html-sanitizing

How to use C# to sanitize input on an html page?

Is there a library or acceptable method for sanitizing the input to an html page? In this case I have a form with just a name, phone number, and email address. Code must be C#. For example: "<script src='bobs.js'>John Doe</script>" should become "John Doe" ...

Best way to handle security and avoid XSS with user entered URLs

We have a high security application and we want to allow users to enter URLs that other users will see. This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens. What are the best practices in dealing wit...

Sanitize/Rewrite HTML on the Client Side

I need to display external resources loaded via cross domain requests and make sure to only display "save" content. Could use Prototype's String#stripScripts to remove script blocks. But handlers such as onclick or onerror are still there. Is there any library which can at least strip script blocks, kill DOM handlers, remove black l...

Simple HTML sanitizer in Javascript

I'm looking for a simple HTML santizer written in JavaScript. It doesn't need to be 100% XSS secure. I'm implementing Markdown and the WMD Markdown editor (The SO master branch from github) on my website. The problem is that the HTML that is shown in the live preview isn't filtered, like it here on SO. I am looking for a simple/quick HT...

Sanitize HTML before storing in the DB or before rendering? (AntiXSS library in ASP.NET)

I have an editor that lets users add HTML that is stored in the database and rendered on a web page. Since this is untrusted input, I plan to use Microsoft.Security.Application.AntiXsSS.GetSafeHtmlFragment to sanitize the HTML. Should I santiize before saving to the database or before rendering the untrusted input into the webpage? Is ...

Rails Sanitize: Safety + Allowing Embeds

We're building a user generated content site where we want to allow users to be able to embed things like videos, slideshares, etc... Can anyone recommend a generally accepted list of tags / attributes to allow in rails sanitize that will give us pretty good security, while still allowing a good amount of the embedable content / html for...

Remove HTML tags in AppEngine Python Env (equivalent to Ruby's Sanitize)

Hello Everyone, I am looking for a python module that will help me get rid of HTML tags but keep the text values. I tried BeautifulSoup before and I couldn't figure out how to do this simple task. I tried searching for Python modules that could do this but they all seem to be dependent on other libraries which does not work well on AppE...

Sanitizing input for display in view when using simple_format

Hi, I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually, you should display user-inputs only when escaping html with h(). That of course won't display newlines or links, so I found the simple_format and auto_link methods. What I am now doing is: simple_format(santiz...

Cleaning mixed type <script> tags

I'm cleaning HTML using cyberneko and xerces. However , some $#@@!@@ websites still use BOTH <script>...</script> and <script.../> So what happens is this : given <script..../> <div> Some Text </div> <script> scripting stuff </script> , neko parses all the above line as a script , so I get <script..../> &lt div &gt Some Text...

Automatically adding width and height attributes to <img> tags with a PHP function

What I want is a function I can run on user input that will intelligently find and add the width and height attributes to any <img> tag in a blob of HTML so as to avoid page-reflowing issues while images load. I am writing the posting script for a PHP forum, where a user's input is sanitised and generally made nicer before writing it to...

Django, automatic HTML "sanitizing" when putting HTML to template, how to stop it?

I'm kind of confused by this because it seems that Django templates have optional HTML filters but this seems to be happening automatically.. I am making this demo app where the user will do an action that calls a python script which retrieves a url, I then want to display this in a new window.. its all fine except when the display comes...

Cleaning an HTML string saving some tags and attributes.

Hello everybody. After I implemented my sanitize functions (according to requested specifics), my boss decided to change the accepted input. Now he wants to keep some specific tag and its attributes. I suggested to implement a BBCode-like language which is safer imho but he doesn't want to because it would be to much work. This time I w...