html-stripping-examples

(Difference between revisions)

Jump to: navigation, search
(adding AntiSamy Project)
(added HTMLPurifier)
Line 21: Line 21:
* "Slashdot" ([http://code.google.com/p/owaspantisamy/source/browse/Java/antisamy-sample-configs/src/main/resources/antisamy-slashdot.xml XML])
* "Slashdot" ([http://code.google.com/p/owaspantisamy/source/browse/Java/antisamy-sample-configs/src/main/resources/antisamy-slashdot.xml XML])
* "TinyMCE" ([http://code.google.com/p/owaspantisamy/source/browse/Java/antisamy-sample-configs/src/main/resources/antisamy-tinymce.xml XML]) – matches the client-side validation done by TinyMCE.
* "TinyMCE" ([http://code.google.com/p/owaspantisamy/source/browse/Java/antisamy-sample-configs/src/main/resources/antisamy-tinymce.xml XML]) – matches the client-side validation done by TinyMCE.
 +
 +
== HTML Purifier (PHP) ==
 +
 +
[http://htmlpurifier.org/ Homepage], [https://github.com/ezyang/htmlpurifier GitHub]
 +
 +
<blockquote>HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.</blockquote>
 +
 +
* Extensively configurable, can do things like selective CSS stripping, rewriting deprecated presentational elements as inline CSS, etc.
== See also ==
== See also ==
* [https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet XSS Filter Evasion Cheat Sheet]
* [https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet XSS Filter Evasion Cheat Sheet]

Revision as of 20:38, 15 September 2013

This page documents existing library code that strips elements and attributes from HTML for "safe" display of HTML (e.g. for embedding).

Contents

jsoup (Java)

Details

Problems: doesn't support new elements defined in HTML5.

AntiSamy Project (Java, .NET)

Homepage, Download page on Google Code

Different profiles can be defined in an XML file. The distribution contains the following sample profiles:

HTML Purifier (PHP)

Homepage, GitHub

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

See also

html-stripping-examples was last modified: Wednesday, December 31st, 1969

Views