.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.29)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{
.    if \nF \{
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "HTML::Defang 3pm"
.TH HTML::Defang 3pm "2015-12-27" "perl v5.22.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
HTML::Defang \- Cleans HTML as well as CSS of scripting and other executable contents, and neutralises XSS attacks.
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\&  my $InputHtml = "<html><body></body></html>";
\&
\&  my $Defang = HTML::Defang\->new(
\&    context => $Self,
\&    fix_mismatched_tags => 1,
\&    tags_to_callback => [ br embed img ],
\&    tags_callback => \e&DefangTagsCallback,
\&    url_callback => \e&DefangUrlCallback,
\&    css_callback => \e&DefangCssCallback,
\&    attribs_to_callback => [ qw(border src) ],
\&    attribs_callback => \e&DefangAttribsCallback
\&  );
\&
\&  my $SanitizedHtml = $Defang\->defang($InputHtml);
\&
\&  # Callback for custom handling specific HTML tags  
\&  sub DefangTagsCallback {
\&    my ($Self, $Defang, $OpenAngle, $lcTag, $IsEndTag, $AttributeHash, $CloseAngle, $HtmlR, $OutR) = @_;
\&
\&    # Explicitly defang this tag, eventhough safe
\&    return DEFANG_ALWAYS if $lcTag eq \*(Aqbr\*(Aq;
\&
\&    # Explicitly whitelist this tag, eventhough unsafe
\&    return DEFANG_NONE if $lcTag eq \*(Aqembed\*(Aq;
\&
\&    # I am not sure what to do with this tag, so process as HTML::Defang normally would
\&    return DEFANG_DEFAULT if $lcTag eq \*(Aqimg\*(Aq;
\&  }
\&
\&  # Callback for custom handling URLs in HTML attributes as well as style tag/attribute declarations
\&  sub DefangUrlCallback {
\&    my ($Self, $Defang, $lcTag, $lcAttrKey, $AttrValR, $AttributeHash, $HtmlR) = @_;
\&
\&    # Explicitly allow this URL in tag attributes or stylesheets
\&    return DEFANG_NONE if $$AttrValR =~ /safesite.com/i;
\&
\&    # Explicitly defang this URL in tag attributes or stylesheets
\&    return DEFANG_ALWAYS if $$AttrValR =~ /evilsite.com/i;
\&  }
\&
\&  # Callback for custom handling style tags/attributes
\&  sub DefangCssCallback {
\&    my ($Self, $Defang, $Selectors, $SelectorRules, $Tag, $IsAttr) = @_;
\&    my $i = 0;
\&    foreach (@$Selectors) {
\&      my $SelectorRule = $$SelectorRules[$i];
\&      foreach my $KeyValueRules (@$SelectorRule) {
\&        foreach my $KeyValueRule (@$KeyValueRules) {
\&          my ($Key, $Value) = @$KeyValueRule;
\&
\&          # Comment out any \*(Aq!important\*(Aq directive
\&          $$KeyValueRule[2] = DEFANG_ALWAYS if $Value =~ \*(Aq!important\*(Aq;
\&
\&          # Comment out any \*(Aqposition=fixed;\*(Aq declaration
\&          $$KeyValueRule[2] = DEFANG_ALWAYS if $Key =~ \*(Aqposition\*(Aq && $Value =~ \*(Aqfixed\*(Aq;
\&        }
\&      }
\&      $i++;
\&    }
\&  }
\&
\&  # Callback for custom handling HTML tag attributes
\&  sub DefangAttribsCallback {
\&    my ($Self, $Defang, $lcTag, $lcAttrKey, $AttrValR, $HtmlR) = @_;
\&
\&    # Change all \*(Aqborder\*(Aq attribute values to zero.
\&    $$AttrValR = \*(Aq0\*(Aq if $lcAttrKey eq \*(Aqborder\*(Aq;
\&
\&    # Defang all \*(Aqsrc\*(Aq attributes
\&    return DEFANG_ALWAYS if $lcAttrKey eq \*(Aqsrc\*(Aq;
\&
\&    return DEFANG_NONE;
\&  }
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This module accepts an input \s-1HTML\s0 and/or \s-1CSS\s0 string and removes any executable code including scripting, embedded objects, applets, etc., and neutralises any \s-1XSS\s0 attacks. A whitelist based approach is used which means only \s-1HTML\s0 known to be safe is allowed through.
