Hi! Thanks for the amazing work, I have been looking for this for a long time!
I had a need related to the markdown editor and I thought it would be nice to propose it as a possible feature.
Problem
leaf_editor had no way to restrict which content types a user could insert or which editing modes were accessible. In contexts where rich content is not appropriate (e.g. I was working on a simple public user profile) there was no option to prevent users from embedding links, images, video, or switching to HTML/markdown editing mode. Any HTML produced by the editor also had no server-side content filtering, creating a gap between what the UI allowed and what could be stored.
Proposal
Introduce a deny assign (a list of atoms for now) that opts out of specific capabilities:
:links: hides the link toolbar button, blocks the Ctrl/Cmd+K shortcut, strips <a> tags from pasted HTML and from all :leaf_changed payloads
:images: hides image controls, strips <img> tags from paste and output
:video: hides the insert-video button
:markdown_mode: hides and disables the Markdown tab
:html_mode: hides and disables the HTML tab
Restrictions are enforced at both layers: server-side (sanitization applied before every :leaf_changed notification and on set_content) and client-side (toolbar visibility, keyboard shortcut guards, paste-time DOM stripping). The server layer is the security boundary; the client layer is UX only.
Security note
This change narrows the attack surface for stored XSS when the editor is used in contexts where link/image embedding is undesirable. It does not replace a full allowlist HTML sanitizer at the domain/persistence layer, which is still recommended before storing or rendering HTML payloads outside the editor.
PR
I'm opening a draft PR with the implementation of this proposal in case it is of interest 🙏 Of course, I'm open to discussing any other view of this feature!
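The two layers described in the proposal and the security note, as an added JavaScript example that is not code from leaf_editor or from the draft PR: a deny-list strip driven by the :links / :images atoms, followed by the allowlist sanitizer the security note still recommends at the persistence layer. Run on a constructed pasted payload it shows concretely what the deny layer removes and what it lets through (an <svg onload> and an on* handler on an allowed element), and what the allowlist then drops. The DENY_TAGS mapping, the ALLOW table, the SAFE_URL scheme check, prepareForStorage and the PASTED payload are illustrative assumptions; the tokenizer is a deliberate simplification rather than an HTML5 parser, so a production boundary should use a real parser or sanitizer library.

```javascript
// Added example (not leaf_editor code): a deny-list strip, as in the proposed
// `deny` assign, beside an allowlist sanitizer for the persistence layer.
// The tokenizer below is a deliberate simplification for illustration: it
// handles plain tags and quoted attributes but is not an HTML5 parser, so a
// real boundary must use a proper parser/sanitizer library.

// Which tags each deny atom removes (assumption: mirrors :links / :images in
// the proposal; :video only hides a button, so it strips nothing).
const DENY_TAGS = new Map([
  ["links", ["a"]],
  ["images", ["img"]],
]);

// Allowlist for stored profile HTML: element -> permitted attributes.
// Chosen for this example; a real project tunes it to its content model.
const ALLOW = new Map([
  ["p", []], ["br", []], ["strong", []], ["em", []],
  ["ul", []], ["ol", []], ["li", []], ["blockquote", []], ["code", []], ["pre", []],
  ["a", ["href", "title"]],
  ["img", ["src", "alt"]],
]);
const SAFE_URL = /^(https?:|mailto:)/i;                  // rejects javascript:, data:, obfuscated schemes
const DROP_WITH_CONTENT = new Set(["script", "style"]); // their text is code, not content

// Split HTML into text and tag tokens. Limitation: a '>' inside a quoted
// attribute value, comments and CDATA are not handled.
function tokenize(html) {
  const tokens = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  let last = 0;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m.index > last) tokens.push({ type: "text", value: html.slice(last, m.index) });
    tokens.push({
      type: "tag",
      raw: m[0],
      name: m[1].toLowerCase(),
      closing: m[0].startsWith("</"),
      attrs: m[2],
    });
    last = re.lastIndex;
  }
  if (last < html.length) tokens.push({ type: "text", value: html.slice(last) });
  return tokens;
}

// Parse an attribute string into [name, value] pairs (values left entity-encoded).
function parseAttrs(raw) {
  const out = [];
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    out.push([m[1].toLowerCase(), value]);
  }
  return out;
}

// Deny-list layer: remove only the tags the deny atoms name, keep their text.
// This is what narrows the surface; everything else passes through untouched.
function applyDeny(html, deny) {
  const denied = new Set(deny.flatMap((atom) => DENY_TAGS.get(atom) ?? []));
  return tokenize(html)
    .filter((tok) => tok.type === "text" || !denied.has(tok.name))
    .map((tok) => (tok.type === "text" ? tok.value : tok.raw))
    .join("");
}

// Allowlist layer: drop every element and attribute not explicitly permitted,
// drop script/style bodies, and accept href/src only with a safe scheme.
function allowlistSanitize(html) {
  const out = [];
  let skipUntil = null; // set while inside a script/style element
  for (const tok of tokenize(html)) {
    if (skipUntil !== null) {
      if (tok.type === "tag" && tok.closing && tok.name === skipUntil) skipUntil = null;
      continue;
    }
    if (tok.type === "text") { out.push(tok.value); continue; }
    if (!ALLOW.has(tok.name)) {
      if (!tok.closing && DROP_WITH_CONTENT.has(tok.name)) skipUntil = tok.name;
      continue; // unknown element: drop the tag, keep its text children
    }
    if (tok.closing) { out.push(`</${tok.name}>`); continue; }
    const permitted = ALLOW.get(tok.name);
    let attrs = "";
    for (const [name, value] of parseAttrs(tok.attrs)) {
      if (!permitted.includes(name)) continue; // drops on*, style, target, ...
      if ((name === "href" || name === "src") && !SAFE_URL.test(value.trim())) continue;
      attrs += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
    }
    out.push(`<${tok.name}${attrs}>`);
  }
  return out.join("");
}

// The chain for a profile field: editor-side deny strip, then the
// domain-layer allowlist before the payload is stored or rendered.
function prepareForStorage(html, deny) {
  return allowlistSanitize(applyDeny(html, deny));
}

// Constructed pasted payload for the demonstration (not from any real incident).
const PASTED =
  '<p>Hello <a href="https://x.test" onclick="steal()">site</a></p>' +
  '<img src="x" onerror="alert(1)">' +
  '<svg onload="alert(2)"><p>bye</p></svg>' +
  '<p onmouseover="alert(3)">ok</p>';

console.log(applyDeny(PASTED, ["links", "images"]));        // <svg onload> and onmouseover survive
console.log(prepareForStorage(PASTED, ["links", "images"])); // <p>Hello site</p><p>bye</p><p>ok</p>
```

The first output is the point of the security note: with :links and :images denied the editor emits no <a> or <img>, but an inline <svg onload> and an on* attribute on an otherwise harmless <p> pass straight through, because a deny list only knows what it was told to remove. Only the allowlist pass, which keeps nothing it was not told to keep, turns the payload into plain paragraphs.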