Project

whitewash

0.0
No commit activity in last 3 years
No release in over 3 years
This module allows Ruby programs to clean up any HTML document or fragment coming from an untrusted source and to remove all dangerous constructs that could be used for cross-site scripting or request forgery.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

>= 0
>= 0

Runtime

 Project Readme

Whitewash - whitelist-based HTML filter for Ruby¶ ↑

This module allows Ruby programs to clean up any HTML document or fragment coming from an untrusted source and to remove all dangerous constructs that could be used for cross-site scripting or request forgery.

Synopsys¶ ↑

require 'whitewash'

whitewash = Whitewash.new   # use default whitelist.yaml
clean_xhtml = whitewash.sanitize(html)

Summary¶ ↑

All HTML tags, attribute names and values, and CSS properties are filtered through a whitelist that defines which names and what kinds of values are allowed, everything that doesn’t match the whitelist is removed.

The whitelist is provided externally, default whitelist is loaded from the whitelist.yaml shipped with Whitewash. The default is most strict (for example, it does not allow cross-site links to images in IMG tags) and can be considered safe for all uses. If you find that it lets anything exploitable through, please report it as a bug to Whitewash developers.

An alternative whitelist is provided for HTML5 in html5_whitelist.yaml. This whitelist is as much a work in progress as HTML5 standard itself, use at your own risk.

External Dependencies¶ ↑

Whitewash relies on Nokogiri to parse arbitrary HTML and put it back together as valid XHTML:

* http://nokogiri.org/

Copying¶ ↑

Copyright (c) 2002-2011  Dmitry Borodaenko <angdraug@debian.org>

This program is free software.
You can distribute/modify this program under the terms of the GNU
General Public License version 3 or later.