trust_html

Usage

Pass HTML to: TrustHtml.sanitize(“<div onclick="alert(‘hi’;)">Hello world</div><img src="javascript:alert(‘xss’);"/><SCRIPT>alert("xss");</SCRIPT><body background="javascript:alert(‘xss’)">”)

=> "<div>Hello world</div><img>"

Configuration

So far you can only customize the methods for processing URL’s and DOM ID’s that are in the HTML provided. These methods are in JS and are passed local variables ‘url’ and ‘id’ respectively for you to decide whether to allow/rewrite/deny the value.

• TrustHtml::Sanitizer::URL_SANITIZER_METHOD_BODY

• TrustHtml::Sanitizer::ID_SANITIZER_METHOD_BODY

You can also customize further (rewrite attributes, more complex rules, change whitelists, etc) by customizing html-sanitizer.js and html4-defs.js. If modified you will need to set the following:

• TrustHtml::Sanitizer::HTML_SANITIZER_PATH

• TrustHtml::Sanitizer::HTML_DEFS_PATH

Copyright

Copyright © 2011 Cary Dunn. See LICENSE.txt for further details.