html-sanitizing

问题 I am sanitizing the current html (string value), I want to know if is possible only allow certains attributes. In this example the string only should keep the "id" attribute. Like this: <h1 id="header">DomSanitizer</h1><script>ourSafeCode()</script>'); This is an example of my component. import {BrowserModule, DomSanitizer} from '@angular/platform-browser' @Component({ selector: 'my-app', template: ` <div [innerHtml]="html"></div> `, }) export class App { constructor(private sanitizer:

问题 I use <div [innerHTML]="body"></div> to pass unescaped HTML to my template, and when I pass to body div with attribute id , Angular throw: WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss). WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss). WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss). See. plunker So why it says this? What can be dangerous id in div ? Could this bug? 回答1: It is because id

问题 Is there a library or acceptable method for sanitizing the input to an html page? In this case I have a form with just a name, phone number, and email address. Code must be C#. For example: "<script src='bobs.js'>John Doe</script>" should become "John Doe" 回答1: We are using the HtmlSanitizer .Net library, which: Is open-source (MIT) - GitHub link Is fully customizable, e.g configure which elements should be removed. see wiki Is actively maintained Doesn't have the problems like Microsoft Anti

问题 Is there a library or acceptable method for sanitizing the input to an html page? In this case I have a form with just a name, phone number, and email address. Code must be C#. For example: "<script src='bobs.js'>John Doe</script>" should become "John Doe" 回答1: We are using the HtmlSanitizer .Net library, which: Is open-source (MIT) - GitHub link Is fully customizable, e.g configure which elements should be removed. see wiki Is actively maintained Doesn't have the problems like Microsoft Anti

问题 I'm trying to tackle the classic "user input sanitisation" problem on my new web app and I chose to use Google Caja's HTML Sanitizer server-side for this task. Although the implementation + testing went fine, I still have some questions : 1) I could only find the HTML4 definitions, does this mean that HTML5 tags wouldn't be safe ? I did some tests with HTML 5 specific tag / attribute XSS's and although none of them worked I'm not 100% sure that some untested ones wouldn't work. 2) Google Caja

问题 is there a clean way to remove all html tag of all attributes before validation I found acts_as_sanitized that seemed to be perfect, but for rails 2 :-s thanks 回答1: The sanitize gem: https://github.com/rgrove/sanitize Does what you need. Call Sanitize.clean(htmlstring). You can whitelist allowed tags as well. 来源： https://stackoverflow.com/questions/15650609/remove-all-html-tag-before-validation

问题 In the htmlspecialchars function, if you set the ENT_SUBSTITUTE flag, it is supposed to replace some invalid characters. What characters are replaced? And what is the mapping between the invalid characters and the ones that are used to replace it? 回答1: There is only one, universal replacement character: U+FFFD. If you are writing out UTF-8, then this codepoint is appropriately encoded. If not, you get the corresponding character reference � instead. There is no reversible mapping. By

问题 I am looking for a python module that will help me get rid of HTML tags but keep the text values. I tried BeautifulSoup before and I couldn't figure out how to do this simple task. I tried searching for Python modules that could do this but they all seem to be dependent on other libraries which does not work well on AppEngine. Below is a sample code from Ruby's sanitize library and that's what I am after in Python: require 'rubygems' require 'sanitize' html = '<b><a href="http://foo.com/">foo

问题 I stucked on decision how I should proceed with Markdown processing and Html sanitize. I have this user requirements for comments/articles: Users should be able to use Markdown syntax Users should be able to post youtube videos / yandex.music audios Of course, users shoudn't be trusted and their input should be validated for all kind of attacks In particular, I don't want to allow users to submit arbitrary iframes I even submitted fix to markdig library to support yandex.music in media

问题 What I want is a function I can run on user input that will intelligently find and add the width and height attributes to any <img> tag in a blob of HTML so as to avoid page-reflowing issues while images load. I am writing the posting script for a PHP forum, where a user's input is sanitised and generally made nicer before writing it to the database for later display. As an example of what I do to make things nicer, I have a script that inserts alt attributes into images like so: Here are two