Make third-party HTML trustworthy for rendering within your web app via Google HTML sanitizers. This is _not_ about stripping HTML but rather about cleaning it of javascript (onclicks, etc.) as well as CSS.
JavaScript Ruby
Switch branches/tags
Latest commit 8eeb756 Jul 17, 2011 @cdunn cdunn remove notes
Permalink
Failed to load latest commit information.
assets
lib
test
.document
.gitignore
Gemfile
Gemfile.lock
LICENSE.txt
README.rdoc
Rakefile
VERSION
trust_html.gemspec

README.rdoc

trust_html

Usage

Pass HTML to: TrustHtml.sanitize(“<div onclick="alert('hi';)">Hello world</div><img src="javascript:alert('xss');"/><SCRIPT>alert("xss");</SCRIPT><body background="javascript:alert('xss')">”)

=> "<div>Hello world</div><img>"

Configuration

So far you can only customize the methods for processing URL's and DOM ID's that are in the HTML provided. These methods are in JS and are passed local variables 'url' and 'id' respectively for you to decide whether to allow/rewrite/deny the value.

  • TrustHtml::Sanitizer::URL_SANITIZER_METHOD_BODY

  • TrustHtml::Sanitizer::ID_SANITIZER_METHOD_BODY

You can also customize further (rewrite attributes, more complex rules, change whitelists, etc) by customizing html-sanitizer.js and html4-defs.js. If modified you will need to set the following:

  • TrustHtml::Sanitizer::HTML_SANITIZER_PATH

  • TrustHtml::Sanitizer::HTML_DEFS_PATH

Copyright

Copyright © 2011 Cary Dunn. See LICENSE.txt for further details.