• Stars
    star
    2,020
  • Rank 22,909 (Top 0.5 %)
  • Language
    HTML
  • License
    MIT License
  • Created almost 16 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Ruby HTML and CSS sanitizer.

Sanitize

Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all HTML and/or CSS from a string except the elements, attributes, and properties you choose to allow.

Using a simple configuration syntax, you can tell Sanitize to allow certain HTML elements, certain attributes within those elements, and even certain URL protocols within attributes that contain URLs. You can also allow specific CSS properties, @ rules, and URL protocols in elements or attributes containing CSS. Any HTML or CSS that you don't explicitly allow will be removed.

Sanitize is based on the Nokogiri HTML5 parser, which parses HTML the same way modern browsers do, and Crass, which parses CSS the same way modern browsers do. As long as your allowlist config only allows safe markup and CSS, even the most malformed or malicious input will be transformed into safe output.

Gem Version Tests

Links

Installation

gem install sanitize

Quick Start

require 'sanitize'

# Clean up an HTML fragment using Sanitize's permissive but safe Relaxed config.
# This also sanitizes any CSS in `<style>` elements or `style` attributes.
Sanitize.fragment(html, Sanitize::Config::RELAXED)

# Clean up an HTML document using the Relaxed config.
Sanitize.document(html, Sanitize::Config::RELAXED)

# Clean up a standalone CSS stylesheet using the Relaxed config.
Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED)

# Clean up some CSS properties using the Relaxed config.
Sanitize::CSS.properties(css, Sanitize::Config::RELAXED)

Usage

Sanitize can sanitize the following types of input:

  • HTML fragments
  • HTML documents
  • CSS stylesheets inside HTML <style> elements
  • CSS properties inside HTML style attributes
  • Standalone CSS stylesheets
  • Standalone CSS properties

Warning

Sanitize cannot fully sanitize the contents of <math> or <svg> elements. MathML and SVG elements are foreign elements that don't follow normal HTML parsing rules.

By default, Sanitize will remove all MathML and SVG elements. If you add MathML or SVG elements to a custom element allowlist, you may create a security vulnerability in your application.

HTML Fragments

A fragment is a snippet of HTML that doesn't contain a root-level <html> element.

If you don't specify any configuration options, Sanitize will use its strictest settings by default, which means it will strip all HTML and leave only safe text behind.

html = '<b><a href="http://foo.com/">foo</a></b><img src="bar.jpg">'
Sanitize.fragment(html)
# => 'foo'

To keep certain elements, add them to the element allowlist.

Sanitize.fragment(html, :elements => ['b'])
# => '<b>foo</b>'

HTML Documents

When sanitizing a document, the <html> element must be allowlisted. You can also set :allow_doctype to true to allow well-formed document type definitions.

html = %[
  <!DOCTYPE html>
  <html>
    <b><a href="http://foo.com/">foo</a></b><img src="bar.jpg">
  </html>
]

Sanitize.document(html,
  :allow_doctype => true,
  :elements      => ['html']
)
# => %[
#      <!DOCTYPE html><html>foo
#
#      </html>
#    ]

CSS in HTML

To sanitize CSS in an HTML fragment or document, first allowlist the <style> element and/or the style attribute. Then allowlist the CSS properties, @ rules, and URL protocols you wish to allow. You can also choose whether to allow CSS comments or browser compatibility hacks.

html = %[
  <style>
    div { color: green; width: 1024px; }
  </style>

  <div style="height: 100px; width: 100px;"></div>
  <p>hello!</p>
]

Sanitize.fragment(html,
  :elements   => ['div', 'style'],
  :attributes => {'div' => ['style']},

  :css => {
    :properties => ['width']
  }
)
#=> %[
#   <style>
#     div {  width: 1024px; }
#   </style>
#
#   <div style=" width: 100px;"></div>
#   hello!
# ]

Standalone CSS

Sanitize will happily clean up a standalone CSS stylesheet or property string without needing to invoke the HTML parser.

css = %[
  @import url(evil.css);

  a { text-decoration: none; }

  a:hover {
    left: expression(alert('xss!'));
    text-decoration: underline;
  }
]

Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED)
# => %[
#
#
#
#   a { text-decoration: none; }
#
#   a:hover {
#
#     text-decoration: underline;
#   }
# ]

Sanitize::CSS.properties(%[
  left: expression(alert('xss!'));
  text-decoration: underline;
], Sanitize::Config::RELAXED)
# => %[
#
#   text-decoration: underline;
# ]

Configuration

In addition to the ultra-safe default settings, Sanitize comes with three other built-in configurations that you can use out of the box or adapt to meet your needs.

Sanitize::Config::RESTRICTED

Allows only very simple inline markup. No links, images, or block elements.