.PP
HTML::Defang uses a custom html tag parser. The parser has been designed and tested to work with nasty real world html and to try and emulate as close as possible what browsers actually do with strange looking constructs. The test suite has been built based on examples from a range of sources such as http://ha.ckers.org/xss.html and http://imfo.ru/csstest/css_hacks/import.php to ensure that as many as possible \s-1XSS\s0 attack scenarios have been dealt with.
.PP
HTML::Defang can make callbacks to client code when it encounters the following:
.IP "\(bu" 4
When a specified tag is parsed
.IP "\(bu" 4
When a specified attribute is parsed
.IP "\(bu" 4
When a \s-1URL\s0 is parsed as part of an \s-1HTML\s0 attribute, or \s-1CSS\s0 property value.
.IP "\(bu" 4
When style data is parsed, as part of an \s-1HTML\s0 style attribute, or as part of an \s-1HTML\s0 <style> tag.
.PP
The callbacks include details about the current tag/attribute that is being parsed, and also gives a scalar reference to the input \s-1HTML.\s0 Querying \fIpos()\fR on the input \s-1HTML\s0 should indicate where the module is with parsing. This gives the client code flexibility in working with HTML::Defang.
.PP
HTML::Defang can defang whole tags, any attribute in a tag, any \s-1URL\s0 that appear as an attribute or style property, or any \s-1CSS\s0 declaration in a declaration block in a style rule. This helps to precisely block the most specific unwanted elements in the contents(for example, block just an offending attribute instead of the whole tag), while retaining any safe \s-1HTML/CSS.\s0
.SH "CONSTRUCTOR"
.IX Header "CONSTRUCTOR"
.IP "\fIHTML::Defang\->new(%Options)\fR" 4
.IX Item "HTML::Defang->new(%Options)"
Constructs a new HTML::Defang object. The following options are supported:
.RS 4
.IP "\fBOptions\fR" 4
.IX Item "Options"
.RS 4
.PD 0
.IP "\fBtags_to_callback\fR" 4
.IX Item "tags_to_callback"
.PD
Array reference of tags for which a call back should be made. If a tag in this array is parsed, the subroutine \fItags_callback()\fR is invoked.
.IP "\fBattribs_to_callback\fR" 4
.IX Item "attribs_to_callback"
Array reference of tag attributes for which a call back should be made. If an attribute in this array is parsed, the subroutine \fIattribs_callback()\fR is invoked.
.IP "\fBtags_callback\fR" 4
.IX Item "tags_callback"
Subroutine reference to be invoked when a tag listed in @$tags_to_callback is parsed.
.IP "\fBattribs_callback\fR" 4
.IX Item "attribs_callback"
Subroutine reference to be invoked when an attribute listed in @$attribs_to_callback is parsed.
.IP "\fBurl_callback\fR" 4
.IX Item "url_callback"
Subroutine reference to be invoked when a \s-1URL\s0 is detected in an \s-1HTML\s0 tag attribute or a \s-1CSS\s0 property.
.IP "\fBcss_callback\fR" 4
.IX Item "css_callback"
Subroutine reference to be invoked when \s-1CSS\s0 data is found either as the contents of a 'style' attribute in an \s-1HTML\s0 tag, or as the contents of a <style> \s-1HTML\s0 tag.
.IP "\fBfix_mismatched_tags\fR" 4
.IX Item "fix_mismatched_tags"
This property, if set, fixes mismatched tags in the \s-1HTML\s0 input. By default, tags present in the default \f(CW%mismatched_tags_to_fix\fR hash are fixed. This set of tags can be overridden by passing in an array reference \f(CW$mismatched_tags_to_fix\fR to the constructor. Any opened tags in the set are automatically closed if no corresponding closing tag is found. If an unbalanced closing tag is found, that is commented out.
.IP "\fBmismatched_tags_to_fix\fR" 4
.IX Item "mismatched_tags_to_fix"
Array reference of tags for which the code would check for matching opening and closing tags. See the property \f(CW$fix_mismatched_tags\fR.
.IP "\fBcontext\fR" 4
.IX Item "context"
You can pass an arbitrary scalar as a 'context' value that's then passed as the first parameter to all callback functions. Most commonly this is something like '$Self'
.IP "\fBallow_double_defang\fR" 4
.IX Item "allow_double_defang"
If this is true, then tag names and attribute names which already begin
with the defang string (\*(L"defang_\*(R" by default) will have an additional
copy of the defang string prepended if they are flagged to be defanged
by the return value of a callback, or if the tag or attribute name
is unknown.
