scrub(qq[ Y U escape > & <, HTML::Scrubber? \n])'
Y U escape &gt; & &lt;, HTML::Scrubber?

this behavior caused me trouble. people often use > for quoting in, e.g., email.

i am not the only one who's had this issue:
https://rt.cpan.org/Public/Bug/Display.html?id=69947

it's debatable whether this behavior is "correct" : HTML::Scrubber is used to remove HTML tags of various kinds -- but here it's escaping an entity that, although it might confuse some parser, is not part of any HTML. there appears no option to turn off this behavior.

the guilty lines appear to be 440-441:
$text =~ s/</&lt;/g; #https://rt.cpan.org/Ticket/Attachment/8716/10332/scrubber.patch
$text =~ s/>/&gt;/g;

The comment suggests this behavior was added to address some issue.

In the changelog for HTML::Scrubber, there is the following:
0.03 Mon Jul 21 07:32:10 2003
- closed http://rt.cpan.org/NoAuth/Bug.html?id=2969
now escape spurious >< in text

I searched for the relevant RT ticket to understand why this change was made, but couldn't find it. It's not 8716, 10332, or 2969.

good luck.

michael