data: protocol in img tag src attribute not allowed for basicWithImages by default

[RaphiD]

Hi, why is the data protocol not allowed by default if I use the basicWithImages safe list to clean HTML content?

Javadoc:
This safelist allows the same text tags as {@link #basic}, and also allows img tags, with appropriate attributes, with src pointing to http or https.

[ecki]

Specifically, we wonder if there is an additional risk involved (like the can contain js and is miss-interpreted by (older) browsers or src=data: might be somehow re-used for <script>. Asuming JSoup gets that right, is it safe to allow it - or would you conider adding it to basic protocols? (I mean data: sounds less dangerous as any untrusted remote url, right?)

[MasterChiefNemo]

Would I be correct in saying the safelist is used to sanitize data being parsed by JSoup?

[ecki]

What do you mean? The safelist which allows image tags does not allow them if they are inline. The question is why

[jhy]

I think it would be a fine thing to add support for. We would need to review and see what kind (if any) validation needs to occur on the data (like e.g. checking they are all in the expected character range, etc).

I would like to add a new set of default safelists that we can extend over time. I am reluctant to make changes to the existing default safelists. They can be named like HTML5, based on the concept that HTML5 itself is evolving.

See also #1297 which is related.