.Sp
The default is to assume that tag names and attribute names beginning 
with the defang string are already made safe, and need no further
modification, even if they are flagged to be defanged by the
return value of a callback.  Any tag or attribute modifications made
directly by a callback are still performed.
.IP "\fBDebug\fR" 4
.IX Item "Debug"
If set, prints debugging output.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.SH "CALLBACK METHODS"
.IX Header "CALLBACK METHODS"
.IP "\fB\s-1COMMON PARAMETERS\s0\fR" 4
.IX Item "COMMON PARAMETERS"
A number of the callbacks share the same parameters. These common parameters are documented here. Certain variables may have specific meanings in certain callbacks, so be sure to check the documentation for that method first before referring this section.
.RS 4
.ie n .IP "\fI\fI$context\fI\fR" 4
.el .IP "\fI\f(CI$context\fI\fR" 4
.IX Item "$context"
You can pass an arbitrary scalar as a 'context' value that's then passed as the first parameter to all callback functions. Most commonly this is something like '$Self'
.ie n .IP "\fI\fI$Defang\fI\fR" 4
.el .IP "\fI\f(CI$Defang\fI\fR" 4
.IX Item "$Defang"
Current HTML::Defang instance
.ie n .IP "\fI\fI$OpenAngle\fI\fR" 4
.el .IP "\fI\f(CI$OpenAngle\fI\fR" 4
.IX Item "$OpenAngle"
Opening angle(<) sign of the current tag.
.ie n .IP "\fI\fI$lcTag\fI\fR" 4
.el .IP "\fI\f(CI$lcTag\fI\fR" 4
.IX Item "$lcTag"
Lower case version of the \s-1HTML\s0 tag that is currently being parsed.
.ie n .IP "\fI\fI$IsEndTag\fI\fR" 4
.el .IP "\fI\f(CI$IsEndTag\fI\fR" 4
.IX Item "$IsEndTag"
Has the value '/' if the current tag is a closing tag.
.ie n .IP "\fI\fI$AttributeHash\fI\fR" 4
.el .IP "\fI\f(CI$AttributeHash\fI\fR" 4
.IX Item "$AttributeHash"
A reference to a hash containing the attributes of the current tag and
their values. Each value is a scalar reference to the value, rather
than just a scalar value. You can add attributes (remember to make it a
scalar ref, eg \f(CW$AttributeHash\fR{\*(L"newattr\*(R"} = \e\*(L"newval\*(R"), delete attributes,
or modify attribute values in this hash, and any changes you make will
be incorporated into the output \s-1HTML\s0 stream.
.Sp
The attribute values will have any entity references decoded before
being passed to you, and any unsafe values we be re-encoded back into
the \s-1HTML\s0 stream.
.Sp
So for instance, the tag:
.Sp
.Vb 1
\&  <div title="&lt;&quot;Hi there &#x003C;">
.Ve
.Sp
Will have the attribute hash:
.Sp
.Vb 1
\&  { title => \eq[<"Hi there <] }
.Ve
.Sp
And will be turned back into the \s-1HTML\s0 on output:
.Sp
.Vb 1
\&  <div title="&lt;&quot;Hi there &lt;">
.Ve
.ie n .IP "\fI\fI$CloseAngle\fI\fR" 4
.el .IP "\fI\f(CI$CloseAngle\fI\fR" 4
.IX Item "$CloseAngle"
Anything after the end of last attribute including the closing \s-1HTML\s0 angle(>)
.ie n .IP "\fI\fI$HtmlR\fI\fR" 4
.el .IP "\fI\f(CI$HtmlR\fI\fR" 4
.IX Item "$HtmlR"
A scalar reference to the input \s-1HTML.\s0 The input \s-1HTML\s0 is parsed using
m/\eG$SomeRegex/c constructs, so to continue from where HTML:Defang left,
clients can use m/\eG$SomeRegex/c for further processing on the input. This
will resume parsing from where HTML::Defang left. One can also use the
\&\fIpos()\fR function to determine where HTML::Defang left off. This combined
with the \fIadd_to_output()\fR method should give reasonable flexibility for
the client to process the input.
.ie n .IP "\fI\fI$OutR\fI\fR" 4
.el .IP "\fI\f(CI$OutR\fI\fR" 4
.IX Item "$OutR"
A scalar reference to the processed output \s-1HTML\s0 so far.
