ActivityPub/Primer/HTML

From W3C Wiki

Two properties of ActivityPub objects can contain HTML: summary and content. This primer page gives guidance on best practices for these properties across the different ActivityPub data types.

summary

The summary property is usually a few sentences at most, so it can fit inside a typical HTML <p> element. The minimum set of elements that a summary property should support is:

  • <p>
  • <span>
  • <a> (href, rel)
  • <del>
  • <code>
  • <pre>
  • <em>
  • <strong>
  • <b>
  • <i>
  • <u>

The summary is also used as a fallback representation when the name property is unavailable, per section 4.1.1 of AS2 core, in which case no HTML should be included. In some implementations, summary has been used for non-normative purposes, such as content warnings, which may not support HTML at all, or may display it differently from what the publisher intended.

URLs in the href attribute should not use unsafe URL schemes. The following schemes are considered unsafe and should not be used by ActivityPub implementations, because of the risk of cross-site scripting attacks and related issues.

  • javascript:
  • data:

These are some common known-good URL schemes:

  • https:
  • mailto:
  • tel:

Guidance for publishers

  • Don't use HTML in the summary property when there is no name property.
  • Keep the content of the summary property short, about 1 paragraph or less.
  • Only use the <p> element for a single paragraph wrapping the entire summary. Don't include multiple paragraphs.
  • Avoid using additional elements.
  • Don't use JavaScript.
  • Don't use CSS.
  • Avoid using URL schemes that aren't in the known good schemes list above.

Guidance for consumers

  • The recommendations here are for current social network applications of ActivityPub. Future usage may include summaries that are much longer than a single paragraph, so consumers should be aware of and ready to process longer summaries.
  • Use an HTML sanitizer to remove elements that aren't on the above list.
  • Use an HTML sanitizer to remove unwanted attributes, especially ones that relate to CSS or JavaScript, such as onclick and class, and potentially even data-* attributes if your client code uses them to trigger JavaScript functionality.
  • Sanitize URLs to remove schemes that are known to be unsafe: data: and javascript:.
  • Consider removing <a> elements that have unsafe URL schemes in the href attribute.
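The consumer guidance above, as an added example that is not part of this wiki page or of any ActivityPub implementation: a small allowlist sanitizer for the summary property built on Python's standard-library HTML parser. It keeps only the elements listed above (href and rel on <a>), drops every other attribute, discards the text inside script and style elements, and unwraps any <a> whose href scheme is not in the known-good list (stricter than removing only data: and javascript:). The names SummarySanitizer, safe_href and sanitize_summary are this example's own.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist for the summary property (element -> attributes kept on it), per this page.
SUMMARY_ALLOWED = {
    "p": set(), "span": set(), "a": {"href", "rel"}, "del": set(), "code": set(),
    "pre": set(), "em": set(), "strong": set(), "b": set(), "i": set(), "u": set(),
}
SAFE_SCHEMES = {"https", "mailto", "tel"}  # the page's known-good schemes
DROP_CONTENT = {"script", "style"}         # text inside these is discarded, not unwrapped

def safe_href(value):
    # Browsers ignore whitespace/control chars in a scheme ("java\nscript:" still runs): strip them.
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:                     # e.g. malformed IPv6 literal in the host part
        return False
class SummarySanitizer(HTMLParser):
    def __init__(self, allowed=SUMMARY_ALLOWED):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.stack, self.skip = allowed, [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in self.allowed:
            return                         # disallowed element: tag dropped, text kept
        kept = {k: v for k, v in attrs if k in self.allowed[tag] and v is not None}
        if tag == "a" and not safe_href(kept.get("href", "")):
            return                         # unwrap links whose scheme is not known-good
        attr_text = "".join(f' {k}="{html.escape(v)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif not self.skip and tag in self.stack:   # closers of dropped tags are ignored
            while self.stack[-1] != tag:            # close mis-nested children first
                self.out.append(f"</{self.stack.pop()}>")
            self.out.append(f"</{self.stack.pop()}>")
    def handle_data(self, data):
        if not self.skip:                  # re-escape so decoded entities cannot form tags
            self.out.append(html.escape(data, quote=False))

def sanitize_summary(markup, allowed=SUMMARY_ALLOWED):
    s = SummarySanitizer(allowed)
    s.feed(markup)
    s.close()
    return "".join(s.out) + "".join(f"</{t}>" for t in reversed(s.stack))  # close leftovers
```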

content

Note

  • <p>
  • <span> (class)
  • <br>
  • <a> (href, rel, class)
  • <del>
  • <pre>
  • <code>
  • <em>
  • <strong>
  • <b>
  • <i>
  • <u>
  • <ul>
  • <ol> (start, reversed)
  • <li> (value)
  • <blockquote>

Guidance for publishers

Guidance for consumers

Article

  • <p>
  • <span> (class)
  • <br>
  • <a> (href, rel, class)
  • <del>
  • <pre>
  • <code>
  • <em>
  • <strong>
  • <b>
  • <i>
  • <u>
  • <h1> through <h6>
  • <ul>
  • <ol> (start, reversed)
  • <li> (value)
  • <blockquote>

Guidance for publishers

Guidance for consumers

Other types

Other processing guidance

Relays