The conversion safety level for string-html conversion
HTMLDocument::ConversionSafety< >
= Safe()
| Unsafe()
| VeryUnsafe()
If you are using the InlineOnly or AllElements option for HTMLDocument.WhiteList (3kaya) you can choose various sets of elements and attributes to allow.
- Safe - a very restricted set of elements and attributes is allowed. Hyperlinks, images, forms, scripting, inline styles and so on are not allowed.
- Unsafe - As Safe , but hyperlinks, images and client-side scripting are allowed. Some cross-site scripting is possible as a result.
- VeryUnsafe - As Unsafe , but form controls are also allowed. This allows some potentially very nasty cross-site scripting attacks to be carried out with ease if an attacker is able to influence the String being converted, so use this with extreme caution.
None of these allow the direct addition of <script> elements or the onX event handlers.
Kaya standard library by Edwin Brady, Chris Morris and others ([email protected]). For further information see http://kayalang.org/
The Kaya standard library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License (version 2.1 or any later version) as published by the Free Software Foundation.
HTMLDocument.WhiteList (3kaya)
HTMLDocument.readFromString (3kaya)