.RE
.RS 4
.RE
.ie n .IP "\fItags_callback($context, \fI$Defang\fI, \f(CI$OpenAngle\fI, \f(CI$lcTag\fI, \f(CI$IsEndTag\fI, \f(CI$AttributeHash\fI, \f(CI$CloseAngle\fI, \f(CI$HtmlR\fI, \f(CI$OutR\fI)\fR" 4
.el .IP "\fItags_callback($context, \f(CI$Defang\fI, \f(CI$OpenAngle\fI, \f(CI$lcTag\fI, \f(CI$IsEndTag\fI, \f(CI$AttributeHash\fI, \f(CI$CloseAngle\fI, \f(CI$HtmlR\fI, \f(CI$OutR\fI)\fR" 4
.IX Item "tags_callback($context, $Defang, $OpenAngle, $lcTag, $IsEndTag, $AttributeHash, $CloseAngle, $HtmlR, $OutR)"
If \f(CW$Defang\fR\->{tags_callback} exists, and HTML::Defang has parsed a tag preset in \f(CW$Defang\fR\->{tags_to_callback}, the above callback is made to the client code. The return value of this method determines whether the tag is defanged or not. More details below.
.RS 4
.IP "\fBReturn values\fR" 4
.IX Item "Return values"
.RS 4
.PD 0
.IP "\s-1DEFANG_NONE\s0" 4
.IX Item "DEFANG_NONE"
.PD
The current tag will not be defanged.
.IP "\s-1DEFANG_ALWAYS\s0" 4
.IX Item "DEFANG_ALWAYS"
The current tag will be defanged.
.IP "\s-1DEFANG_DEFAULT\s0" 4
.IX Item "DEFANG_DEFAULT"
The current tag will be processed normally by HTML:Defang as if there was no callback method specified.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.ie n .IP "\fIattribs_callback($context, \fI$Defang\fI, \f(CI$lcTag\fI, \f(CI$lcAttrKey\fI, \f(CI$AttrVal\fI, \f(CI$HtmlR\fI, \f(CI$OutR\fI)\fR" 4
.el .IP "\fIattribs_callback($context, \f(CI$Defang\fI, \f(CI$lcTag\fI, \f(CI$lcAttrKey\fI, \f(CI$AttrVal\fI, \f(CI$HtmlR\fI, \f(CI$OutR\fI)\fR" 4
.IX Item "attribs_callback($context, $Defang, $lcTag, $lcAttrKey, $AttrVal, $HtmlR, $OutR)"
If \f(CW$Defang\fR\->{attribs_callback} exists, and HTML::Defang has parsed an attribute present in \f(CW$Defang\fR\->{attribs_to_callback}, the above callback is made to the client code. The return value of this method determines whether the attribute is defanged or not. More details below.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$lcAttrKey\fI\fR" 4
.el .IP "\fI\f(CI$lcAttrKey\fI\fR" 4
.IX Item "$lcAttrKey"
.PD
Lower case version of the \s-1HTML\s0 attribute that is currently being parsed.
.ie n .IP "\fI\fI$AttrVal\fI\fR" 4
.el .IP "\fI\f(CI$AttrVal\fI\fR" 4
.IX Item "$AttrVal"
Reference to the \s-1HTML\s0 attribute value that is currently being parsed.
.Sp
See \f(CW$AttributeHash\fR for details of decoding.
.RE
.RS 4
.RE
.IP "\fBReturn values\fR" 4
.IX Item "Return values"
.RS 4
.PD 0
.IP "\s-1DEFANG_NONE\s0" 4
.IX Item "DEFANG_NONE"
.PD
The current attribute will not be defanged.
.IP "\s-1DEFANG_ALWAYS\s0" 4
.IX Item "DEFANG_ALWAYS"
The current attribute will be defanged.
.IP "\s-1DEFANG_DEFAULT\s0" 4
.IX Item "DEFANG_DEFAULT"
The current attribute will be processed normally by HTML:Defang as if there was no callback method specified.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.ie n .IP "\fIurl_callback($context, \fI$Defang\fI, \f(CI$lcTag\fI, \f(CI$lcAttrKey\fI, \f(CI$AttrVal\fI, \f(CI$AttributeHash\fI, \f(CI$HtmlR\fI, \f(CI$OutR\fI)\fR" 4
.el .IP "\fIurl_callback($context, \f(CI$Defang\fI, \f(CI$lcTag\fI, \f(CI$lcAttrKey\fI, \f(CI$AttrVal\fI, \f(CI$AttributeHash\fI, \f(CI$HtmlR\fI, \f(CI$OutR\fI)\fR" 4
.IX Item "url_callback($context, $Defang, $lcTag, $lcAttrKey, $AttrVal, $AttributeHash, $HtmlR, $OutR)"
If \f(CW$Defang\fR\->{url_callback} exists, and HTML::Defang has parsed a \s-1URL,\s0 the above callback is made to the client code. The return value of this method determines whether the attribute containing the \s-1URL\s0 is defanged or not. \s-1URL\s0 callbacks can be made from <style> tags as well style attributes, in which case the particular style declaration will be commented out. More details below.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$lcAttrKey\fI\fR" 4
.el .IP "\fI\f(CI$lcAttrKey\fI\fR" 4
.IX Item "$lcAttrKey"
.PD
Lower case version of the \s-1HTML\s0 attribute that is currently being parsed. However if this callback is made as a result of parsing a \s-1URL\s0 in a style attribute, \f(CW$lcAttrKey\fR will be set to the string \fIstyle\fR, or will be set to \fIundef\fR if this callback is made as a result of parsing a \s-1URL\s0 inside a style tag.
