Can't allow <picture> and <source>

[felixfbecker]

I'm trying to allow the <picture> and <source> elements in a UGCPolicy using this code:

p = bluemonday.UGCPolicy()
p.AllowElements("picture", "source")
p.AllowAttrs("srcset", "src", "type", "media").OnElements("source")
p.Sanitize("<picture><source src=\"b.jpg\" media=\"(prefers-color-scheme: dark)\"></source><img src=\"a.jpg\"></picture>")

But no matter what I do, it seems <picture> element is always stripped in the output:

<source src="b.jpg"></source><img src="a.jpg">

The use case for this is allowing to provide alternative versions of an image – different resolutions or different dark/light theme version. GitHub supports this for example in their Markdown: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#specifying-the-theme-an-image-is-shown-to

Am I doing something wrong?

[buro9]

Thanks for reporting.

The picture element is one of the HTML elements that is permitted even when there are no attributes. However this was not on the allowlist for that, so I've updated that. If you run the latest version it should now work for you.