ActivityPub/Primer/HTML
Two properties of ActivityPub objects can contain HTML: summary and content. This primer page gives some guidance on the best practices for these properties for different ActivityPub data types.
summary
The summary property is usually a few sentences at maximum, so it can fit inside a typical HTML <p> element. The minimum set of elements that a summary property should support is:
- <p>
- <span>
- <a> (href, rel)
- <del>
- <code>
- <pre>
- <em>
- <strong>
- <b>
- <i>
- <u>
The summary is also used as a fallback representation when the name property is unavailable, per section 4.1.1 of AS2 core, in which case no HTML should be included. In some implementations, summary has been used for non-normative purposes, such as content warnings, which may not support HTML content at all or may result in a different display than that which is intended by the publisher.
URLs in the href property should not include unsafe URL schemes. The following URL schemes are considered unsafe and should not be used by ActivityPub implementations, due to the risk of cross-site scripting attacks and related issues:
- javascript:
- data:
These are some of the common known good URL schemes:
- https:
- mailto:
- tel:
Guidance for publishers
- Don't use HTML in the summary property when there is no name property.
- Keep the content of the summary property short, about 1 paragraph or less.
- Only use the <p> element for a single paragraph wrapping the entire summary. Don't include multiple paragraphs.
- Avoid using additional elements.
- Don't use JavaScript.
- Don't use CSS.
- Avoid using URL schemes that aren't in the known good schemes list above.
Guidance for consumers
- The recommendations here are for current social network applications of ActivityPub. Future usage may include summaries that are much longer than a single paragraph, so consumers should be aware of and ready to process longer summaries.
- Use an HTML sanitizer to remove elements that aren't on the above list.
- Use an HTML sanitizer to remove unwanted attributes, especially ones that relate to CSS or JavaScript, like onclick or class or potentially even data-* attributes, if your client code makes use of these properties to trigger JavaScript functionality.
- Sanitize URLs to remove schemes that are known to be unsafe: data: and javascript:.
- Consider removing <a> elements that have unsafe URL schemes in the href attribute.
content
Note
- <p>
- <span> (class)
- <br>
- <a> (href, rel, class)
- <del>
- <pre>
- <code>
- <em>
- <strong>
- <b>
- <i>
- <u>
- <ul>
- <ol> (start, reversed)
- <li> (value)
- <blockquote>
Guidance for publishers
Guidance for consumers
Article
- <p>
- <span> (class)
- <br>
- <a> (href, rel, class)
- <del>
- <pre>
- <code>
- <em>
- <strong>
- <b>
- <i>
- <u>
- <h1> through to <h6>
- <ul>
- <ol> (start, reversed)
- <li> (value)
- <blockquote>
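As an added example (not from the primer or from any ActivityPub project), a small Python allowlist sanitizer built on the standard library's html.parser that applies the consumer guidance for summary above and the Note content element list: only allowlisted elements and attributes survive, an href must use a known-good scheme or the whole <a> is removed, and script/style subtrees are dropped. The DROP_SUBTREE and VOID sets and the choice to treat relative or empty hrefs as unsafe are this example's assumptions, not the primer's.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists from the primer: element -> attributes it may carry.
SUMMARY_ALLOW = {t: set() for t in "p span del code pre em strong b i u".split()} | {"a": {"href", "rel"}}
NOTE_CONTENT_ALLOW = {**SUMMARY_ALLOW, "span": {"class"}, "a": {"href", "rel", "class"}, "br": set(),
                      "ul": set(), "ol": {"start", "reversed"}, "li": {"value"}, "blockquote": set()}
SAFE_SCHEMES = {"https", "mailto", "tel"}   # the primer's known-good list; relative/empty hrefs fail too
VOID = {"br"}                                # elements that take no end tag (assumption of this example)
DROP_SUBTREE = {"script", "style"}           # drop the text inside these as well, not just the tags

class AllowlistSanitizer(HTMLParser):
    def __init__(self, allow):
        super().__init__(convert_charrefs=True)
        self.allow, self.out, self.dropping = allow, [], None

    def handle_starttag(self, tag, attrs):
        if self.dropping:                        # inside a removed subtree
            return
        if tag in DROP_SUBTREE:
            self.dropping = tag
        elif tag in self.allow:
            kept = []
            for name, value in attrs:
                if name not in self.allow[tag]:  # onclick, style, data-*, target, ... never pass
                    continue
                if name == "href" and urlparse(value or "").scheme.lower() not in SAFE_SCHEMES:
                    self.dropping = "a"          # not a known-good scheme: remove the whole <a>
                    return
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
        # any other element: its tag is dropped, its text is kept

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif not self.dropping and tag in self.allow and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:                    # text is re-escaped, so "<" never comes through raw
            self.out.append(html.escape(data, quote=False))

def sanitize(markup, allow=SUMMARY_ALLOW):
    p = AllowlistSanitizer(allow)
    p.feed(markup)
    p.close()
    return "".join(p.out)
```

The example deliberately does not repair element nesting; a consumer in production should use a maintained HTML sanitizer library configured with these allowlists, which also balances tags.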