Revision as of 00:36, 16 March 2013 edit 1.164.210.15 (talk) No edit summary ← Previous edit		Revision as of 12:51, 23 May 2013 edit undo Tamzin (talk \| contribs) Edit filter managers, Autopatrolled, Administrators 74,685 edits m <code> on HTML tags Next edit →
Line 2: '''HTML sanitization''' is the process of examining an HTML document and producing a new HTML document that preserves only whatever tags are designated "safe". HTML sanitization can be used to protect against [[cross-site scripting\|cross-site scripting (XSS)]] attacks by sanitizing any HTML code submitted by a user. Basic tags for changing fonts are often allowed, such as <~~nowiki~~code><<b>></~~nowiki~~code>, <~~nowiki~~code><<i>></~~nowiki~~code>, <~~nowiki~~code><<u>></~~nowiki~~code>, <~~nowiki~~code><<em>></~~nowiki~~code>, and <~~nowiki~~code><<strong>></~~nowiki~~code> while more advanced tags such as <~~nowiki~~code><<script>></~~nowiki~~code>, <~~nowiki~~code><<object>></~~nowiki~~code>, <~~nowiki~~code><<embed>></~~nowiki~~code>, and <~~nowiki~~code><<link>></~~nowiki~~code> are removed by the sanitization process. Sanitization is typically performed by using either a [[whitelist]] or a [[Blacklist (computing)\|blacklist]] approach. An item left off a whitelist, makes the sanitization produce HTML code that lacks safe elements. If an item is left off a blacklist, a vulnerability will be present in the sanitized HTML output. New unsafe HTML features, introduced after a blacklist has been defined, causes the blacklist to become out of date.

HTML sanitization: Difference between revisions