.ie n .IP "\fI\fI$AttrVal\fI\fR" 4
.el .IP "\fI\f(CI$AttrVal\fI\fR" 4
.IX Item "$AttrVal"
Reference to the \s-1URL\s0 value that is currently being parsed.
.ie n .IP "\fI\fI$AttributeHash\fI\fR" 4
.el .IP "\fI\f(CI$AttributeHash\fI\fR" 4
.IX Item "$AttributeHash"
A reference to a hash containing the attributes of the current tag and their values. Each value is a scalar reference to the value, 
rather than just a scalar value. You can add attributes (remember to make it a scalar ref, eg \f(CW$AttributeHash\fR{\*(L"newattr\*(R"} = \e\*(L"newval\*(R"), delete attributes, or modify attribute values in this hash, and any changes you make will be incorporated into the output \s-1HTML\s0 stream. Will be set to \fIundef\fR if the callback is made due to \s-1URL\s0 in a <style> tag or attribute.
.RE
.RS 4
.RE
.IP "\fBReturn values\fR" 4
.IX Item "Return values"
.RS 4
.PD 0
.IP "\s-1DEFANG_NONE\s0" 4
.IX Item "DEFANG_NONE"
.PD
The current \s-1URL\s0 will not be defanged.
.IP "\s-1DEFANG_ALWAYS\s0" 4
.IX Item "DEFANG_ALWAYS"
The current \s-1URL\s0 will be defanged.
.IP "\s-1DEFANG_DEFAULT\s0" 4
.IX Item "DEFANG_DEFAULT"
The current \s-1URL\s0 will be processed normally by HTML:Defang as if there was no callback method specified.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.ie n .IP "\fIcss_callback($context, \fI$Defang\fI, \f(CI$Selectors\fI, \f(CI$SelectorRules\fI, \f(CI$lcTag\fI, \f(CI$IsAttr\fI, \f(CI$OutR\fI)\fR" 4
.el .IP "\fIcss_callback($context, \f(CI$Defang\fI, \f(CI$Selectors\fI, \f(CI$SelectorRules\fI, \f(CI$lcTag\fI, \f(CI$IsAttr\fI, \f(CI$OutR\fI)\fR" 4
.IX Item "css_callback($context, $Defang, $Selectors, $SelectorRules, $lcTag, $IsAttr, $OutR)"
If \f(CW$Defang\fR\->{css_callback} exists, and HTML::Defang has parsed a <style> tag or style attribtue, the above callback is made to the client code. The return value of this method determines whether a particular declaration in the style rules is defanged or not. More details below.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$Selectors\fI\fR" 4
.el .IP "\fI\f(CI$Selectors\fI\fR" 4
.IX Item "$Selectors"
.PD
Reference to an array containing the selectors in a style tag or attribute.
.ie n .IP "\fI\fI$SelectorRules\fI\fR" 4
.el .IP "\fI\f(CI$SelectorRules\fI\fR" 4
.IX Item "$SelectorRules"
Reference to an array containing the style declaration blocks of all selectors in a style tag or attribute. Consider the below \s-1CSS:\s0
.Sp
.Vb 2
\&  a { b:c; d:e}
\&  j { k:l; m:n}
.Ve
.Sp
The declaration blocks will get parsed into the following data structure:
.Sp
.Vb 10
\&  [
\&    [
\&      [ "b", "c", DEFANG_DEFAULT ],
\&      [ "d", "e", DEFANG_DEFAULT ]
\&    ],
\&    [
\&      [ "k", "l", DEFANG_DEFAULT ],
\&      [ "m", "n", DEFANG_DEFAULT ]
\&    ]
\&  ]
.Ve
.Sp
So, generally each property:value pair in a declaration is parsed into an array of the form
.Sp
.Vb 1
\&  ["property", "value", X]
.Ve
.Sp
where X can be \s-1DEFANG_NONE, DEFANG_ALWAYS\s0 or \s-1DEFANG_DEFAULT,\s0 and \s-1DEFANG_DEFAULT\s0 the default value. A client can manipulate this value to instruct HTML::Defang to defang this property:value pair.
