HTMLDocument::WhiteList
Constructors
- UltraSafe()
- InlineOnly(HTMLDocument::ConversionSafety sa)
- AllElements(HTMLDocument::ConversionSafety sb)
- Unchecked()
- CustomWhitelist(Dict::Dict<String, [String]> whitelist)
Usage
When converting a String to HTML (as opposed to adding the String to an existing element as text, where it is escaped and rendered literally), the set of elements permitted in the conversion should depend on how trustworthy the String is. Any unauthenticated user-supplied data should be treated extremely cautiously, and even authenticated user-supplied data should be treated with some caution in case the authentication is broken or an account is compromised.
String to HTML conversion opens the application to cross-site scripting attacks, especially if the allowed element list is generous: any element or attribute that can carry script and survives the conversion is executed in the viewing user's browser.
- UltraSafe - removes all tags and attributes, keeping only the text content. This differs from adding the String directly as text, which escapes the tags rather than removing them. This conversion method is immune to cross-site scripting.
- InlineOnly - allows only inline elements.
- AllElements - allows inline and block elements.
- Unchecked - allows all tags and attributes. Use this only on completely trusted data, as it allows trivial cross-site scripting if an attacker can control the String being converted.
- CustomWhitelist - create your own whitelist of elements. The whitelist is a Dict whose keys are the allowed elements and whose values are the lists of allowed attributes for that element. The string "*" matches any element when used as a key, or any attribute when used as an item in a value list; a wildcard is generally not a good idea for anything other than completely trusted data.
For the InlineOnly and AllElements options, you also need to select a ConversionSafety (see HTMLDocument::ConversionSafety).
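The whitelist semantics described above (element name as key, list of allowed attributes as value, "*" matching any element or any attribute) and the difference between the safety levels, as an added example written in Python. It is not the page's own HTMLDocument::WhiteList implementation: the element sets assumed for the inline and block levels are illustrative, since the page does not list them, and the href scheme check is an extra step beyond element/attribute whitelisting that the page does not describe.

```python
"""Element/attribute whitelist sanitizer modelled on the WhiteList levels.

Added example, not the page's or the library's own code. INLINE_ONLY and
ALL_ELEMENTS contents are assumptions; the page does not enumerate them.
"""
import re
from html import escape
from html.parser import HTMLParser

# Whitelist shape from the page: element -> allowed attributes, "*" wildcards.
ULTRA_SAFE = {}                                   # strip every tag and attribute
INLINE_ONLY = {"b": [], "i": [], "em": [], "strong": [], "code": [],
               "a": ["href"]}                     # assumed inline set
ALL_ELEMENTS = dict(INLINE_ONLY, p=[], br=[], ul=[], ol=[], li=[],
                    blockquote=[])                # assumed block set on top
UNCHECKED = {"*": ["*"]}                          # any element, any attribute

VOID_ELEMENTS = {"br", "hr", "img"}               # never get a closing tag
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")
_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*:")


def url_is_safe(value):
    """Extra check beyond the whitelist: an allowed href still carries script
    if its scheme is javascript:. Whitespace and control characters are removed
    first because browsers ignore them inside a scheme, so "java&#x09;script:"
    must be rejected just like "javascript:". Relative URLs pass."""
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return _SCHEME.match(v) is None or v.startswith(SAFE_URL_SCHEMES)


class WhitelistSanitizer(HTMLParser):
    def __init__(self, whitelist):
        super().__init__(convert_charrefs=True)
        self.whitelist = whitelist
        self.out = []

    def _allowed_attrs(self, tag):
        """Allowed attribute list for tag, or None if the element is banned."""
        if tag in self.whitelist:
            return self.whitelist[tag]
        return self.whitelist.get("*")            # "*" key matches any element

    def _emit_start(self, tag, attrs):
        allowed = self._allowed_attrs(tag)
        if allowed is None:
            return                                # drop the tag, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in allowed and "*" not in allowed:
                continue                          # e.g. onerror on an img
            if name == "href" and not url_is_safe(value or ""):
                continue
            parts.append('%s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s>" % " ".join(parts))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs)              # <br/> written once, no </br>

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS and self._allowed_attrs(tag) is not None:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always escaped


def sanitize(html, whitelist):
    """Convert an untrusted String to HTML, keeping only whitelisted markup."""
    parser = WhitelistSanitizer(whitelist)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed attacker input: the UNCHECKED level passes the payload through.
    payload = '<img src=x onerror="alert(1)">'
    print(sanitize(payload, UNCHECKED))      # <img src="x" onerror="alert(1)">
    print(sanitize(payload, INLINE_ONLY))    # (empty: img is not inline)
```

The same input gives opposite results under UNCHECKED and INLINE_ONLY, which is the point of choosing the level by trust in the source. Note that whitelisting `href` on `a` is only as safe as the URL check behind it; the page's Dict format says nothing about attribute values, so a CustomWhitelist that allows `href` needs that check implemented separately.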