sanitizer.js
No description.

File Location

/goog/labs/html/sanitizer.js

Classes

goog.labs.html.Sanitizer
A sanitizer that converts untrusted, messy HTML into more regular HTML that cannot abuse high-authority constructs like the ability to execute arbitrary JavaScript.


Global Functions

goog.labs.html.Sanitizer.chain_(f, g) goog.labs.html.AttributeRewriter
Chains attribute rewriters.
Arguments:
f : goog.labs.html.AttributeRewriter
No description.
g : goog.labs.html.AttributeRewriter
No description.
Returns: goog.labs.html.AttributeRewriter  a function that returns g(f(x)), or null if f(x) is null.
goog.labs.html.Sanitizer.checkUrl_(attrValue) goog.html.SafeUrl | null
Applied automatically to URL attributes to check that they are safe as per SafeUrl.
Arguments:
attrValue : goog.labs.html.AttributeValue
a decoded attribute value.
Returns: goog.html.SafeUrl | null  a URL that is equivalent to the input, or null if the input is not a safe URL.
goog.labs.html.Sanitizer.createBlankObject_() !Object.<string,?>
A new object that is as blank as possible. Using Object.create to create an object with no prototype speeds up whitelist access, since there are fewer prototypes to fall back to in the common case where an element is not in the whitelist, and reduces the chance of confusing a member of Object.prototype with a whitelist entry.
Returns: !Object.<string,?>  a reference to a newly allocated object that does not alias any reference that existed prior.
goog.labs.html.Sanitizer.defaultRewriterForAttr_(attrName) goog.labs.html.AttributeRewriter
Given an attribute name, returns a value rewriter that enforces some minimal safety properties.

For URL attributes, it checks that any protocol is on a safe set that does not allow script execution.

It also blanket disallows CSS and event handler attributes.

Arguments:
attrName : string
lower-cased attribute name.
Returns: goog.labs.html.AttributeRewriter  No description.
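As an added example (not the Sanitizer's own code), the following plain JavaScript reproduces the behaviour documented for chain_, checkUrl_ and defaultRewriterForAttr_; the function names, the list of URL attributes and the scheme pattern are assumptions made for this illustration.

```javascript
// Added illustration of the behaviour documented above; it is not the code of
// goog.labs.html.Sanitizer. Names, the URL-attribute list and the scheme
// pattern are assumptions made for this example.

// An attribute rewriter maps a decoded attribute value to a value, or to null
// meaning "drop the attribute". chain(f, g)(x) is g(f(x)), or null if f(x) is null.
function chain(f, g) {
  return function (x) {
    const y = f(x);
    return y === null ? null : g(y);
  };
}

// A URL is accepted when its scheme is explicitly on the safe set, or when it
// has no scheme at all (no ':' before the first '/', '?' or '#'). Anchoring on
// the whole prefix rather than looking for a known-bad scheme name also rejects
// values whose scheme is broken up by whitespace, which browsers would still run.
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp):|[^:/?#]*(?:[/?#]|$))/i;

function checkUrl(attrValue) {
  const url = String(attrValue);
  return SAFE_URL_PATTERN.test(url) ? url : null;
}

function disallow(x) { return null; }
function valueIdentity(x) { return x; }

// Assumed set of attributes whose values are URLs (prototype-less lookup table).
const URL_ATTRS = Object.create(null);
for (const n of ['href', 'src', 'action', 'formaction', 'poster', 'cite']) {
  URL_ATTRS[n] = true;
}

// Lower-cased attribute name -> rewriter enforcing the minimal safety rules:
// event handlers and inline CSS are dropped outright, URL attributes are
// checked, everything else passes through unchanged.
function defaultRewriterForAttr(attrName) {
  if (attrName === 'style' || attrName.startsWith('on')) return disallow;
  if (URL_ATTRS[attrName]) return checkUrl;
  return valueIdentity;
}

// Runs the default rewriter first, then an optional caller-supplied one, so a
// custom rewriter can narrow but never widen what the defaults allow.
function rewriteAttribute(attrName, value, customRewriter) {
  const rewriter = chain(defaultRewriterForAttr(attrName),
                         customRewriter || valueIdentity);
  return rewriter(value);
}
```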
goog.labs.html.Sanitizer.disallow_(x) null
No description.
Arguments:
x : goog.labs.html.AttributeValue
No description.
Returns: null  No description.
goog.labs.html.Sanitizer.isValidHtmlName_(name) boolean
HTML element and attribute names may be almost arbitrary strings, but the sanitizer is more restrictive as to what can be white-listed. Since HTML is case-insensitive, only lower-case identifiers composed of ASCII letters, digits, and select punctuation are allowed.
Arguments:
name : string
No description.
Returns: boolean  true iff name is a valid white-list key.
goog.labs.html.Sanitizer.valueIdentity_(x) goog.labs.html.AttributeValue
No description.
Arguments:
x : goog.labs.html.AttributeValue
No description.
Returns: goog.labs.html.AttributeValue  No description.