Content deleted Content added
Expanded on allowed tags, introduced blacklists and whitelists, added examples of sanitization libraries |
making a reference look tidier. |
||
Line 7:
Sanitization is typically performed by using either a [[whitelist]] or a [[Blacklist (computing)|blacklist]] approach. An item left off a whitelist, makes the sanitization produce HTML code that lacks safe elements. If an item is left off a blacklist, a vulnerability will be present in the sanitized HTML output. New unsafe HTML features, introduced after a blacklist has been defined, causes the blacklist to become out of date.
In [[PHP]], HTML sanitization can be performed using the <code>strip_tags()</code> or <code>htmlspecialchars()</code> functions.<ref>http://www.php.net/strip_tags</ref><ref>{{cite web|url=http://php.net/manual/en/function.htmlspecialchars.php|title=htmlspecialchars|publisher=PHP.NET}}</ref> The HTML Purifier library is another popular option for PHP applications.<ref>http://www.htmlpurifier.org</ref>
In [[Java (programming language)|Java]] (and [[.NET Framework|.NET]]), sanitization can be achieved by using the [[OWASP]] Java HTML Sanitizer Project.<ref>https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project</ref>
| |||