Expose allowed style properties via extensions #1002
Pull request overview
This PR extends Lexxy’s sanitization pipeline so extensions can opt into additional allowed CSS properties (beyond the default color and background-color) while also refactoring DOMPurify configuration/hook setup to avoid import-time side effects.
Changes:
- Add an `allowedStyles` extension hook and aggregate allowed styles across enabled extensions.
- Refactor `buildConfig` to return `{ config, hooks }`, and re-register DOMPurify hooks on each `setSanitizerConfig` call.
- Add unit coverage for default style filtering, opt-in properties, rebuild/reset behavior, and element hook behavior.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/javascript/unit/config/dom_purify.test.js | Adds unit tests for style allowlisting and hook behavior. |
| src/helpers/sanitization_helper.js | Rebuilds DOMPurify config + hooks per call and resets existing hooks/config. |
| src/extensions/lexxy_extension.js | Introduces allowedStyles getter on the extension base class. |
| src/elements/editor.js | Passes aggregated allowedStyles into sanitizer setup during editor initialization. |
| src/editor/extensions.js | Aggregates allowed styles from enabled extensions. |
| src/config/dom_purify.js | Makes sanitizer config building pure and adds style-filter hook factory driven by allowed style properties. |
Extensions can now contribute CSS properties through an `allowedStyles` getter, mirroring how `allowedElements` contributes tags/attributes. The default allowlist is `color` and `background-color`; host apps that need `text-align` or other properties opt in per-extension.
61c5064 to 61cbe04
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.
buildConfig is now pure: it returns { config, hooks } where the style
filter closes over the allowed style properties for that call.
setSanitizerConfig removes previous hooks and registers the fresh ones
before applying the DOMPurify config.
This removes the module-level `let allowedStyleProperties` and the
top-level addHook side effects from dom_purify.js.
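The pure-factory shape described in this commit message, as an added example that is not Lexxy's own code: the style filter closes over the allowlist for one `buildConfig` call, so a later rebuild cannot inherit an earlier call's opt-ins. The names `filterStyle`, `runStyleHook`, `DEFAULT_STYLES` and `SAFE_VALUE`, the use of DOMPurify's `uponSanitizeAttribute` hook, and the value check are assumptions of this sketch.

```javascript
// Added example; identifiers are hypothetical, not taken from the Lexxy source.
const DEFAULT_STYLES = ["color", "background-color"];

// Assumption of this sketch: keep only plain value tokens, so quotes,
// backslashes and url(...) never survive re-serialization.
const SAFE_VALUE = /^[a-z0-9#%.,()\s-]+$/i;

// Keep only declarations whose property is in the allowlist.
function filterStyle(styleText, allowed) {
  const kept = [];
  for (const declaration of styleText.split(";")) {
    const colon = declaration.indexOf(":");
    if (colon === -1) continue;
    const property = declaration.slice(0, colon).trim().toLowerCase();
    const value = declaration.slice(colon + 1).trim();
    if (!allowed.has(property)) continue;
    if (!SAFE_VALUE.test(value) || /url\s*\(/i.test(value)) continue;
    kept.push(`${property}: ${value}`);
  }
  return kept.join("; ");
}

// Pure: returns config and hooks, registers nothing and keeps no module state.
function buildConfig({ allowedStyles = [] } = {}) {
  const allowed = new Set(
    [...DEFAULT_STYLES, ...allowedStyles].map((p) => p.toLowerCase())
  );
  const uponSanitizeAttribute = (node, data) => {
    if (data.attrName !== "style") return;
    const filtered = filterStyle(data.attrValue, allowed);
    if (filtered) data.attrValue = filtered;
    else data.keepAttr = false; // nothing allowed is left: drop the attribute
  };
  return { config: { ADD_ATTR: ["style"] }, hooks: { uponSanitizeAttribute } };
}

// Drives the hook with a constructed attribute event, the way DOMPurify
// would call it for each attribute it visits.
function runStyleHook(hooks, styleText) {
  const data = { attrName: "style", attrValue: styleText, keepAttr: true };
  hooks.uponSanitizeAttribute(null, data);
  return data.keepAttr ? data.attrValue : null;
}
```

In the editor the returned hooks would be registered with `DOMPurify.addHook` after removing the previous ones, which is the reset step the commit message attributes to `setSanitizerConfig`.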
1f950e5 to c73c1e6
Summary
- `allowedStyles` getter, mirroring how `allowedElements` contributes tags/attributes.
- `color` and `background-color`. Anything beyond that (e.g. `text-align`, `font-weight`) is opt-in per-extension.
- `buildConfig` becomes a pure function returning `{ config, hooks }`. `sanitization_helper` removes previous hooks and registers the fresh ones before applying the DOMPurify config — no more module-level mutable state or import-time `addHook` side effects.
Motivation
Host apps embedding Lexxy sometimes need additional style properties sanitized through (e.g. text alignment, custom typography) without forking the editor or exposing the full `style` attribute. This mirrors the existing `allowedElements` extension hook so the same pattern works for both tags/attributes and styles.
Usage
Test plan