Sanitize.fragment(html, Sanitize::Config::RESTRICTED)
# => '<b>foo</b>'

Sanitize::Config::BASIC

Allows a variety of markup including formatting elements, links, and lists.

Images and tables are not allowed, links are limited to FTP, HTTP, HTTPS, and mailto protocols, and a rel="nofollow" attribute is added to all links to mitigate SEO spam.

Sanitize.fragment(html, Sanitize::Config::BASIC)
# => '<b><a href="http://foo.com/" rel="nofollow">foo</a></b>'

Sanitize::Config::RELAXED

Allows an even wider variety of markup, including images and tables, as well as safe CSS. Links are still limited to FTP, HTTP, HTTPS, and mailto protocols, while images are limited to HTTP and HTTPS. In this mode, rel="nofollow" is not added to links.

Sanitize.fragment(html, Sanitize::Config::RELAXED)
# => '<b><a href="http://foo.com/">foo</a></b><img src="bar.jpg">'

Custom Configuration

If the built-in modes don't meet your needs, you can easily specify a custom configuration:

Sanitize.fragment(html,
  :elements => ['a', 'span'],

  :attributes => {
    'a'    => ['href', 'title'],
    'span' => ['class']
  },

  :protocols => {
    'a' => {'href' => ['http', 'https', 'mailto']}
  }
)

You can also start with one of Sanitize's built-in configurations and then customize it to meet your needs.

The built-in configs are deeply frozen to prevent people from modifying them (either accidentally or maliciously). To customize a built-in config, create a new copy using Sanitize::Config.merge(), like so:

# Create a customized copy of the Basic config, adding <div> and <table> to the
# existing allowlisted elements.
Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
  :elements        => Sanitize::Config::BASIC[:elements] + ['div', 'table'],
  :remove_contents => true
))

The example above adds the <div> and <table> elements to a copy of the existing list of elements in Sanitize::Config::BASIC. If you instead want to completely overwrite the elements array with your own, you can omit the + operation:

# Overwrite :elements instead of creating a copy with new entries.
Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
  :elements        => ['div', 'table'],
  :remove_contents => true
))

Config Settings

:add_attributes (Hash)

Attributes to add to specific elements. If the attribute already exists, it will be replaced with the value specified here. Specify all element names and attributes in lowercase.

:add_attributes => {
  'a' => {'rel' => 'nofollow'}
}

:allow_comments (boolean)

Whether or not to allow HTML comments. Allowing comments is strongly discouraged, since IE allows script execution within conditional comments. The default value is false.

:allow_doctype (boolean)

Whether or not to allow well-formed HTML doctype declarations such as "" when sanitizing a document. This setting is ignored when sanitizing fragments. The default value is false.

:attributes (Hash)

Attributes to allow on specific elements. Specify all element names and attributes in lowercase.

:attributes => {
  'a'          => ['href', 'title'],
  'blockquote' => ['cite'],
  'img'        => ['alt', 'src', 'title']
}

If you'd like to allow certain attributes on all elements, use the symbol :all instead of an element name.

# Allow the class attribute on all elements.
:attributes => {
  :all => ['class'],
  'a'  => ['href', 'title']
}

To allow arbitrary HTML5 data-* attributes, use the symbol :data in place of an attribute name.

# Allow arbitrary HTML5 data-* attributes on <div> elements.
:attributes => {
  'div' => [:data]
}

:css (Hash)

Hash of the following CSS config settings to be used when sanitizing CSS (either standalone or embedded in HTML).

:css => :allow_comments (boolean)

Whether or not to allow CSS comments. The default value is false.

:css => :allow_hacks (boolean)

Whether or not to allow browser compatibility hacks such as the IE * and _ hacks. These are generally harmless, but technically result in invalid CSS. The default is false.

:css => :at_rules (Array or Set)

Names of CSS at-rules to allow that may not have associated blocks, such as import or charset. Names should be specified in lowercase.

:css => :at_rules_with_properties (Array or Set)

Names of CSS at-rules to allow that may have associated blocks containing CSS properties. At-rules like font-face and page fall into this category. Names should be specified in lowercase.

:css => :at_rules_with_styles (Array or Set)

Names of CSS at-rules to allow that may have associated blocks containing style rules. At-rules like media and keyframes fall into this category. Names should be specified in lowercase.

:css => :import_url_validator

This is a Proc (or other callable object) that will be called and passed the URL specified for any @import at-rules.

You can use this to limit what can be imported, for example something like the following to limit @import to Google Fonts URLs:

Proc.new { |url| url.start_with?("https://fonts.googleapis.com") }
:css => :properties (Array or Set)

List of CSS property names to allow. Names should be specified in lowercase.

:css => :protocols (Array or Set)

URL protocols to allow in CSS URLs. Should be specified in lowercase.

