<!--…--> that escape even things that might be an end tag for the corresponding open tag.

http, https, and mailto.

style="<CSS>" to sanitized CSS which allows color, font-size, type-face, and other styling using the default schema; but which does not allow content to escape its clipping context.

style="<CSS>" to sanitized CSS which allows color, font-size, type-face, and other styling using the given schema.

out.

out and that notifies any listener of any dropped tags and attributes.

<p>, <h1>, etc.

</foo> is seen in the input.

</elementName>.

rel attribute values leaking information to the linked site, and prevents the linked page from redirecting your page to a phishing site when opened from a third-party link from your site.

allow.

HtmlPolicyBuilder.allowUrlProtocols(java.lang.String...).

<b>, <i>, etc.

matching(...).

HtmlChangeListener.

HtmlSanitizer.

<img> elements from HTTP, HTTPS, and relative sources.

HtmlStreamRenderer.openDocument() has been called and HtmlStreamRenderer.closeDocument() has not subsequently been called.

allow* calls.

allow* calls to those matching the pattern.

allow* calls to those matching the given predicate.

allow* calls to those supplied.

allow* calls to those supplied.

matching(...).

<foo bar=baz> is seen in the input.

HtmlSanitizer configurable via a flexible HtmlPolicyBuilder.

rel=nofollow to links.

rel="..." to <a href="..."> tags beyond those in HtmlPolicyBuilder.DEFAULT_RELS_ON_TARGETTED_LINKS.

HtmlPolicyBuilder.DEFAULT_RELS_ON_TARGETTED_LINKS from being added to links, and reverses pre

style="..." attributes.

HtmlPolicyBuilder.build(org.owasp.html.HtmlStreamEventReceiver) but can be reused to create many different policies each backed by a different output channel.

Copyright © 2016 OWASP. All rights reserved.
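As an added example (not code from the OWASP Javadoc above), the builder calls these entries describe combined into one policy: common block and inline elements, standard URL protocols, rel=nofollow on links, sanitized inline styling, a reusable factory from toFactory(), and an HtmlChangeListener that records every dropped tag and attribute so the drops can be logged. It assumes org.owasp.html on the classpath; the class names PolicyExample and DropLog and the untrusted input string are constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;

import org.owasp.html.HtmlChangeListener;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class PolicyExample {

    // Listener (name constructed here) that collects what the sanitizer discards,
    // so a defender can log or alert on content that was removed.
    static final class DropLog implements HtmlChangeListener<List<String>> {
        @Override
        public void discardedTag(List<String> ctx, String elementName) {
            ctx.add("dropped tag <" + elementName + ">");
        }

        @Override
        public void discardedAttributes(List<String> ctx, String tagName, String... attributeNames) {
            ctx.add("dropped attributes on <" + tagName + ">: " + String.join(", ", attributeNames));
        }
    }

    // Built once via toFactory(); the PolicyFactory can then sanitize many inputs.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowCommonBlockElements()               // <p>, <h1>, etc.
        .allowCommonInlineFormattingElements()    // <b>, <i>, etc.
        .allowElements("a")
        .allowAttributes("href").onElements("a")
        .allowStandardUrlProtocols()              // http, https, and mailto
        .requireRelNofollowOnLinks()              // adds rel=nofollow to links
        .allowStyling()                           // style="<CSS>" limited to the default schema
        .toFactory();

    public static void main(String[] args) {
        // Constructed untrusted input: event handler, script, javascript: URL, inline CSS.
        String untrusted = "<p onclick=\"steal()\">Hi <b>there</b>"
            + "<script>alert(1)</script>"
            + "<a href=\"javascript:alert(2)\">bad</a> "
            + "<a href=\"https://example.com/\">ok</a>"
            + "<span style=\"color:red\">styled</span></p>";

        // The context object (here a list) is handed back to the listener on each drop.
        List<String> dropped = new ArrayList<>();
        String safe = POLICY.sanitize(untrusted, new DropLog(), dropped);

        System.out.println(safe);
        for (String entry : dropped) {
            System.out.println("  " + entry);
        }
    }
}
```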