html-stripping-examples

From Microformats Wiki
Revision as of 13:37, 15 September 2013 by TomMorris (talk | contribs) (adding AntiSamy Project)
Jump to navigation Jump to search

This page documents existing library code that strips elements and attributes from HTML for "safe" display of HTML (e.g. for embedding).

jsoup (Java)

Details

  • none – "This whitelist allows only text nodes: all HTML will be stripped."
  • simpleText – "This whitelist allows only simple text formatting: b, em, i, strong, u"
  • basic – "This whitelist allows a fuller range of text nodes: a, b, blockquote, br, cite, code, dd, dl, dt, em, i, li, ol, p, pre, q, small, strike, strong, sub, sup, u, ul, and appropriate attributes."
  • relaxed – "This whitelist allows a full range of text and structural body HTML: a, b, blockquote, br, caption, cite, code, col, colgroup, dd, dl, dt, em, h1, h2, h3, h4, h5, h6, i, img, li, ol, p, pre, q, small, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, u, ul"

Problems: doesn't support new elements defined in HTML5.

AntiSamy Project (Java, .NET)

Homepage, Download page on Google Code

Different profiles can be defined in an XML file. The distribution contains the following sample profiles:

  • "Anything goes" (XML): "If you wanted to allow every single valid HTML and CSS element (but without JavaScript or blatant CSS-related phishing attacks), you can use this policy file."
  • "MySpace" (XML): "Users are allowed to submit pretty much all HTML and CSS they want - as long as it doesn't contain JavaScript. MySpace is currently using a word blacklist to validate users' HTML, which is why they were subject to the infamous Samy worm"
  • "eBay" (XML)
  • "Slashdot" (XML)
  • "TinyMCE" (XML) – matches the client-side validation done by TinyMCE.

See also