
HTMLDocument.WhiteList(3kaya) Kaya module reference HTMLDocument.WhiteList(3kaya)

NAME

HTMLDocument::WhiteList - Elements to allow in String->HTML conversion

SYNOPSIS

HTMLDocument::WhiteList< >
= UltraSafe()
| InlineOnly(HTMLDocument::ConversionSafety sa)
| AllElements(HTMLDocument::ConversionSafety sb)
| Unchecked()
| CustomWhitelist(Dict::Dict<String, [String]> whitelist)

DESCRIPTION

When converting from a String to HTML, rather than simply adding a String to an existing element where it will be escaped, the elements allowed in the conversion should depend on how trustworthy the String is. Generally, any unauthenticated user-supplied data should be treated extremely cautiously, and even authenticated user-supplied data should be treated with some caution in case the authentication is broken.
Converting a String to HTML exposes your application to potential cross-site scripting attacks, especially if the allowed element list is generous.
- UltraSafe - removes all tags and attributes. This differs from adding the string directly as text, which escapes them. This conversion method is immune to cross-site scripting.
- InlineOnly - allows only inline elements.
- AllElements - allows inline and block elements.
- Unchecked - allows all tags and attributes. Use this only on completely trusted data, as it allows trivial cross-site scripting attacks if an attacker can control the String being converted.
- CustomWhitelist - create your own whitelist of elements. The whitelist is a Dict(3kaya) with the allowed elements as the key and the list of allowed attributes for that element as the value. The string "*" will match any element as the key, or any attribute as an item in the value list, which is generally not a good idea for anything other than completely trusted data.
For the InlineOnly and AllElements options, you also need to select a HTMLDocument.ConversionSafety(3kaya).
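
The lookup rule that CustomWhitelist describes, modelled in Python as an added example (it is not Kaya code and not the library's implementation). The names `convert`, `STRICT`, `WILDCARD` and `SAMPLE` are hypothetical, UltraSafe is modelled as an empty whitelist, and dropping a disallowed tag while keeping its text is an assumption of this model.

```python
from html import escape
from html.parser import HTMLParser

class WhitelistFilter(HTMLParser):
    """Model: whitelist maps element -> allowed attributes, "*" is a wildcard."""

    def __init__(self, whitelist):
        super().__init__(convert_charrefs=True)
        self.whitelist = whitelist
        self.out = []

    def allowed_attrs(self, tag):
        # Exact element key first, then the "*" key; None means not allowed.
        if tag in self.whitelist:
            return self.whitelist[tag]
        return self.whitelist.get("*")

    def handle_starttag(self, tag, attrs):
        allowed = self.allowed_attrs(tag)
        if allowed is None:
            return  # assumption: the tag is dropped, its text content is kept
        # Attribute names are filtered; attribute values are not inspected here.
        kept = [(k, v) for k, v in attrs if k in allowed or "*" in allowed]
        rendered = "".join(' %s="%s"' % (k, escape(v or "")) for k, v in kept)
        self.out.append("<%s%s>" % (tag, rendered))

    def handle_endtag(self, tag):
        if self.allowed_attrs(tag) is not None:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def convert(text, whitelist):
    """Return text with only whitelisted elements and attributes kept."""
    f = WhitelistFilter(whitelist)
    f.feed(text)
    f.close()
    return "".join(f.out)

# Constructed sample input and whitelists (not taken from the Kaya documentation).
SAMPLE = '<a href="/docs" onclick="x()">docs</a> <b>hi</b><script>x()</script>'
STRICT = {"a": ["href"], "b": []}   # two elements, one attribute
WILDCARD = {"*": ["*"]}             # any element, any attribute

if __name__ == "__main__":
    print(convert(SAMPLE, STRICT))    # event handler and script element removed
    print(convert(SAMPLE, {}))        # empty whitelist: tags removed, text kept
    print(convert(SAMPLE, WILDCARD))  # everything passes through
    print(escape("<b>hi</b>"))        # adding as text escapes instead of removing
```

The wildcard run returns the input with its event handler and script element intact, which is why "*" suits only completely trusted data.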

AUTHORS

Kaya standard library by Edwin Brady, Chris Morris and others (kaya@kayalang.org). For further information see http://kayalang.org/

LICENSE

The Kaya standard library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License (version 2.1 or any later version) as published by the Free Software Foundation.

RELATED

HTMLDocument.ConversionSafety (3kaya)
HTMLDocument.readFromString (3kaya)
August 2014 Kaya