Watcher “watcher.actions.email.html.sanitization” table attributes

santhosh · May 25, 2016, 4:56pm

I construct email alerts in elasticsearch watcher using HTML and I have also configured to sanitize following html tags in elasticsearch.yml

watcher.actions.email.html.sanitization:
  allow: _tables, _blocks, _formatting, _links, _styles

But in my alerts, I see the table is constructed but the table attributes were not considered while constructing the table. For example, the border, cellpadding and colspan were never applied on my table. Table example given below

<table border='1' cellpadding='5' style='font-family:sans-serif;font-size:13px'><thead><tr><th>Type</th><th colspan='5'>Version</th></tr></thead><tbody> etc.

I can still achieve it by completely disabling the HTML sanitization like below, but it was not recommended as it involved security risks.

watcher.actions.email.html.sanitization.enabled: false

I have even tried to use allow: _tables:all, but it didn't work and it doesn't seem to be the right thing.

Is there a way to achieve it by enabling only few tags along with it's attributes?

spinscale · May 26, 2016, 7:45am

Hey,

right now border and cellpadding attributes are always dropped. You can get the style attribute working by allowing _styles in the sanitizer config.

Will check if it makes sense to open up more attributes here.

--Alex

santhosh · May 26, 2016, 2:13pm

Yes, the style attribute works. Is colspan attribute too dropped for table?

Is there any documentation that says what attributes are considered and what not for HTML tags?

spinscale · May 26, 2016, 2:53pm

Hey,

right now colspan is dropped. I allowed it manually for the next release (together with rowspan and border for td/tr), however we will come up with a more generic solution in the future, so you can configure this yourself.

Our current idea is to allow the user to configure the tags and the allowed attributes for such a tag like a:href|class|id or a:_all - would that make sense and work for you?

--Alex

santhosh · May 26, 2016, 3:09pm

Yeah sure. It does make sense. Thanks for opening up more options.

santhosh · May 26, 2016, 6:43pm

And also it would be helpful for new users if the documentation is updated saying which attributes are dropped for which tags.

santhosh · June 2, 2016, 2:03pm

@spinscale Looks like <th> of <table> also won't render in watch alerts. Is this too dropped?

spinscale · June 6, 2016, 9:35am

Hey,

th is supported. Can you provide an example, what is not working?

--Alex