html-stripping-examples

(Difference between revisions)

Jump to: navigation, search
(started documenting)
(adding AntiSamy Project)
Line 10: Line 10:
Problems: doesn't support new elements defined in HTML5.
Problems: doesn't support new elements defined in HTML5.
 +
 +
== AntiSamy Project (Java, .NET) ==
 +
[https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project Homepage], [http://code.google.com/p/owaspantisamy/downloads/list Download page on Google Code]
 +
 +
Different profiles can be defined in an XML file. The distribution contains the following sample profiles:
 +
 +
* "Anything goes" ([http://code.google.com/p/owaspantisamy/source/browse/Java/antisamy-sample-configs/src/main/resources/antisamy-anythinggoes.xml XML]): "If you wanted to allow every single valid HTML and CSS element (but without JavaScript or blatant CSS-related phishing attacks), you can use this policy file."
 +
* "MySpace" ([http://code.google.com/p/owaspantisamy/source/browse/Java/antisamy-sample-configs/src/main/resources/antisamy-myspace.xml XML]): "Users are allowed to submit pretty much all HTML and CSS they want - as long as it doesn't contain JavaScript. MySpace is currently using a word blacklist to validate users' HTML, which is why they were subject to the infamous Samy worm"
 +
* "eBay" ([http://code.google.com/p/owaspantisamy/source/browse/Java/antisamy-sample-configs/src/main/resources/antisamy-ebay.xml XML])
 +
* "Slashdot" ([http://code.google.com/p/owaspantisamy/source/browse/Java/antisamy-sample-configs/src/main/resources/antisamy-slashdot.xml XML])
 +
* "TinyMCE" ([http://code.google.com/p/owaspantisamy/source/browse/Java/antisamy-sample-configs/src/main/resources/antisamy-tinymce.xml XML]) – matches the client-side validation done by TinyMCE.
== See also ==
== See also ==
* [https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet XSS Filter Evasion Cheat Sheet]
* [https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet XSS Filter Evasion Cheat Sheet]

Revision as of 13:37, 15 September 2013

This page documents existing library code that strips elements and attributes from HTML for "safe" display of HTML (e.g. for embedding).

jsoup (Java)

Details

Problems: doesn't support new elements defined in HTML5.

AntiSamy Project (Java, .NET)

Homepage, Download page on Google Code

Different profiles can be defined in an XML file. The distribution contains the following sample profiles:

See also

html-stripping-examples was last modified: Wednesday, December 31st, 1969

Views