About
A sanitizer is a program that will:
- not accept all HTML elements (it keeps only an allowed subset and removes or transforms the rest)
This is done to avoid script injection and should be applied on the server side (i.e. not on the client) to validate/transform all inputs.
Example of sanitizing
| Description | From | To |
|---|---|---|
| Delete the script node | `<math><mi//xlink:href="data:x,<script>alert(4)</script>">` | `<math><mi></mi></math>` |
| Make the HTML conform | `<TABLE><tr><td>HELLO</tr></TABL>` | `<table><tbody><tr><td>HELLO</td></tr></tbody></table>` |
| Make the HTML conform | `<UL><li><A HREF=//google.com>click</UL>` | `<ul><li><a href="//google.com">click</a></li></ul>` |
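A small allow-list sanitizer, added here as an illustration (it is not code from this page or from any particular sanitizer library), that reproduces the three rows above: it drops `script` subtrees and unsafe `href` schemes, keeps only allow-listed elements and attributes, and re-emits them as lowercase, well-formed HTML, closing tags the input left open and inserting the implied `tbody` as a browser would. The `Sanitizer` class, the `sanitize()` function and the contents of the allow-lists are my own choices, not something the page prescribes.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list: element -> attributes it may keep. Anything not listed is removed.
ALLOWED = {**dict.fromkeys("p b i ul ol li table tbody tr td th math mi mn mo".split(), frozenset()),
           "a": {"href", "title"}}
DROP_SUBTREE = {"script", "style", "iframe", "object", "embed"}  # tag AND its content go
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL, e.g. //google.com

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped below
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        self.skip += tag in DROP_SUBTREE  # entering a dropped subtree (bool counts as 1)
        if self.skip or tag not in ALLOWED:
            return  # unknown element: drop the tag itself but keep its text
        if tag == "tr" and self.stack[-1:] == ["table"]:
            self.emit_open("tbody", [])  # browsers imply <tbody>; mirror that
        self.emit_open(tag, attrs)

    def emit_open(self, tag, attrs):
        kept = ['%s="%s"' % (n, html.escape(v, quote=True)) for n, v in attrs
                if n in ALLOWED[tag] and v is not None
                and (n != "href" or urlsplit(v).scheme in SAFE_SCHEMES)]  # no javascript:/data:
        self.out.append("<%s>" % " ".join([tag] + kept))
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_SUBTREE:
            self.skip = max(self.skip - 1, 0)
        elif not self.skip and tag in self.stack:  # a stray </TABL> is simply ignored
            while self.stack:  # closes anything still open inside it, e.g. </td>
                top = self.stack.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def sanitize(fragment):
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    # close whatever the input left open, innermost first
    return "".join(p.out + ["</%s>" % t for t in reversed(p.stack)])
```

The allow-lists are deliberately small; a production system should use a maintained sanitizer library and, as the page says, run it on the server side.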
Usage
- The input of a form application such as an editor
- The input of a web service call.