goog.labs.html.Sanitizer
Allows `<element attr="...">` in the sanitized output when element is in elementNames and attr is in attrNames.
If specified, opt_valueXform is a function that takes the HTML-entity-decoded attribute value, and can choose to disallow the attribute by returning null, or substitute a new value by returning a string with the new value.
Arguments:
Adds the element names to the white-list of elements that are allowed in the safe HTML output.
Allowing elements does not, by itself, allow any attributes on those elements.
Arguments:
Yields a string of safe HTML that contains all and only the safe text-nodes and elements in the input.
For the purposes of this function, "safe" is defined thus:
Maps element names to true so the scrubber does not have to do own-property checks for every tag filtered.
Built lazily and invalidated when the white-list is modified.
Maps the lower-case names of allowed elements to attribute white-lists.
An attribute white-list maps lower-case attribute names to functions from values to values, or undefined to disallow.
The special element name "*" contains a white-list of attributes allowed on any tag, which is useful for attributes like title and id which are widely available with element-agnostic meanings.
It should not be used for attributes like type whose meaning differs based on the element on which it appears, e.g. `<input type=text>` vs `<style type=text/css>`.
Chains attribute rewriters.
Arguments:
Returns: goog.labs.html.AttributeRewriter
a function that returns g(f(x)), or null if f(x) is null.
Applied automatically to URL attributes to check that they are safe as per SafeUrl.
Arguments:
Returns: goog.html.SafeUrl | null
a URL that is equivalent to the input, or null if the input is not a safe URL.
A new object that is as blank as possible.
Using Object.create to create an object with no prototype speeds up white-list access, since there are fewer prototypes to fall back to in the common case where an element is not in the white-list, and reduces the chance of confusing a member of Object.prototype with a white-list entry.
Given an attribute name, returns a value rewriter that enforces some minimal safety properties.
For URL attributes, it checks that any protocol is on a safe set that doesn't allow script execution. It also blanket-disallows CSS and event handler attributes.
Arguments:
Returns: goog.labs.html.AttributeRewriter
No description.
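The white-list layout, rewriter chaining and URL check described above, as an added example that models them in plain JavaScript (it is not Closure Library code). It assumes a simplified scheme check in place of goog.html.SafeUrl, and uses `blankObject`, `chain`, `makeWhitelist` and `rewriteAttribute` as hypothetical names:

```javascript
// Added example (not Closure Library code): a minimal model of the
// Sanitizer's attribute white-list, rewriter chaining and URL checking.

// Object.create(null): no prototype, so a lookup for an unlisted name
// cannot hit Object.prototype members such as "constructor".
function blankObject() { return Object.create(null); }

// Rewriters take the entity-decoded value; null means "drop the attribute".
// Simplified stand-in for goog.html.SafeUrl (assumption): allow only a small
// set of schemes that cannot execute script. Scheme-less URLs pass through.
function safeUrlRewriter(value) {
  var m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(value);
  if (!m) return value;
  return /^(https?|mailto|ftp)$/i.test(m[1]) ? value : null;
}

// chain(f, g): g(f(x)), or null when f(x) is already null.
function chain(f, g) {
  return function (x) {
    var y = f(x);
    return y === null ? null : g(y);
  };
}

// White-list: element name -> (attribute name -> rewriter). "*" holds
// element-agnostic attributes such as id; keys are lower-case ASCII.
function makeWhitelist() {
  var wl = blankObject();
  wl['*'] = blankObject();
  wl['*']['id'] = function (v) { return v; };
  wl['a'] = blankObject();
  wl['a']['href'] = chain(safeUrlRewriter, function (v) { return v.trim(); });
  return wl;
}

// Element-specific entry first, then the "*" entry; null drops the attribute.
function rewriteAttribute(wl, element, attr, value) {
  var perElement = wl[element.toLowerCase()];
  var rewriter = (perElement && perElement[attr.toLowerCase()]) ||
                 (wl['*'] && wl['*'][attr.toLowerCase()]);
  return rewriter ? rewriter(value) : null;
}
```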
No description.
Arguments:
Returns: null
No description.
HTML element and attribute names may be almost arbitrary strings, but the sanitizer is more restrictive as to what can be white-listed.
Since HTML is case-insensitive, only lower-case identifiers composed of ASCII letters, digits, and select punctuation are allowed.
No description.
Arguments:
Returns: goog.labs.html.AttributeValue
No description.