1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
= Whitewash - whitelist-based HTML filter for Ruby
This module allows Ruby programs to clean up any HTML document or
fragment coming from an untrusted source and to remove all dangerous
constructs that could be used for cross-site scripting or request
forgery.
== Synopsys
require 'whitewash'
whitewash = Whitewash.new # use default whitelist.yaml
clean_xhtml = whitewash.sanitize(html)
== Summary
All HTML tags, attribute names and values, and CSS properties are
filtered through a whitelist that defines which names and what kinds of
values are allowed, everything that doesn't match the whitelist is
removed.
The whitelist is provided externally, default whitelist is loaded from
the whitelist.yaml shipped with Whitewash. The default is most strict
(for example, it does not allow cross-site links to images in IMG tags)
and can be considered safe for all uses. If you find that it lets
anything exploitable through, please report it as a bug to Whitewash
developers.
An alternative whitelist is provided for HTML5 in html5_whitelist.yaml.
This whitelist is as much a work in progress as HTML5 standard itself,
use at your own risk.
== External Dependencies
Whitewash relies on Nokogiri to parse arbitrary HTML and put it back
together as valid XHTML:
* http://nokogiri.org/
== Copying
Copyright (c) 2002-2011 Dmitry Borodaenko <angdraug@debian.org>
This program is free software.
You can distribute/modify this program under the terms of the GNU
General Public License version 3 or later.
|