.Sp
\&\s-1DEFANG_NONE \-\s0 Do not defang
.Sp
\&\s-1DEFANG_ALWAYS \-\s0 Defang the style:property value
.Sp
\&\s-1DEFANG_DEFAULT \-\s0 Process this as if there is no callback specified
.ie n .IP "\fI\fI$IsAttr\fI\fR" 4
.el .IP "\fI\f(CI$IsAttr\fI\fR" 4
.IX Item "$IsAttr"
True if the currently processed item is a style attribute. False if the currently processed item is a style tag.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.SH "METHODS"
.IX Header "METHODS"
.IP "\fB\s-1PUBLIC METHODS\s0\fR" 4
.IX Item "PUBLIC METHODS"
.RS 4
.PD 0
.IP "\fIdefang($InputHtml)\fR" 4
.IX Item "defang($InputHtml)"
.PD
Cleans up \f(CW$InputHtml\fR of any executable code including scripting, embedded objects, applets, etc., and defang any \s-1XSS\s0 attacks.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$InputHtml\fI\fR" 4
.el .IP "\fI\f(CI$InputHtml\fI\fR" 4
.IX Item "$InputHtml"
.PD
The input \s-1HTML\s0 string that needs to be sanitized.
.RE
.RS 4
.RE
.RE
.RS 4
.Sp
Returns the cleaned \s-1HTML.\s0 If fix_mismatched_tags is set, any tags that appear in @$mismatched_tags_to_fix that are unbalanced are automatically commented or closed.
.RE
.IP "\fIadd_to_output($String)\fR" 4
.IX Item "add_to_output($String)"
Appends \f(CW$String\fR to the output after the current parsed tag ends. Can be used by client code in callback methods to add \s-1HTML\s0 text to the processed output. If the \s-1HTML\s0 text needs to be defanged, client code can safely call HTML::Defang\->\fIdefang()\fR recursively from within the callback.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$String\fI\fR" 4
.el .IP "\fI\f(CI$String\fI\fR" 4
.IX Item "$String"
.PD
The string that is added after the current parsed tag ends.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.IP "\fB\s-1INTERNAL METHODS\s0\fR" 4
.IX Item "INTERNAL METHODS"
Generally these methods never need to be called by users of the class, because they'll be called internally as the appropriate tags are 
encountered, but they may be useful for some users in some cases.
.RS 4
.ie n .IP "\fIdefang_script($OutR, \fI$HtmlR\fI, \f(CI$TagOps\fI, \f(CI$OpenAngle\fI, \f(CI$IsEndTag\fI, \f(CI$Tag\fI, \f(CI$TagTrail\fI, \f(CI$Attributes\fI, \f(CI$CloseAngle\fI)\fR" 4
.el .IP "\fIdefang_script($OutR, \f(CI$HtmlR\fI, \f(CI$TagOps\fI, \f(CI$OpenAngle\fI, \f(CI$IsEndTag\fI, \f(CI$Tag\fI, \f(CI$TagTrail\fI, \f(CI$Attributes\fI, \f(CI$CloseAngle\fI)\fR" 4
.IX Item "defang_script($OutR, $HtmlR, $TagOps, $OpenAngle, $IsEndTag, $Tag, $TagTrail, $Attributes, $CloseAngle)"
This method is invoked when a <script> tag is parsed. Defangs the <script> opening tag, and any closing tag. Any scripting content is also commented out, so browsers don't display them.
.Sp
Returns 1 to indicate that the <script> tag must be defanged.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$OutR\fI\fR" 4
.el .IP "\fI\f(CI$OutR\fI\fR" 4
.IX Item "$OutR"
.PD
A reference to the processed output \s-1HTML\s0 before the tag that is currently being parsed.
