[WEB-4806] chore: updated html attribute validation

[NarayanBavisetti]

Description

updated the html tags and attribute validation for the content.

Type of Change

• Improvement (change that would cause existing functionality to not work as expected)

Summary by CodeRabbit

• New Features
  • Improved rich-text support: image-component/img, mention-component, tables (th/td/tr), code/pre, and form elements (input/label).
  • Accepts additional data-* and style-related attributes for better formatting control.
• Bug Fixes
  • Reduces unintended stripping of valid content and attributes.
  • Supports attribute synonyms (e.g., aspectRatio/aspectratio, textColor/textcolor, hideContent/hidecontent) for better compatibility.
  • More consistent rendering of tables, code blocks, images, and mentions after sanitization.
• Refactor
  • Updated sanitization rules to align with the latest editor tag naming and attribute conventions.

[coderabbitai]

Walkthrough

Revises HTML sanitization in apps/api/plane/utils/content_validator.py by redefining CUSTOM_TAGS and ATTRIBUTES to align with new editor tag names and attributes. Updates allowed tags/attributes (e.g., image-component, img, mention-component, th/td/tr, pre/code/input) and data-* handling, affecting nh3.clean behavior without changing public function signatures.

Changes

Cohort / File(s)	Summary
Sanitizer schema update apps/api/plane/utils/content_validator.py	Replaced legacy editor tags with normalized tags; overhauled ATTRIBUTES including wildcard and per-tag sets; added/renamed attributes (e.g., aspectRatio/aspectratio, textColor/textcolor, hideContent/hidecontent), added data-* handling (e.g., data-name), introduced native table/code/input attributes; validate_html_content behavior changes via nh3.clean configuration.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Caller
  participant V as validate_html_content
  participant N as nh3.clean

  C->>V: HTML input
  V->>N: clean(html, CUSTOM_TAGS, ATTRIBUTES, ...)
  Note over N: Applies updated tag/attribute\nallow-lists (e.g., image-component,\nimg, mention-component, th/td/tr,\npre/code/input, data-* keys)
  N-->>V: Sanitized HTML
  V-->>C: Return sanitized HTML

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• [WEB-4806] chore: improved the html validation #7676 — Also modifies CUSTOM_TAGS and ATTRIBUTES in the same sanitizer module, directly related schema evolution.

Suggested labels

requires approval

Suggested reviewers

• pablohashescobar
• dheeru0198
• sriramveeraghanta

Poem

Hops in the markup meadow I go,
Trimming tags in a tidy row.
img and pre, th/td in line—
data-* carrots looking fine.
With sanitized paws I gently preen,
The cleanest content you’ve ever seen. 🥕✨

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore-html-attributes-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[makeplane]

Pull Request Linked with Plane Work Items

• [WEB-4806] HTML validation with safe tags

Comment Automatically Generated by Plane

[Copilot]

Pull Request Overview

This PR updates HTML tag and attribute validation for content processing by modernizing the allowed tags and their attributes to align with current HTML standards.

• Replaces custom editor-specific tag names with standard HTML equivalents
• Updates attribute validation to include both camelCase and lowercase variants for compatibility
• Adds support for new HTML elements like input and label tags

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

apps/api/plane/utils/content_validator.py (2)

79-106: Allowing style without CSS filtering is unsafe; wire up nh3.filter_style_properties and narrow scope.

Right now any inline styles pass through. Configure allowed CSS properties and (ideally) drop style from the global "*" set to reduce attack surface. nh3 exposes filter_style_properties for this purpose. (nh3.readthedocs.io)

Apply:

     "*": {
       "class",
       "id",
       "title",
       "role",
       "aria-label",
       "aria-hidden",
-      "style",
+      # avoid allowing style globally; allow per-tag and filter it below
       # common editor data-* attributes seen in stored HTML

Define allowed CSS properties (place near SAFE_PROTOCOLS):

# CSS properties allowed in inline style attributes (conservative)
ALLOWED_CSS_PROPERTIES = {
    "color", "background-color", "text-align", "vertical-align",
    "font-weight", "font-style", "text-decoration", "white-space",
    "border", "border-color", "border-style", "border-width",
    "border-collapse", "border-spacing", "border-radius",
    "padding", "padding-left", "padding-right", "padding-top", "padding-bottom",
    "margin", "margin-left", "margin-right", "margin-top", "margin-bottom",
    "width", "height", "max-width", "max-height"
}

And pass it to nh3.clean (see comment on Lines 218-224 for diff).
Also: the comment about “dynamically include all data-* seen in the input” is outdated; if you want that behavior, pass generic_attribute_prefixes={"data-"} (see below). (nh3.readthedocs.io)

---

218-224: Harden nh3.clean: add CSS filtering, explicit link_rel, and generic data- allowance.*

This makes style safe, ensures rel is set consistently, and aligns behavior with the comment about data-* keys. (nh3.readthedocs.io)

Apply:

         clean_html = nh3.clean(
             html_content,
             tags=ALLOWED_TAGS,
             attributes=ATTRIBUTES,
-            url_schemes=SAFE_PROTOCOLS,
+            url_schemes=SAFE_PROTOCOLS,
+            link_rel="noopener noreferrer nofollow ugc",
+            filter_style_properties=ALLOWED_CSS_PROPERTIES,
+            generic_attribute_prefixes={"data-"},
         )

🧹 Nitpick comments (1)

apps/api/plane/utils/content_validator.py (1)

128-151: Optionally canonicalize mixed-case attributes (aspectRatio/textColor/hideContent).

To avoid duplicating both cases in allowlists, normalize via attribute_filter. (nh3.readthedocs.io)

Example:

def _attr_filter(tag: str, attr: str, val: str):
    mapping = {
        "aspectratio": {"aspectratio", "aspectRatio"},
        "textcolor": {"textcolor", "textColor"},
        "hidecontent": {"hidecontent", "hideContent"},
    }
    lower = attr.lower()
    for canon, variants in mapping.items():
        if attr in variants or lower in variants:
            return canon, val
    return attr, val

Wire it: nh3.clean(..., attribute_filter=lambda t,a,v: (_attr_filter(t,a,v)[1] if False else v)) # or adapt to your preferred signature wrapper.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9965fc7 and 166d8b4.

📒 Files selected for processing (1)

• apps/api/plane/utils/content_validator.py (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (javascript)

🔇 Additional comments (2)

apps/api/plane/utils/content_validator.py (2)

70-73: LGTM on tag normalization.

Allowing mention-component, label, input, and image-component aligns with the new editor model. No issues spotted here.

---

118-127: SAFE_PROTOCOLS excluding data URIs is acceptable
No <img src="data:…"> or toDataURL() usages in editor-sanitized content—only static CSS data-URIs and API-returned favicon_base64. Leave SAFE_PROTOCOLS unchanged; add data to url_schemes or pre-convert images only if inline base64 uploads are ever required.