Elements to allow in string-html conversion
HTMLDocument::WhiteList< >
= UltraSafe()
| InlineOnly(HTMLDocument::ConversionSafety sa)
| AllElements(HTMLDocument::ConversionSafety sb)
| Unchecked()
| CustomWhitelist(Dict::Dict<String, [String]> whitelist)
When converting from a String to HTML, rather than simply adding a String to an existing element where it will be escaped, the elements allowed in the conversion should depend on how trustworthy the String is. Generally, any unauthenticated user-supplied data should be treated extremely cautiously, and even authenticated user-supplied data should be treated with some caution in case the authentication is broken.
Use of String to HTML conversion allows potential for
cross-site scripting attacks
against your application, especially if the allowed element list is generous.
- UltraSafe - removes all tags and attributes. This differs from adding the string directly as text, which escapes them. This conversion method is immune to cross-site scripting.
- InlineOnly - allows only inline elements.
- AllElements - allows inline and block elements.
- Unchecked - allows all tags and attributes. Use this only on completely trusted data, as it allows trivial cross-site scripting attacks if an attacker can control the String being converted.
- CustomWhitelist - create your own whitelist of elements. The whitelist is a Dict(3kaya) with the allowed elements as the key and the list of allowed attributes for that element as the value. The string "*" will match any element as the key, or any attribute as an item in the value list, which is generally not a good idea for anything other than completely trusted data.
For the InlineOnly and AllElements options, you also need to select a HTMLDocument.ConversionSafety (3kaya)
Kaya standard library by Edwin Brady, Chris Morris and others ([email protected]). For further information see http://kayalang.org/
The Kaya standard library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License (version 2.1 or any later version) as published by the Free Software Foundation.
HTMLDocument.ConversionSafety (3kaya)
HTMLDocument.readFromString (3kaya)