.ie n .IP "\fI\fI$HtmlR\fI\fR" 4
.el .IP "\fI\f(CI$HtmlR\fI\fR" 4
.IX Item "$HtmlR"
A scalar reference to the input \s-1HTML.\s0
.ie n .IP "\fI\fI$TagOps\fI\fR" 4
.el .IP "\fI\f(CI$TagOps\fI\fR" 4
.IX Item "$TagOps"
Indicates what operation should be done on a tag. Can be undefined, integer or code reference. Undefined indicates an unknown tag to HTML::Defang, 1 indicates a known safe tag, 0 indicates a known unsafe tag, and a code reference indicates a subroutine that should be called to parse the current tag. For example, <style> and <script> tags are parsed by dedicated subroutines.
.ie n .IP "\fI\fI$OpenAngle\fI\fR" 4
.el .IP "\fI\f(CI$OpenAngle\fI\fR" 4
.IX Item "$OpenAngle"
Opening angle(<) sign of the current tag.
.ie n .IP "\fI\fI$IsEndTag\fI\fR" 4
.el .IP "\fI\f(CI$IsEndTag\fI\fR" 4
.IX Item "$IsEndTag"
Has the value '/' if the current tag is a closing tag.
.ie n .IP "\fI\fI$Tag\fI\fR" 4
.el .IP "\fI\f(CI$Tag\fI\fR" 4
.IX Item "$Tag"
The \s-1HTML\s0 tag that is currently being parsed.
.ie n .IP "\fI\fI$TagTrail\fI\fR" 4
.el .IP "\fI\f(CI$TagTrail\fI\fR" 4
.IX Item "$TagTrail"
Any space after the tag, but before attributes.
.ie n .IP "\fI\fI$Attributes\fI\fR" 4
.el .IP "\fI\f(CI$Attributes\fI\fR" 4
.IX Item "$Attributes"
A reference to an array of the attributes and their values, including any surrouding spaces. Each element of the array is added by 'push' calls like below.
.Sp
.Vb 1
\&  push @$Attributes, [ $AttributeName, $SpaceBeforeEquals, $EqualsAndSubsequentSpace, $QuoteChar, $AttributeValue, $QuoteChar, $SpaceAfterAtributeValue ];
.Ve
.ie n .IP "\fI\fI$CloseAngle\fI\fR" 4
.el .IP "\fI\f(CI$CloseAngle\fI\fR" 4
.IX Item "$CloseAngle"
Anything after the end of last attribute including the closing \s-1HTML\s0 angle(>)
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.ie n .IP "\fIdefang_style($OutR, \fI$HtmlR\fI, \f(CI$TagOps\fI, \f(CI$OpenAngle\fI, \f(CI$IsEndTag\fI, \f(CI$Tag\fI, \f(CI$TagTrail\fI, \f(CI$Attributes\fI, \f(CI$CloseAngle\fI, \f(CI$IsAttr\fI)\fR" 4
.el .IP "\fIdefang_style($OutR, \f(CI$HtmlR\fI, \f(CI$TagOps\fI, \f(CI$OpenAngle\fI, \f(CI$IsEndTag\fI, \f(CI$Tag\fI, \f(CI$TagTrail\fI, \f(CI$Attributes\fI, \f(CI$CloseAngle\fI, \f(CI$IsAttr\fI)\fR" 4
.IX Item "defang_style($OutR, $HtmlR, $TagOps, $OpenAngle, $IsEndTag, $Tag, $TagTrail, $Attributes, $CloseAngle, $IsAttr)"
Builds a list of selectors and declarations from \s-1HTML\s0 style tags as well as style attributes in \s-1HTML\s0 tags and calls \fIdefang_stylerule()\fR to do the actual defanging.
.Sp
Returns 0 to indicate that style tags must not be defanged.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$IsAttr\fI\fR" 4
.el .IP "\fI\f(CI$IsAttr\fI\fR" 4
.IX Item "$IsAttr"
.PD
Whether we are currently parsing a style attribute or style tag. \f(CW$IsAttr\fR will be true if we are currently parsing a style attribute.
