Name: java-html-sanitizer
Owner: OWASP
Description: Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.
Created: 2015-04-27 16:26:27.0
Updated: 2018-05-23 10:02:41.0
Pushed: 2018-03-06 17:04:11.0
Size: 27983
Language: Java
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
A fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations.
This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.
Getting Started includes instructions on how to get started with or without Maven.
You can use prepackaged policies:
cyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
ng safeHTML = policy.sanitize(untrustedHTML);
or the tests show how to configure your own policy:
cyFactory policy = new HtmlPolicyBuilder()
.allowElements("a")
.allowUrlProtocols("https")
.allowAttributes("href").onElements("a")
.requireRelNofollowOnLinks()
.toFactory();
ng safeHTML = policy.sanitize(untrustedHTML);
or you can write
custom policies
to do things like changing h1
s to div
s with a certain class:
cyFactory policy = new HtmlPolicyBuilder()
.allowElements("p")
.allowElements(
new ElementPolicy() {
public String apply(String elementName, List<String> attrs) {
attrs.add("class");
attrs.add("header-" + elementName);
return "div";
}
}, "h1", "h2", "h3", "h4", "h5", "h6")
.toFactory();
ng safeHTML = policy.sanitize(untrustedHTML);
Please note that the elements “a”, “font”, “img”, “input” and “span”
need to be explicitly whitelisted using the allowWithoutAttributes()
method if you want them to be allowed through the filter when these
elements do not include any attributes.
Subscribe to the mailing list to be notified of known Vulnerabilities. If you wish to report a vulnerability, please see AttackReviewGroundRules.