labs.html.Sanitizer
A sanitizer that converts untrusted, messy HTML into more regular HTML that cannot abuse high-authority constructs like the ability to execute arbitrary JavaScript.

Constructor

goog.labs.html.Sanitizer()

Instance Methods

allowAttributes(elementNames, attrNames, opt_rewriteValue) !goog.labs.html.Sanitizer
Allows <element attr="..."> in the sanitized output when element is in elementNames and attr is in attrNames. If specified, opt_rewriteValue is a function that takes the HTML-entity-decoded attribute value and can either disallow the attribute by returning null or substitute a new value by returning a string.
Arguments:
elementNames : !Array.<string> | string
names (or name) on which the attributes are allowed. Element names should be allowed via allowElements(...) prior to white-listing attributes. The special element name "*" has the same meaning as in CSS selectors: it can be used to white-list attributes like title and id which are widely available with element-agnostic meanings. It should not be used for attributes like type whose meaning differs based on the element on which it appears: e.g. <input type=text> vs <style type=text/css>.
attrNames : !Array.<string> | string
names (or name) of the attribute that should be allowed.
opt_rewriteValue : goog.labs.html.AttributeRewriter=
A function that receives the HTML-entity-decoded attribute value and can return null to disallow the attribute entirely or the value for the attribute as a string.

The default is the identity function (function(x){return x}), and the value rewriter is composed with an attribute-specific handler that runs first; a value the handler rejects never reaches the rewriter, so a custom rewriter cannot re-admit it:

href, src: Requires that the value be an absolute URL with a protocol in (http, https, mailto) or a protocol-relative URL.

Returns: !goog.labs.html.Sanitizer  this.
allowElements(var_args) !goog.labs.html.Sanitizer
Adds the element names to the white-list of elements that are allowed in the safe HTML output.

Allowing elements does not, by itself, allow any attributes on those elements.

Arguments:
var_args : ...!string
element names that should be allowed in the safe HTML output.
Returns: !goog.labs.html.Sanitizer  this.
sanitize(unsafeHtml) !string
Yields a string of safe HTML that contains all and only the safe text-nodes and elements in the input.

For the purposes of this function, "safe" is defined thus:

  • Contains only elements explicitly allowed via this.allow*.
  • Contains only attributes explicitly allowed via this.allow* and having had all relevant transformations applied.
  • Contains an end tag for all and only non-void open tags.
  • Tags nest per XHTML rules.
  • Tags do not nest beyond a finite but fairly large level.

Arguments:
unsafeHtml : !string
A string of HTML which need not originate with a trusted source.
Returns: !string  A string of HTML that contains only tags and attributes explicitly allowed by this sanitizer, and with end tags for all and only non-void elements.

Instance Properties

allowedElementSet_ :
Maps element names to true so the scrubber does not have to do own-property checks for every tag filtered. Built lazily and invalidated when the white-list is modified.
whitelist_ :
Maps the lower-case names of allowed elements to attribute white-lists. An attribute white-list maps lower-case attribute names to functions from values to values or undefined to disallow. The special element name "*" contains a white-list of attributes allowed on any tag, which is useful for attributes like title and id which are widely available with element-agnostic meanings. It should not be used for attributes like type whose meaning differs based on the element on which it appears: e.g. <input type=text> vs <style type=text/css>.

Static Methods

goog.labs.html.Sanitizer.chain_(f, g) goog.labs.html.AttributeRewriter
Chains attribute rewriters.
Arguments:
f : goog.labs.html.AttributeRewriter
No description.
g : goog.labs.html.AttributeRewriter
No description.
Returns: goog.labs.html.AttributeRewriter  a function that returns g(f(x)), or null if f(x) is null (g is not called in that case).
goog.labs.html.Sanitizer.checkUrl_(attrValue) goog.html.SafeUrl  |  null
Applied automatically to URL attributes to check that they are safe as per SafeUrl.
Arguments:
attrValue : goog.labs.html.AttributeValue
a decoded attribute value.
Returns: goog.html.SafeUrl  |  null  a URL that is equivalent to the input or null if the input is not a safe URL.
goog.labs.html.Sanitizer.createBlankObject_() !Object.<string,?>
A new object that is as blank as possible. Using Object.create to create an object with no prototype speeds up white-list access, since there are fewer prototypes to fall back to in the common case where an element is not in the white-list, and removes the chance of confusing a member of Object.prototype (such as "constructor" or "toString") with a white-list entry.
Returns: !Object.<string,?>  a reference to a newly allocated object that does not alias any reference that existed prior.
goog.labs.html.Sanitizer.defaultRewriterForAttr_(attrName) goog.labs.html.AttributeRewriter
Given an attribute name, returns a value rewriter that enforces some minimal safety properties.

For URL attributes, it checks that any protocol is in a safe set that does not allow script execution.

It also blanket disallows CSS and event handler attributes.

Arguments:
attrName : string
lower-cased attribute name.
Returns: goog.labs.html.AttributeRewriter  No description.
goog.labs.html.Sanitizer.disallow_(x) null
An attribute rewriter that disallows every value: it ignores its argument and returns null, so the attribute is dropped.
Arguments:
x : goog.labs.html.AttributeValue
No description.
Returns: null  No description.
goog.labs.html.Sanitizer.isValidHtmlName_(name) boolean
HTML element and attribute names may be almost arbitrary strings, but the sanitizer is more restrictive as to what can be white-listed. Since HTML is case-insensitive, only lower-case identifiers composed of ASCII letters, digits, and select punctuation are allowed.
Arguments:
name : string
No description.
Returns: boolean  true iff name is a valid white-list key.
goog.labs.html.Sanitizer.valueIdentity_(x) goog.labs.html.AttributeValue
The identity attribute rewriter: returns its argument unchanged. Used as the default value rewriter by allowAttributes.
Arguments:
x : goog.labs.html.AttributeValue
No description.
Returns: goog.labs.html.AttributeValue  No description.
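The attribute white-list and rewriter pipeline described under allowAttributes, chain_, checkUrl_, createBlankObject_, defaultRewriterForAttr_ and isValidHtmlName_, modelled as an added example. This is not Closure Library code and none of the names below are goog.labs.html.* APIs; it is a stand-alone Node.js model of the behaviour this page documents. Two points are assumptions beyond the page: the URL check trims C0 controls and drops tab/LF/CR before matching the scheme (as browsers do), and valid white-list keys are taken to be lower-case ASCII letters, digits and "-", since the page does not list the exact punctuation accepted.

```javascript
// Added example, not Closure Library code: a stand-alone model of the
// attribute white-list and rewriter pipeline described on this page.
// All names are illustrative (not goog.labs.html.* APIs); runs under Node.js.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Rewriters receive the entity-decoded value, so decode first. This model
// handles numeric entities and the five basic named ones.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const ch = NAMED_ENTITIES[body.toLowerCase()];
    return ch === undefined ? m : ch;
  });
}

// Model of checkUrl_: keep absolute URLs with an http/https/mailto scheme and
// protocol-relative URLs; refuse everything else (javascript:, data:,
// vbscript:, and, as this page states, scheme-less relative URLs).
// Assumption beyond the page: trim leading/trailing C0 controls and drop
// tab/LF/CR anywhere, as browsers do, so "java\tscript:" cannot slip past.
function checkUrl(value) {
  const v = String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  if (v.startsWith('//')) return v;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return m && SAFE_SCHEMES.has(m[1].toLowerCase()) ? v : null;
}

const valueIdentity = (x) => x; // model of valueIdentity_
const disallow = () => null;    // model of disallow_

// Model of chain_: g(f(x)), where null from f is final and never reaches g.
function chain(f, g) {
  return (x) => { const y = f(x); return y === null ? null : g(y); };
}

// Model of defaultRewriterForAttr_: URL attributes get the scheme check,
// CSS and event-handler attributes are refused outright, the rest pass.
function defaultRewriterForAttr(attrName) {
  if (attrName === 'href' || attrName === 'src') return checkUrl;
  if (attrName === 'style' || attrName.startsWith('on')) return disallow;
  return valueIdentity;
}

// Model of isValidHtmlName_ (assumption: lower-case ASCII letters, digits, "-").
const VALID_NAME = /^[a-z][a-z0-9-]*$/;
function checkName(name) {
  if (name !== '*' && !VALID_NAME.test(name)) throw new Error('invalid white-list key: ' + name);
  return name;
}

function makeSanitizerModel() {
  // Prototype-less maps (createBlankObject_): "constructor", "__proto__" or
  // "toString" used as an element or attribute name find nothing here.
  const elements = Object.create(null);  // models allowedElementSet_
  const whitelist = Object.create(null); // models whitelist_: element -> attr -> rewriter
  const api = {
    allowElements(...names) {
      for (const n of names) elements[checkName(n)] = true;
      return api;
    },
    allowAttributes(elementNames, attrNames, rewrite = valueIdentity) {
      for (const el of [].concat(elementNames)) {
        const entry = whitelist[checkName(el)] || (whitelist[el] = Object.create(null));
        for (const attr of [].concat(attrNames)) {
          // The caller's rewriter only sees values the default handler accepted.
          entry[checkName(attr)] = chain(defaultRewriterForAttr(attr), rewrite);
        }
      }
      return api;
    },
    isAllowedElement(el) { return elements[el] === true; },
    // Value to emit for <el attr="rawValue">, or null to drop the attribute.
    rewriteAttribute(el, attr, rawValue) {
      if (!api.isAllowedElement(el)) return null;
      const own = whitelist[el], star = whitelist['*'];
      const rewriter = (own && own[attr]) || (star && star[attr]);
      return rewriter ? rewriter(decodeEntities(rawValue)) : null;
    },
  };
  return api;
}

// Constructed usage: a link/image policy with per-attribute rewriters.
const sanitizer = makeSanitizerModel()
  .allowElements('a', 'img', 'p')
  .allowAttributes('*', ['title', 'id'])
  .allowAttributes('a', 'href', (v) => (v.includes('?') ? v : v + '?ref=sanitized'))
  .allowAttributes('img', 'src', (v) => (v.startsWith('https://cdn.example/') ? v : null));
```

With this policy, rewriteAttribute('a', 'href', 'javascript:alert(1)') and the entity-encoded form '&#106;avascript:alert(1)' both return null before the custom href rewriter runs, while 'https://example.com/' comes back with the ?ref= suffix appended; allowing onclick on p via allowAttributes still yields null because the default handler for event-handler attributes is disallow. Lookups for "constructor" or "__proto__" as element or attribute names fail closed because the maps have no prototype.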
