HTML - Escape / Sanitizer

Table of Contents

HTML - Escape / Sanitizer

About

A sanitizer is a program that will:

not accept all HTML elements
and or transform them as text (escape)

This is to avoid script injection and should be used on the server side (ie not client) to validate/transform all inputs.

Articles Related

Example of sanitizing

Description

From

To

Delete the onerror event handler

<img src=x onerror=alert(1)//>

<img src="x">

Delete the onload and makes the svg XHTML conform

<svg><g/onload=alert(2)//<p>

<svg><g></g></svg>

Delete the iframe

<p>abc<iframe//src=jAva&Tab;script:alert(3)>def</p>

<p>abc</p>

Delete the script node

<math><mi//xlink:href="data:x,<script>alert(4)</script>">

<math><mi></mi></math>

Make the HTML conform

<TABLE><tr><td>HELLO</tr></TABL>
<UL><li><A HREF=//google.com>click</UL>

<table><tbody><tr><td>HELLO</td></tr></tbody></table>
<ul><li><a href="//google.com">click</a></li></ul>

Usage

The input of a form application such as an editor
The input of a web service call.

Library

Data (State)
Data (State)
DataBase
Data Processing
Data Quality
Data Structure
Data Type
Data Warehouse
Data Visualization
Data Partition
Data Persistence
Data Concurrency

Data Science
Data Analysis
Statistics
Data Science
Linear Algebra Mathematics
Trigonometry

Modeling
Process
Logical Data Modeling
Relational Modeling
Dimensional Modeling
Automata

Data Type
Number
Time
Text
Collection
Relation (Table)
Cube
Tree
Key/Value
Graph
Spatial
Color
Log

Measure Levels
Order
Nominal
Discrete
Distance
Ratio

Code
Compiler
Lexical Parser
Grammar
Function
Testing
Debugging
Shipping
Data Type
Versioning
Design Pattern

Infrastructure
Operating System
Cryptography
Security
File System
Network
Process (Thread)
Computer
PerfCounter
Infra As Code

Marketing
Advertising
Analytics
Email

Web
Html
Dom
Http
Url
Css
Javascript
Selector
Browser
Web Services
OAuth

Contact
[email protected]
Privacy Policy
Status

Powered by ComboStrap