Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.
OWASP Java HTML Sanitizer

A fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.

The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations.

This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.


Getting Started includes instructions on how to get started with or without Maven.

You can use prepackaged policies:

```java
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String safeHTML = policy.sanitize(untrustedHTML);
```

or the tests show how to configure your own policy:

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("a")
    .allowUrlProtocols("https")          // only https:// links survive; javascript:, data:, http:// are dropped
    .allowAttributes("href").onElements("a")
    .requireRelNofollowOnLinks()         // rel="nofollow" is added to every surviving link
    .toFactory();
String safeHTML = policy.sanitize(untrustedHTML);
```

or you can write custom policies to do things like changing h1s to divs with a certain class:

```java
import java.util.List;
import org.owasp.html.ElementPolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("p")
    .allowElements(
        new ElementPolicy() {
          // attrs is the attribute list (name, value, name, value, ...) the
          // sanitizer will emit; the returned string is the replacement tag name.
          @Override
          public String apply(String elementName, List<String> attrs) {
            attrs.add("class");
            attrs.add("header-" + elementName);
            return "div";
          }
        }, "h1", "h2", "h3", "h4", "h5", "h6")
    .toFactory();
String safeHTML = policy.sanitize(untrustedHTML);
```

Please note that the elements "a", "font", "img", "input" and "span" need to be explicitly whitelisted using the allowWithoutAttributes() method if you want them to be allowed through the filter when these elements do not include any attributes.
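The following is an added example, not code from the project's README, combining the builder features above into one policy for user comments and showing the effect of the note on `allowWithoutAttributes()`. The host `cdn.example.com`, the class-name pattern and the sample input are assumptions constructed for the demonstration.

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class CommentSanitizerDemo {
  // Value patterns for the attributes we let through (assumed for this example).
  private static final Pattern CLASS_NAMES =
      Pattern.compile("[a-zA-Z0-9_ -]+");
  private static final Pattern TRUSTED_IMAGE =
      Pattern.compile("https://cdn\\.example\\.com/.*");

  static final PolicyFactory COMMENT_POLICY = new HtmlPolicyBuilder()
      .allowElements("a", "img", "span")
      .allowUrlProtocols("https")                   // applies to href and src alike
      .allowAttributes("href").onElements("a")
      .requireRelNofollowOnLinks()
      .allowAttributes("src").matching(TRUSTED_IMAGE).onElements("img")
      .allowAttributes("class").matching(CLASS_NAMES).onElements("span")
      // "a", "img" and "span" are dropped when they end up with no allowed
      // attributes. We want a bare <span> to survive, so it is listed here;
      // an <a> or <img> that loses its URL is still removed.
      .allowWithoutAttributes("span")
      .toFactory()
      .and(Sanitizers.FORMATTING);                  // merge with a prepackaged policy

  public static String sanitizeComment(String untrusted) {
    return COMMENT_POLICY.sanitize(untrusted);
  }

  public static void main(String[] args) {
    // Constructed sample input: benign markup mixed with the kinds of
    // payloads the sanitizer exists to strip. The event handlers, the
    // javascript: link, the http:// image, the <script> element and the
    // <a> left without an href are removed; the https link gains rel="nofollow".
    String untrusted = "<b onmouseover=\"alert(1)\">hi</b>"
        + "<a href=\"javascript:alert(1)\">x</a>"
        + "<a href=\"https://example.org/\">ok</a>"
        + "<img src=\"http://attacker.example/x.png\" onerror=\"alert(1)\">"
        + "<span class=\"note\">plain</span><span>bare</span>"
        + "<script>alert(1)</script>";
    System.out.println(sanitizeComment(untrusted));
  }
}
```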


Subscribe to the mailing list to be notified of known vulnerabilities. If you wish to report a vulnerability, please see AttackReviewGroundRules.


Thanks to everyone who has helped with criticism and code.
