HTML sanitization: Difference between revisions

Split article in general description and implementations, elaborated on the process.
Clean up, typo(s) fixed: Futher → Further using AWB
'''HTML sanitization''' is the process of examining an HTML document and producing a new HTML document that preserves only whatever tags are designated "safe" and desired. HTML sanitization can be used to protect against [[cross-site scripting|cross-site scripting (XSS)]] attacks by sanitizing any HTML code submitted by a user.
 
Basic tags for changing fonts are often allowed, such as <code>&lt;b&gt;</code>, <code>&lt;i&gt;</code>, <code>&lt;u&gt;</code>, <code>&lt;em&gt;</code>, and <code>&lt;strong&gt;</code>, while more advanced tags such as <code>&lt;script&gt;</code>, <code>&lt;object&gt;</code>, <code>&lt;embed&gt;</code>, and <code>&lt;link&gt;</code> are removed by the sanitization process. Potentially dangerous attributes, such as the <code>onclick</code> attribute, are also removed in order to prevent malicious code from being injected.
 
Sanitization is typically performed using either a [[whitelist]] or a [[Blacklist (computing)|blacklist]] approach. An item left off a whitelist causes the sanitizer to produce HTML that lacks a safe element; an item left off a blacklist leaves a vulnerability in the sanitized HTML output. New unsafe HTML features, introduced after a blacklist has been defined, cause the blacklist to become out of date.
 
Further sanitization can be performed based on rules which specify what operation is to be performed on the subject tags. Typical operations include removal of the tag itself while preserving the content, preserving only the textual content of a tag, or forcing certain values on attributes.<ref>https://github.com/Vereyon/HtmlRuleSanitizer</ref>
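A minimal whitelist sanitizer of the kind described above, added here as an example and not code from this article or from any of the implementations it lists. It keeps only the basic formatting tags plus <code>&lt;a href&gt;</code>, removes <code>on*</code> attributes and non-whitelisted tags while keeping their content, drops <code>&lt;script&gt;</code>/<code>&lt;style&gt;</code> together with their content, and applies a forcing rule (<code>rel="nofollow"</code>) of the sort the last paragraph mentions; the policy tables and the URL scheme list are assumed values chosen for the example.

```python
from html import escape
from html.parser import HTMLParser
# Constructed policy (assumed, not from the article): whitelisted tags with the
# attributes each may keep, tags whose content is discarded, forced values.
ALLOWED = {"b": set(), "i": set(), "u": set(), "em": set(), "strong": set(), "a": {"href"}}
DROP_CONTENT = {"script", "style"}          # tag AND its text are removed
FORCED_ATTRS = {"a": {"rel": "nofollow"}}   # rule: force attribute values
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):   # tag/attr names arrive lowercased
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return                           # unwrap: keep content, drop tag
        kept = {}
        for name, value in attrs:
            # event handlers (on*) and non-whitelisted attributes are removed
            if name.startswith("on") or name not in ALLOWED[tag]:
                continue
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue                     # blocks javascript:/data: URLs
            kept[name] = value or ""
        kept.update(FORCED_ATTRS.get(tag, {}))
        attr_text = "".join(f' {k}="{escape(v)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.stack:
            while (t := self.stack.pop()) != tag:  # close tags left open inside
                self.out.append(f"</{t}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):             # comments/declarations are dropped
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped

def sanitize(html):
    p = WhitelistSanitizer()
    p.feed(html)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.stack))  # close unterminated tags
    return "".join(p.out)
```

Because the output is rebuilt from parse events rather than patched with regular expressions, malformed or mismatched markup in the input cannot leak through unchanged.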
 
== Implementations ==