Add 'tel:' to sanitizer acceptable protocols? #138
Comments
|
I just closed the relevant PR. First, someone needs to research whether Though that's conflating "valid" with "safe" a bit. I don't think this is a good thing to have as a default. Given that, I'm going to close this out. If someone can prove it's safe in all contexts, I'm game for re-opening and discussing it further. |
|
I'm pretty sure it is safe with the possible proviso of very old Android WebView, but I never sat down and figured this out. Validity is irrelevant for the sanitiser; we allow tons of invalid stuff. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Most (if not all) mobile browsers can hyperlink telephone numbers, like so:
`0123456789``
When tapped / clicked, these numbers will open in the phone's dialler. Any objections to adding 'tel' to the list of acceptable_protocols in sanitizer.py?
The text was updated successfully, but these errors were encountered: