SYNOPSIS

HTMLDocument::WhiteList< >

  • = UltraSafe()

  • | InlineOnly(HTMLDocument::ConversionSafety sa)

  • | AllElements(HTMLDocument::ConversionSafety sb)

  • | Unchecked()

  • | CustomWhitelist(Dict::Dict<String, [String]> whitelist)

DESCRIPTION

When converting from a String to HTML, rather than simply adding a String to an existing element where it will be escaped, the elements allowed in the conversion should depend on how trustworthy the String is. Generally, any unauthenticated user-supplied data should be treated extremely cautiously, and even authenticated user-supplied data should be treated with some caution in case the authentication is broken.

Use of String to HTML conversion allows potential for

cross-site scripting attacks

against your application, especially if the allowed element list is generous.

  • - UltraSafe - removes all tags and attributes. This differs from adding the string directly as text, which escapes them. This conversion method is immune to cross-site scripting.

  • - InlineOnly - allows only inline elements.

  • - AllElements - allows inline and block elements.

  • - Unchecked - allows all tags and attributes. Use this only on completely trusted data, as it allows trivial cross-site scripting attacks if an attacker can control the String being converted.

  • - CustomWhitelist - create your own whitelist of elements. The whitelist is a Dict(3kaya) with the allowed elements as the key and the list of allowed attributes for that element as the value. The string "*" will match any element as the key, or any attribute as an item in the value list, which is generally not a good idea for anything other than completely trusted data.

For the InlineOnly and AllElements options, you also need to select a HTMLDocument.ConversionSafety (3kaya)

AUTHORS

Kaya standard library by Edwin Brady, Chris Morris and others ([email protected]). For further information see http://kayalang.org/

LICENSE

The Kaya standard library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License (version 2.1 or any later version) as published by the Free Software Foundation.

RELATED

HTMLDocument.ConversionSafety (3kaya)

HTMLDocument.readFromString (3kaya)