Description
Initial checklist
- I agree to follow the code of conduct
- I searched issues and discussions and couldn’t find anything (or linked relevant results below)
Problem
In my application, I use several custom protocols (e.g., app-action://, internal-route://) to render specialized components like interactive buttons or YouTube iframes within react-markdown.
The Problem
Currently, when attempting to insert a link with a custom protocol, DOMPurify automatically strips them out for security reasons. This prevents our custom renderers from identifying and handling these specific schemas.
I have attempted to resolve this using DOMPurify.setConfig and even tried implementing a custom plugin, but neither approach successfully bypassed the default sanitization behavior in the current setup.
Solution
- allowedProtocols: An array of strings to permit custom URI schemes (such as ['http', 'https', 'my-app']).
- domPurifyConfig: An optional object that allows users to override or extend the default DOMPurify settings (such as ALLOWED_TAGS, ALLOWED_ATTR, ADD_ATTR).
- URL white-blacklist: Control over which domains or patterns are allowed in Markdown links.
Alternatives
There is: using "dummy" links (such as http://internal-trigger...)
But it's suboptimal and poses a potential security risk if those domains ever become active or if the fallback logic fails. We need a native way to allow-list specific protocols or pass a custom configuration directly to the underlying sanitizer.