.RE
.RS 4
.Sp
For a description of other parameters, see documentation of \fIdefang_script()\fR method
.RE
.RE
.RS 4
.RE
.IP "\fIcleanup_style($StyleString)\fR" 4
.IX Item "cleanup_style($StyleString)"
Helper function to clean up \s-1CSS\s0 data. This function directly operates on the input string without taking a copy.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$StyleString\fI\fR" 4
.el .IP "\fI\f(CI$StyleString\fI\fR" 4
.IX Item "$StyleString"
.PD
The input style string that is cleaned.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.ie n .IP "\fIdefang_stylerule($SelectorsIn, \fI$StyleRules\fI, \f(CI$lcTag\fI, \f(CI$IsAttr\fI, \f(CI$HtmlR\fI, \f(CI$OutR\fI)\fR" 4
.el .IP "\fIdefang_stylerule($SelectorsIn, \f(CI$StyleRules\fI, \f(CI$lcTag\fI, \f(CI$IsAttr\fI, \f(CI$HtmlR\fI, \f(CI$OutR\fI)\fR" 4
.IX Item "defang_stylerule($SelectorsIn, $StyleRules, $lcTag, $IsAttr, $HtmlR, $OutR)"
Defangs style data.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$SelectorsIn\fI\fR" 4
.el .IP "\fI\f(CI$SelectorsIn\fI\fR" 4
.IX Item "$SelectorsIn"
.PD
An array reference to the selectors in the style tag/attribute contents.
.ie n .IP "\fI\fI$StyleRules\fI\fR" 4
.el .IP "\fI\f(CI$StyleRules\fI\fR" 4
.IX Item "$StyleRules"
An array reference to the declaration blocks in the style tag/attribute contents.
.ie n .IP "\fI\fI$lcTag\fI\fR" 4
.el .IP "\fI\f(CI$lcTag\fI\fR" 4
.IX Item "$lcTag"
Lower case version of the \s-1HTML\s0 tag that is currently being parsed.
.ie n .IP "\fI\fI$IsAttr\fI\fR" 4
.el .IP "\fI\f(CI$IsAttr\fI\fR" 4
.IX Item "$IsAttr"
Whether we are currently parsing a style attribute or style tag. \f(CW$IsAttr\fR will be true if we are currently parsing a style attribute.
.ie n .IP "\fI\fI$HtmlR\fI\fR" 4
.el .IP "\fI\f(CI$HtmlR\fI\fR" 4
.IX Item "$HtmlR"
A scalar reference to the input \s-1HTML.\s0
.ie n .IP "\fI\fI$OutR\fI\fR" 4
.el .IP "\fI\f(CI$OutR\fI\fR" 4
.IX Item "$OutR"
A scalar reference to the processed output so far.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.ie n .IP "\fIdefang_attributes($OutR, \fI$HtmlR\fI, \f(CI$TagOps\fI, \f(CI$OpenAngle\fI, \f(CI$IsEndTag\fI, \f(CI$Tag\fI, \f(CI$TagTrail\fI, \f(CI$Attributes\fI, \f(CI$CloseAngle\fI)\fR" 4
.el .IP "\fIdefang_attributes($OutR, \f(CI$HtmlR\fI, \f(CI$TagOps\fI, \f(CI$OpenAngle\fI, \f(CI$IsEndTag\fI, \f(CI$Tag\fI, \f(CI$TagTrail\fI, \f(CI$Attributes\fI, \f(CI$CloseAngle\fI)\fR" 4
.IX Item "defang_attributes($OutR, $HtmlR, $TagOps, $OpenAngle, $IsEndTag, $Tag, $TagTrail, $Attributes, $CloseAngle)"
Defangs attributes, defangs tags, does tag, attrib, css and url callbacks.
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
For a description of the method parameters, see documentation of \fIdefang_script()\fR method
.RE
.RS 4
.RE
.IP "\fIcleanup_attribute($AttributeString)\fR" 4
.IX Item "cleanup_attribute($AttributeString)"
Helper function to cleanup attributes
.RS 4
.IP "\fBMethod parameters\fR" 4
.IX Item "Method parameters"
.RS 4
.PD 0
.ie n .IP "\fI\fI$AttributeString\fI\fR" 4
.el .IP "\fI\f(CI$AttributeString\fI\fR" 4
.IX Item "$AttributeString"
.PD
The value of the attribute.
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.RE
.RS 4
.RE
.SH "SEE ALSO"
.IX Header "SEE ALSO"
<http://mailtools.anomy.net/>, <http://htmlcleaner.sourceforge.net/>, \fIHTML::StripScripts\fR, \fIHTML::Detoxifier\fR, \fIHTML::Sanitizer\fR, \fIHTML::Scrubber\fR
.SH "AUTHOR"
.IX Header "AUTHOR"
Kurian Jose Aerthail <cpan@kurianja.fastmail.fm>. Thanks to Rob Mueller <cpan@robm.fastmail.fm> for initial code, guidance and support and bug fixes.
.SH "COPYRIGHT AND LICENSE"
.IX Header "COPYRIGHT AND LICENSE"
Copyright (C) 2003\-2010 by Opera Software Australia Pty Ltd
.PP
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.