It would be nice if FilterUrlByProtocolAttributePolicy was a bit more configurable

[xenomachina]

HtmlPolicyBuilder currently adds an instance of FilterUrlByProtocolAttributePolicy as a policy on a bunch of attributes. The only configuration that seems to affect it is the set of allowed protocols. It is also only inserted on attributes that already have attributes applied to them.

Currently I'm using a preprocessor to do the following:

1. Resolving URLs against a "base" URL. For example, if my base URL is "http://example.com/base", then I want <a href="/foo"> to turn into <a href="http://example.com/foo">.

2. When a URL is "unsafe" I replace it with with a safe URL (eg: ""), rather than eliminating the attribute entirely, so that <a href="evil:">click</a> would still be a link, it would just be "neutered", eg: <a href="">click</a>. To get this behavior, my preprocessor essentially needs to do the same job as FilterUrlByProtocolAttributePolicy, with this one tweak.

My preprocessor also has to duplicate HtmlPolicyBuilder.URL_ATTRIBUTE_NAMES, as it is private, and I haven't even worked out how to get it to work for URLs in styles properly yet.

Here's a straw-man proposal to make this a bit easier:

1. Add the ability to provide a "URL preprocessor" that could transform URLs before FilterUrlByProtocolAttributePolicy filters them.

2. Add the ability to provide a fallback URL that would be used in place of null. (To be safe, perhaps this URL should, itself, also be run through the filtering logic.)

[xenomachina]

As an aside: I haven't had a chance to test this yet, but I think there may be a bug in the handling of the archive attribute in FilterUrlByProtocolAttributePolicy. The HTML 4.01 Specification says it's "a space-separated list of URIs", but from the code it looks like it's treated as a single URL.

[mikesamuel]

Does the URL classifier meet your needs?

#126