Home > trust_html

trust_html

Trust_html is a project mainly written in JAVASCRIPT and RUBY, based on the MIT license.

Make third-party HTML trustworthy for rendering within your web app via Google HTML sanitizers. This is _not_ about stripping HTML but rather about cleaning it of javascript (onclicks, etc.) as well as CSS.

Download

= trust_html

== Usage Pass HTML to: TrustHtml.sanitize("<div onclick=\"alert('hi';)\">Hello world

<img src=\"javascript:alert('xss');\"/><body background=\"javascript:alert('xss')\">") => "
Hello world
"

== Configuration So far you can only customize the methods for processing URL's and DOM ID's that are in the HTML provided. These methods are in JS and are passed local variables 'url' and 'id' respectively for you to decide whether to allow/rewrite/deny the value.

  • TrustHtml::Sanitizer::URL_SANITIZER_METHOD_BODY
  • TrustHtml::Sanitizer::ID_SANITIZER_METHOD_BODY

You can also customize further (rewrite attributes, more complex rules, change whitelists, etc) by customizing html-sanitizer.js and html4-defs.js. If modified you will need to set the following:

  • TrustHtml::Sanitizer::HTML_SANITIZER_PATH
  • TrustHtml::Sanitizer::HTML_DEFS_PATH

== Copyright

Copyright (c) 2011 Cary Dunn. See LICENSE.txt for further details.

Previous:CSB-life

©2024 OSPHUB.COM