Pass HTML to: TrustHtml.sanitize(“<div onclick="alert(‘hi’;)">Hello world</div><img src="javascript:alert(‘xss’);"/><SCRIPT>alert("xss");</SCRIPT><body background="javascript:alert(‘xss’)">”)
=> "<div>Hello world</div><img>"
So far you can only customize the methods for processing URL’s and DOM ID’s that are in the HTML provided. These methods are in JS and are passed local variables ‘url’ and ‘id’ respectively for you to decide whether to allow/rewrite/deny the value.
-
TrustHtml::Sanitizer::URL_SANITIZER_METHOD_BODY
-
TrustHtml::Sanitizer::ID_SANITIZER_METHOD_BODY
You can also customize further (rewrite attributes, more complex rules, change whitelists, etc) by customizing html-sanitizer.js and html4-defs.js. If modified you will need to set the following:
-
TrustHtml::Sanitizer::HTML_SANITIZER_PATH
-
TrustHtml::Sanitizer::HTML_DEFS_PATH
Copyright © 2011 Cary Dunn. See LICENSE.txt for further details.