Difference between revisions of "html-stripping-examples"

From Microformats Wiki
Jump to navigation Jump to search
(added HTMLPurifier)
(adding django-bleach)
 
Line 29: Line 29:
  
 
* Extensively configurable, can do things like selective CSS stripping, rewriting deprecated presentational elements as inline CSS, etc.
 
* Extensively configurable, can do things like selective CSS stripping, rewriting deprecated presentational elements as inline CSS, etc.
 +
 +
== Django-Bleach (Python/Django) ==
 +
[https://github.com/jsocol/bleach Github repository]
 +
 +
html5lib-based.
 +
 +
* Default allowed tags: <kbd>a</kbd>, <kbd>abbr</kbd>, <kbd>acronym</kbd>, <kbd>b</kbd>, <kbd>blockquote</kbd>, <kbd>code</kbd>, <kbd>em</kbd>, <kbd>i</kbd>, <kbd>li</kbd>, <kbd>ol</kbd>, <kbd>strong</kbd>, <kbd>ul</kbd>
 +
* Default allowed attributes: <kbd>a[@href]</kbd>, <kbd>a[@title]</kbd>, <kbd>abbr[@title]</kbd>, <kbd>acronym[@title]</kbd>
 +
* Default DNS TLDs: ac ad ae aero af ag ai al am an ao aq ar arpa as asia at au aw ax az ba bb bd be bf bg bh bi biz bj bm bn bo br bs bt bv bw by bz ca cat cc cd cf cg ch ci ck cl cm cn co com coop cr cu cv cx cy cz de dj dk dm do dz ec edu ee eg er es et eu fi fj fk fm fo fr ga gb gd ge gf gg gh gi gl gm gn gov gp gq gr gs gt gu gw gy hk hm hn hr ht hu id ie il im in info int io iq ir is it je jm jo jobs jp ke kg kh ki km kn kp kr kw ky kz la lb lc li lk lr ls lt lu lv ly ma mc md me mg mh mil mk ml mm mn mo mobi mp mq mr ms mt mu museum mv mw mx my mz na name nc ne net nf ng ni nl no np nr nu nz om org pa pe pf pg ph pk pl pm pn pr pro ps pt pw py qa re ro rs ru rw sa sb sc sd se sg sh si sj sk sl sm sn so sr st su sv sy sz tc td tel tf tg th tj tk tl tm tn to tp tr travel tt tv tw tz ua ug uk us uy uz va vc ve vg vi vn vu wf ws xn ye yt yu za zm zw
 +
* Also allows for cleaning CSS to match a particular whitelist
 +
* Also does linkifying, SVG property cleanup.
  
 
== See also ==
 
== See also ==
 
* [https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet XSS Filter Evasion Cheat Sheet]
 
* [https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet XSS Filter Evasion Cheat Sheet]

Latest revision as of 21:03, 15 September 2013

This page documents existing library code that strips elements and attributes from HTML for "safe" display of HTML (e.g. for embedding).

jsoup (Java)

Details

  • none – "This whitelist allows only text nodes: all HTML will be stripped."
  • simpleText – "This whitelist allows only simple text formatting: b, em, i, strong, u"
  • basic – "This whitelist allows a fuller range of text nodes: a, b, blockquote, br, cite, code, dd, dl, dt, em, i, li, ol, p, pre, q, small, strike, strong, sub, sup, u, ul, and appropriate attributes."
  • relaxed – "This whitelist allows a full range of text and structural body HTML: a, b, blockquote, br, caption, cite, code, col, colgroup, dd, dl, dt, em, h1, h2, h3, h4, h5, h6, i, img, li, ol, p, pre, q, small, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, u, ul"

Problems: doesn't support new elements defined in HTML5.

AntiSamy Project (Java, .NET)

Homepage, Download page on Google Code

Different profiles can be defined in an XML file. The distribution contains the following sample profiles:

  • "Anything goes" (XML): "If you wanted to allow every single valid HTML and CSS element (but without JavaScript or blatant CSS-related phishing attacks), you can use this policy file."
  • "MySpace" (XML): "Users are allowed to submit pretty much all HTML and CSS they want - as long as it doesn't contain JavaScript. MySpace is currently using a word blacklist to validate users' HTML, which is why they were subject to the infamous Samy worm"
  • "eBay" (XML)
  • "Slashdot" (XML)
  • "TinyMCE" (XML) – matches the client-side validation done by TinyMCE.

HTML Purifier (PHP)

Homepage, GitHub

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

  • Extensively configurable, can do things like selective CSS stripping, rewriting deprecated presentational elements as inline CSS, etc.

Django-Bleach (Python/Django)

Github repository

html5lib-based.

  • Default allowed tags: a, abbr, acronym, b, blockquote, code, em, i, li, ol, strong, ul
  • Default allowed attributes: a[@href], a[@title], abbr[@title], acronym[@title]
  • Default DNS TLDs: ac ad ae aero af ag ai al am an ao aq ar arpa as asia at au aw ax az ba bb bd be bf bg bh bi biz bj bm bn bo br bs bt bv bw by bz ca cat cc cd cf cg ch ci ck cl cm cn co com coop cr cu cv cx cy cz de dj dk dm do dz ec edu ee eg er es et eu fi fj fk fm fo fr ga gb gd ge gf gg gh gi gl gm gn gov gp gq gr gs gt gu gw gy hk hm hn hr ht hu id ie il im in info int io iq ir is it je jm jo jobs jp ke kg kh ki km kn kp kr kw ky kz la lb lc li lk lr ls lt lu lv ly ma mc md me mg mh mil mk ml mm mn mo mobi mp mq mr ms mt mu museum mv mw mx my mz na name nc ne net nf ng ni nl no np nr nu nz om org pa pe pf pg ph pk pl pm pn pr pro ps pt pw py qa re ro rs ru rw sa sb sc sd se sg sh si sj sk sl sm sn so sr st su sv sy sz tc td tel tf tg th tj tk tl tm tn to tp tr travel tt tv tw tz ua ug uk us uy uz va vc ve vg vi vn vu wf ws xn ye yt yu za zm zw
  • Also allows for cleaning CSS to match a particular whitelist
  • Also does linkifying, SVG property cleanup.

See also