Revision as of 23:32, 30 September 2015 edit Yamaguchi先生 (talk \| contribs) Autopatrolled, Administrators 115,641 edits Clean up, typo(s) fixed: Futher → Further using AWB ← Previous edit		Revision as of 19:18, 22 August 2017 edit undo 128.187.112.6 (talk) Clarifying risks of a blacklist over a whitelist Next edit →
Line 4: Basic tags for changing fonts are often allowed, such as <code><b></code>, <code><i></code>, <code><u></code>, <code><em></code>, and <code><strong></code> while more advanced tags such as <code><script></code>, <code><object></code>, <code><embed></code>, and <code><link></code> are removed by the sanitization process. Also potentially dangerous attributes such as the <code>onclick</code> attribute are removed in order to prevent malicious code from being injected. Sanitization is typically performed by using either a [[whitelist]] or a [[Blacklist (computing)\|blacklist]] approach. AnLeaving ~~item~~a ~~left~~safe HTML element off a whitelist, ~~makes~~is ~~the~~not ~~sanitization~~so ~~produce~~serious; ~~HTML~~it ~~code~~simply means that ~~lacks~~that ~~safe~~feature ~~elements~~will not be included post-sanitation. IfOn the other hand, if an ~~item~~unsafe element is left off a blacklist, athen the vulnerability will not be ~~present~~sanitized inout ~~the~~of ~~sanitized~~the HTML output. ~~New~~An ~~unsafe~~out-of-date ~~HTML~~blacklist ~~features,~~can ~~introduced~~therefore ~~after~~be adangerous ~~blacklist~~if ~~has~~new, ~~been~~unsafe ~~defined,~~features ~~causes~~have ~~the~~been ~~blacklist~~introduced to ~~become~~the ~~out~~HTML ~~of date~~Standard. Further sanitization can be performed based on rules which specify what operation is to be performed on the subject tags. Typical operations include removal of the tag itself while preserving the content, preserving only the textual content of a tag or forcing certain values on attributes.<ref>https://github.com/Vereyon/HtmlRuleSanitizer</ref>

HTML sanitization: Difference between revisions