Make allowed HTML attributes configurable #925
Open
adam-h wants to merge 1 commit into basecamp:main from
Add an `additionalAllowedAttributes` option that lets apps specify extra HTML attributes to preserve through both DOMPurify (client) and Action Text sanitization (server). Rails apps configure this in one place via `config.lexxy.additional_allowed_attributes`. The gem emits the setting onto each rendered `<lexxy-editor>` element so a separate JS `Lexxy.configure` call is not needed. Non-Rails apps can use the editor preset or element attribute directly. This is a follow-on to basecamp#713 making the solution generic rather than specific to list 'start' attributes.
Pull request overview
This PR adds a single, shared configuration point for preserving extra HTML attributes through Lexxy’s client-side DOMPurify sanitization and Rails Action Text server-side sanitization, with Rails automatically emitting the setting onto each rendered `<lexxy-editor>` element.
Changes:
- Add `additionalAllowedAttributes` to the editor config/preset and thread it into DOMPurify config generation during HTML serialization.
- Add Rails config `config.lexxy.additional_allowed_attributes`, apply it to Action Text sanitization, and emit it onto rendered editor elements as `additional-allowed-attributes`.
- Add browser + Rails system test coverage and document the new option.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| test/test_helpers/lexxy_configuration_helper.rb | Adds a helper to temporarily override Lexxy/Rails config and reconfigure the Action Text sanitizer in tests. |
| test/test_helper.rb | Includes the new configuration helper in the shared test base class. |
| test/system/action_text_load_test.rb | Adds a system test ensuring configured attributes survive an Action Text save/edit round trip. |
| test/browser/tests/editor/load_html.test.js | Adds a Playwright test verifying attribute preservation is configurable on the client. |
| test/browser/fixtures/allowed-html-attributes.html | Adds a fixture page that sets additional-allowed-attributes on the editor element. |
| src/helpers/sanitization_helper.js | Passes optional config through to DOMPurify config generation. |
| src/elements/editor.js | Supplies additionalAllowedAttributes from editor configuration when serializing editor HTML. |
| src/config/lexxy.js | Adds additionalAllowedAttributes to the default preset so it can be set via presets/attributes. |
| src/config/dom_purify.js | Makes the allowed-attribute list additive and configurable via additionalAllowedAttributes. |
| lib/lexxy/rich_text_area_tag.rb | Emits additional-allowed-attributes onto `<lexxy-editor>` based on Rails config. |
| lib/lexxy/engine.rb | Adds default Rails config value and centralizes Action Text sanitizer setup via Lexxy.configure_action_text_sanitizer!. |
| lib/lexxy.rb | Introduces helper methods/constants to configure Action Text allowed tags/attributes + Loofah CSS functions, including additional attributes. |
| docs/configuration.md | Documents additionalAllowedAttributes and the Rails config.lexxy.additional_allowed_attributes integration. |
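
An additive, configurable attribute allowlist of the kind this PR describes, sketched as an added example (not code from the PR or from Lexxy). `ALLOWED_ATTR` is DOMPurify's own option; the base list, the function names and the rejection policy for event-handler and markup-carrying attributes are assumptions made for illustration.

```javascript
// Added example: not Lexxy's code. BASE_ALLOWED_ATTR is a constructed stand-in
// for the editor's built-in list; the rejection policy is an assumption.
const BASE_ALLOWED_ATTR = ["href", "src", "alt", "title", "class"];

// Attribute names that must never be opted in through configuration.
const NAME_PATTERN = /^[a-z][a-z0-9-]*$/;          // plain lowercase names only
const EVENT_HANDLER = /^on/;                        // onclick, onerror, ...
const DENIED = new Set(["srcdoc", "formaction"]);   // carry markup or script URLs

function vetAdditionalAttributes(additional = []) {
  const accepted = [];
  const rejected = [];
  for (const raw of additional) {
    const name = String(raw).trim().toLowerCase();
    const ok = NAME_PATTERN.test(name) && !EVENT_HANDLER.test(name) && !DENIED.has(name);
    (ok ? accepted : rejected).push(name);
  }
  return { accepted, rejected };
}

// Build the DOMPurify options additively: the base list is never replaced,
// only extended with vetted names, and duplicates are dropped.
function buildDomPurifyConfig(additional = []) {
  const { accepted, rejected } = vetAdditionalAttributes(additional);
  if (rejected.length > 0) {
    throw new Error(`refusing to allow attributes: ${rejected.join(", ")}`);
  }
  return { ALLOWED_ATTR: [...new Set([...BASE_ALLOWED_ATTR, ...accepted])] };
}

// The same list has to reach the server-side sanitizer; this reports drift
// between what the client preserves and what the server will keep.
function allowlistDrift(clientAttrs, serverAttrs) {
  const client = new Set(clientAttrs);
  const server = new Set(serverAttrs);
  return {
    strippedOnSave: [...client].filter((a) => !server.has(a)),
    strippedInEditor: [...server].filter((a) => !client.has(a)),
  };
}
```

Failing closed on a rejected name at configuration time keeps a typo or an overly broad entry from silently widening what the sanitizer lets through.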