HTML sanitization
 | This article needs additional citations for verification. (December 2009) |
In data sanitization, HTML sanitization is the process of examining an HTML document and producing a new HTML document that preserves only whatever tags and attributes are designated "safe" and desired. HTML sanitization can be used to protect against attacks such as cross-site scripting (XSS) by sanitizing any HTML code submitted by a user.
Details
Basic tags for changing fonts are often allowed, such as <b>, <i>, <u>, <em>, and <strong> while more advanced tags such as <script>, <object>, <embed>, and <link> are removed or escaped using HTML entities by the sanitization process. Additionally, potentially dangerous attributes, such as onclick and onfocus, are removed in order to prevent malicious code from being injected.
Sanitization is typically performed by using either a whitelist or a blacklist approach. Leaving a safe HTML element off a whitelist is not so serious; it simply means that that feature will not be included post-sanitation. On the other hand, if an unsafe element is left off a blacklist, then the vulnerability will not be sanitized out of the HTML output. An out-of-date blacklist can therefore be dangerous if new, unsafe features have been introduced to the HTML Standard.
Further sanitization can be performed based on rules which specify what operation is to be performed on the subject tags. Typical operations include removal of the tag itself while preserving the content, preserving only the textual content of a tag or forcing certain values on attributes.[1]
Implementations
In PHP, HTML sanitization can be performed using the strip_tags() function at the risk of removing all textual content following an unclosed less-than symbol or angle bracket.[2] The HTML Purifier library is another popular option for PHP applications.[3]
In Java (and .NET), sanitization can be achieved by using the OWASP Java HTML Sanitizer Project.[4]
In .NET, a number of sanitizers use the Html Agility Pack, an HTML parser.[5][6][1] Another library is HtmlSanitizer.[7]
In JavaScript there are "JS-only" sanitizers for the back end, and browser-based[8] implementations that use browser's own Document Object Model (DOM) parser to parse the HTML (for better performance).
References
- ^ a b "HtmlRuleSanitizer". GitHub. 13 August 2021.
- ^ "strip_tags". PHP.NET.
- ^ "HTML Purifier - Filter your HTML the standards-compliant way!". htmlpurifier.org.
- ^ "OWASP Java HTML Sanitizer".
- ^ "HTML Agility Pack - Home". Archived from the original on 2013-01-01. Retrieved 2013-01-04.
- ^ "Whitelist santize with HtmlAgilityPack". 14 June 2011.
- ^ Ganss, Michael (5 December 2023). "HtmlSanitizer". Retrieved 7 December 2023.
- ^ "JS HTML Sanitizer". GitHub. 14 October 2021.
Content Disclaimer
Informasi ini disarikan dari Wikipedia dan disajikan kembali untuk tujuan edukasi. Konten tersedia di bawah lisensi CC BY-SA 3.0. Kami tidak bertanggung jawab atas ketidakakuratan data yang bersumber dari kontribusi publik tersebut.
- The information displayed on this website is sourced in part or in whole from Wikipedia and has been adapted for the purpose of restating it. We strive to provide accurate and relevant information, however:
- There is no guarantee of absolute accuracy. Wikipedia is an open, collaborative project that can be edited by anyone, so information is subject to change.
- It is not intended to constitute professional advice. The content displayed is for informational and educational purposes only. For important decisions (e.g., medical, legal, or financial), please consult a professional.
- Content copyright. Wikipedia is licensed under the Creative Commons Attribution-ShareAlike License (CC BY-SA). This means that content may be reused with appropriate attribution and shared under a similar license.
- Responsible use. Any risk arising from the use of information from this website is entirely the responsibility of the user.