Project

trust_html

Repository is archived
No commit activity in last 3 years
No release in over 3 years
Make HTML trustworthy for rendering within your web app via Google HTML sanitizers. This is _not_ about stripping HTML but rather about cleaning it of JavaScript (onclick handlers, etc.) as well as CSS.
Dependencies

Development

~> 1.0.0
~> 1.6.4
>= 0

Runtime

>= 0
~> 0.9.3beta1
Project Readme

trust_html

Usage

Pass HTML to TrustHtml.sanitize (the markup contains both single and double quotes, so a %q{} literal is used for the Ruby string):

TrustHtml.sanitize(%q{<div onclick="alert('hi');">Hello world</div><img src="javascript:alert('xss');"/><SCRIPT>alert("xss");</SCRIPT><body background="javascript:alert('xss')">})

=> "<div>Hello world</div><img>"

Configuration

So far you can only customize the methods for processing URLs and DOM IDs found in the HTML you provide. These methods are written in JS and are passed the local variables 'url' and 'id' respectively, so you can decide whether to allow, rewrite or deny each value.

  • TrustHtml::Sanitizer::URL_SANITIZER_METHOD_BODY

  • TrustHtml::Sanitizer::ID_SANITIZER_METHOD_BODY
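As an added example (not code from trust_html or the Google sanitizer), here is a URL policy and a DOM ID policy of the kind those method bodies express, written as stand-alone JavaScript functions. The names urlSanitizer and idSanitizer and the return convention (return the string to allow or rewrite, null to deny) are assumptions; the README only says the bodies receive url and id.

```javascript
// Added example: policies for the 'url' and 'id' values handed to the
// URL/ID sanitizer method bodies. Return convention is an assumption:
// a string allows (possibly rewritten) the value, null drops the attribute.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function urlSanitizer(url) {
  if (typeof url !== 'string') return null;
  // Browsers drop leading/trailing C0 controls and embedded tab/CR/LF before
  // reading the scheme, so "java\tscript:" would still run. Normalise first.
  const cleaned = url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) {
    // No scheme: a relative URL stays on our own origin and is kept.
    // A protocol-relative "//host/..." points off-site, so deny it.
    return cleaned.startsWith('//') ? null : cleaned;
  }
  // Allow-list the scheme; javascript:, data:, vbscript: etc. all fall through.
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? cleaned : null;
}

function idSanitizer(id) {
  if (typeof id !== 'string') return null;
  // Only plain HTML4-style ids, then namespace them so untrusted markup cannot
  // reuse ids the host page relies on (DOM clobbering of getElementById()).
  return /^[A-Za-z][A-Za-z0-9_:.-]*$/.test(id) ? 'trusted-' + id : null;
}
```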

You can also customize further (rewrite attributes, add more complex rules, change whitelists, etc.) by editing html-sanitizer.js and html4-defs.js. If you modify them, you will need to set the following paths:

  • TrustHtml::Sanitizer::HTML_SANITIZER_PATH

  • TrustHtml::Sanitizer::HTML_DEFS_PATH

Copyright © 2011 Cary Dunn. See LICENSE.txt for further details.