Legend:
Some differences may make sense given the difference in purposes for the codebase.
I added/reinstated @abbr, @bgcolor, @face, @high, @noshade, @nowrap, @radiogroup, @rev, @rules attributes, and the <datalist> element in the Instiki Sanitizer.
Omitting them was (arguably) an oversight.
For the rest, I’d like to hear the rationale for including them.
What thought process was behind the decision that @form was an attribute that should be on the whitelist?
Ditto (though, obviously, less serious) for @hidden?
I’d also point out the alarming number of elements and attributes that aren’t in HTML5 (nor HTML4). Why are they on the whitelist?
This was the output of a quick script hastily thrown together.
Initial take:
noscript was added to the feedparser. What is the se namespace? SVG edit perhaps? That should probably remain an instiki difference for now.
Yes, the se prefix denotes the SVG-Edit namespace. Those attributes preserve SVG-Editability. I wouldn’t expect to see them in the other Sanitizers (though I promise that they are quite harmless).
The attribute lists in feedparser and html5lib contain many attribute names which I can’t fathom a reason for.
Quite possibly, some of those are legitimate, in which case I’ll be happy to add them to Instiki.
Moving target:
The Instiki Sanitizer added <menclose> element and the notation attribute.