fix spelling

This commit is contained in:
Greg Weber 2010-10-02 16:44:55 -07:00
parent f2b4400472
commit 08c9329ab4


@ -11,7 +11,7 @@ Detail
========
This is not escaping! Escaping html does prevents XSS attacks. Strings should be html escaped to show up properly and to prevent XSS attacks. However, escaping will ruin the display of the html.
This function removes any tags or attributes that are not in its white-list of. This may sound picky, but most html should make it through unchanged, making the proces unnoticeable to the user but giving us safe html.
This function removes any tags or attributes that are not in its white-list of. This may sound picky, but most html should make it through unchanged, making the process unnoticeable to the user but giving us safe html.
Integration
===========
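Review bot: two more wording problems remain in the same paragraph that this spelling fix touches, so it would be worth correcting them in the same commit: the first context line reads "Escaping html does prevents XSS attacks" (should be "does prevent"), and both the removed and the added line end the first sentence with a dangling "white-list of." (drop the "of", or finish the phrase, e.g. "white-list of tags and attributes"). The security claim itself is the right one to keep prominent: escaping and sanitizing are different operations, and this function is a whitelist sanitizer, not an escaper.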
@ -41,13 +41,13 @@ Ultimately this is where your security comes from, although I would tend to thin
Version 0.1 of the white list is from Pandoc. Probably that list is from an older version of (a wiki page containing a white list)[http://wiki.whatwg.org/wiki/Sanitization_rules]. Having some prior experience editing Wikipedia, I am a little wary of directly using a wiki for a purpose like this, although it does seem to be watched over.
Version >= 0.2 uses (the source code of html5lib)[http://code.google.com/p/html5lib/source/browse/python/html5lib/sanitizer.py]. as the source of the white list and my implementation reference. They do reference that wiki page as their source, but hopefully they are careful of when they import it into their code. I would definitely consider working with the maintatiners of html5lib, but it doesn't make sense to merge the projects because sanitization is just one aspect of html5lib (They have a parser also)
Version >= 0.2 uses (the source code of html5lib)[http://code.google.com/p/html5lib/source/browse/python/html5lib/sanitizer.py]. as the source of the white list and my implementation reference. They do reference that wiki page as their source, but hopefully they are careful of when they import it into their code. I would definitely consider working with the maintainers of html5lib, but it doesn't make sense to merge the projects because sanitization is just one aspect of html5lib (They have a parser also)
If anyone knows of better sources or thinks a particular tag/attribute/value may be vulerable, please let me know.
If anyone knows of better sources or thinks a particular tag/attribute/value may be vulnerable, please let me know.
attributes data and style
-------------------------
The href attribute is white listed, but its value must pass through a white list also. This is how the data and style attributes should work also. However, this was never implemented in Pandoc, and the html5lib code is a little complicated and relies on regular expressions that I don't understand. So for now thes attributes are not on the white list.
The href attribute is white listed, but its value must pass through a white list also. This is how the data and style attributes should work also. However, this was never implemented in Pandoc, and the html5lib code is a little complicated and relies on regular expressions that I don't understand. So for now these attributes are not on the white list.
svg and mathml
--------------
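Review bot: the link syntax in the lines around the "maintainers" fix is inverted, so these links will not render in Markdown: `(a wiki page containing a white list)[http://wiki.whatwg.org/wiki/Sanitization_rules]` and `(the source code of html5lib)[http://code.google.com/p/html5lib/source/browse/python/html5lib/sanitizer.py]` should be written `[text](url)`, and the stray ". as the source of the white list" after the second link should become " as the source of the white list". Since the added line reproduces the broken syntax unchanged, this is the natural commit to fix it. The "data and style" paragraph's conclusion, that these attributes stay off the white list until their values can be validated, is the conservative choice and should stay; the only suggestion there is to state it as a deliberate policy rather than as a temporary gap ("for now").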