HTML - Escape / Sanitizer

About

A sanitizer is a program that will:

Its purpose is to prevent script injection (XSS). It should run on the server side (not in the client, where it can be bypassed) and validate or transform every untrusted input before that input is rendered.

Example of sanitizing

Delete the onerror handler
From: <img src=x onerror=alert(1)//>
To:   <img src="x">

Delete the onload handler and make the SVG XHTML-conformant
From: <svg><g/onload=alert(2)//<p>
To:   <svg><g></g></svg>

Delete the iframe
From: <p>abc<iframe//src=jAva&Tab;script:alert(3)>def</p>
To:   <p>abc</p>

Delete the script node
From: <math><mi//xlink:href="data:x,<script>alert(4)</script>">
To:   <math><mi></mi></math>

Make the HTML conform
From: <TABLE><tr><td>HELLO</tr></TABL>
      <UL><li><A HREF=//google.com>click</UL>
To:   <table><tbody><tr><td>HELLO</td></tr></tbody></table>
      <ul><li><a href="//google.com">click</a></li></ul>
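The following is an added example, not code from the original page or from any library it refers to. It is a small allowlist-based sanitizer built on Python's standard-library HTMLParser that reproduces the transformations in the table above: event-handler attributes (onerror, onload) and unknown attributes such as xlink:href are dropped, iframe and script nodes are removed together with their content, URL attributes are rejected when their scheme is not on an allowlist (after removing the whitespace and control characters that a browser would ignore, which defeats the jAva&Tab;script trick), and the output is always well-formed with every tag closed. The allowlists (ALLOWED_TAGS, DROP_WITH_CONTENT, SAFE_SCHEMES) are assumptions chosen for this example. It does not implement the full HTML5 tree-construction algorithm, so it does not insert the implied <tbody> shown in the last row.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist (assumption for this example): element -> attributes that survive.
ALLOWED_TAGS = {
    "a": {"href", "title"}, "img": {"src", "alt"},
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
    "table": set(), "tbody": set(), "tr": set(), "td": set(), "th": set(),
    "svg": set(), "g": set(), "math": set(), "mi": set(),
}
VOID_TAGS = {"img", "br"}
# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "template"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value):
    """Accept relative URLs and URLs whose scheme is allowlisted.

    Browsers ignore ASCII whitespace/control characters inside a scheme
    ("jAva<TAB>script:" still runs), so strip them before checking.
    Anything with a colon before a slash-free scheme that is not allowlisted
    is rejected; this is deliberately conservative.
    """
    cleaned = _CONTROL_OR_SPACE.sub("", value)
    scheme, sep, _ = cleaned.partition(":")
    if not sep:
        return True  # no scheme: relative URL
    return scheme.lower() in SAFE_SCHEMES


class _Node:
    def __init__(self, tag, attrs):
        self.tag, self.attrs, self.children = tag, attrs, []


class Sanitizer(HTMLParser):
    """Builds a tree of allowed elements only; everything else is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = _Node(None, [])
        self.stack = [self.root]      # open allowed elements
        self.drop_stack = []          # open elements whose subtree is dropped

    def _clean_attrs(self, tag, attrs):
        out = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops on* handlers, style, xlink:href, ...
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue  # drops javascript:, data:, vbscript: ... URLs
            out.append((name, value))
        return out

    def handle_starttag(self, tag, attrs):
        if self.drop_stack:
            if tag in DROP_WITH_CONTENT:
                self.drop_stack.append(tag)  # nested dropped element
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: tag is unwrapped, its text is kept
        node = _Node(tag, self._clean_attrs(tag, attrs))
        self.stack[-1].children.append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)

    def handle_endtag(self, tag):
        if self.drop_stack:
            if tag == self.drop_stack[-1]:
                self.drop_stack.pop()
            return
        # Close the nearest open element with this name (and anything left
        # open inside it, e.g. the <td> when only </tr> is present).
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                return
        # Unmatched end tag (e.g. </TABL>): ignored.

    def handle_data(self, data):
        if not self.drop_stack:
            self.stack[-1].children.append(data)


def _serialize(node):
    parts = []
    for child in node.children:
        if isinstance(child, str):
            parts.append(html.escape(child, quote=False))
            continue
        attrs = "".join(' %s="%s"' % (n, html.escape(v, quote=True)) for n, v in child.attrs)
        parts.append("<%s%s>" % (child.tag, attrs))
        if child.tag not in VOID_TAGS:
            parts.append(_serialize(child) + "</%s>" % child.tag)
    return "".join(parts)


def sanitize(fragment):
    """Return a well-formed, allowlisted HTML fragment for untrusted input."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return _serialize(parser.root)


if __name__ == "__main__":
    for src in ['<img src=x onerror=alert(1)//>', '<svg><g/onload=alert(2)//<p>',
                '<p>abc<iframe//src=jAva&Tab;script:alert(3)>def</p>',
                '<UL><li><A HREF=//google.com>click</UL>']:
        print(repr(src), "->", repr(sanitize(src)))
```

Note that an allowlisted href is still only checked for its scheme: the protocol-relative "//google.com" in the last row survives, so a sanitizer removes script execution but does not by itself decide whether off-site links are acceptable; that is a separate policy. Text content is always escaped on output, so a "<" that arrived inside a text node cannot become a tag later.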

Usage

Library