If you'd like to allow the use of relative URLs which don't have a protocol, include the symbol :relative in the protocol array.

:elements (Array or Set)

Array of HTML element names to allow. Specify all names in lowercase. Any elements not in this array will be removed.

:elements => %w[
  a abbr b blockquote br cite code dd dfn dl dt em i kbd li mark ol p pre
  q s samp small strike strong sub sup time u ul var
]

Warning

Sanitize cannot fully sanitize the contents of <math> or <svg> elements. MathML and SVG elements are foreign elements that don't follow normal HTML parsing rules.

By default, Sanitize will remove all MathML and SVG elements. If you add MathML or SVG elements to a custom element allowlist, you must assume that any content inside them will be allowed, even if that content would otherwise be removed or escaped by Sanitize. This may create a security vulnerability in your application.

Note

Sanitize always removes <noscript> elements and their contents, even if noscript is in the allowlist.

This is because a <noscript> element's content is parsed differently in browsers depending on whether or not scripting is enabled. Since Nokogiri doesn't support scripting, it always parses <noscript> elements as if scripting is disabled. This results in edge cases where it's not possible to reliably sanitize the contents of a <noscript> element because Nokogiri can't fully replicate the parsing behavior of a scripting-enabled browser.

:parser_options (Hash)

Parsing options to be supplied to nokogumbo.

:parser_options => {
  max_errors: -1,
  max_tree_depth: -1
}

:protocols (Hash)

URL protocols to allow in specific attributes. If an attribute is listed here and contains a protocol other than those specified (or if it contains no protocol at all), it will be removed.

:protocols => {
  'a'   => {'href' => ['ftp', 'http', 'https', 'mailto']},
  'img' => {'src'  => ['http', 'https']}
}

If you'd like to allow the use of relative URLs which don't have a protocol, include the symbol :relative in the protocol array:

:protocols => {
  'a' => {'href' => ['http', 'https', :relative]}
}

:remove_contents (boolean or Array or Set)

If this is true, Sanitize will remove the contents of any non-allowlisted elements in addition to the elements themselves. By default, Sanitize leaves the safe parts of an element's contents behind when the element is removed.

If this is an Array or Set of element names, then only the contents of the specified elements (when filtered) will be removed, and the contents of all other filtered elements will be left behind.

The default value is %w[iframe math noembed noframes noscript plaintext script style svg xmp].

:transformers (Array or callable)

Custom HTML transformer or array of custom transformers. See the Transformers section below for details.

:whitespace_elements (Hash)

Hash of element names which, when removed, should have their contents surrounded by whitespace to preserve readability.

Each element name is a key pointing to another Hash, which provides the specific whitespace that should be inserted :before and :after the removed element's position. The :after value will only be inserted if the removed element has children, in which case it will be inserted after those children.

:whitespace_elements => {
  'br'  => { :before => "\n", :after => "" },
  'div' => { :before => "\n", :after => "\n" },
  'p'   => { :before => "\n", :after => "\n" }
}

The default elements with whitespace added before and after are:

address article aside blockquote br dd div dl dt
footer h1 h2 h3 h4 h5 h6 header hgroup hr li nav
ol p pre section ul

Transformers

Transformers allow you to filter and modify HTML nodes using your own custom logic, on top of (or instead of) Sanitize's core filter. A transformer is any object that responds to call() (such as a lambda or proc).

To use one or more transformers, pass them to the :transformers config setting. You may pass a single transformer or an array of transformers.

Sanitize.fragment(html, :transformers => [
  transformer_one,
  transformer_two
])

Input

Each transformer's call() method will be called once for each node in the HTML (including elements, text nodes, comments, etc.), and will receive as an argument a Hash that contains the following items:

  • :config - The current Sanitize configuration Hash.

  • :is_allowlisted - true if the current node has been allowlisted by a previous transformer, false otherwise. It's generally bad form to remove a node that a previous transformer has allowlisted.

  • :node - A Nokogiri::XML::Node object representing an HTML node. The node may be an element, a text node, a comment, a CDATA node, or a document fragment. Use Nokogiri's inspection methods (element?, text?, etc.) to selectively ignore node types you aren't interested in.

  • :node_allowlist - Set of Nokogiri::XML::Node objects in the current document that have been allowlisted by previous transformers, if any. It's generally bad form to remove a node that a previous transformer has allowlisted.

  • :node_name - The name of the current HTML node, always lowercase (e.g. "div" or "span"). For non-element nodes, the name will be something like "text", "comment", "#cdata-section", "#document-fragment", etc.

Output

A transformer doesn't have to return anything, but may optionally return a Hash, which may contain the following items:

  • :node_allowlist - Array or Set of specific Nokogiri::XML::Node objects to add to the document's allowlist, bypassing the current Sanitize config. These specific nodes and all their attributes will be allowlisted, but their children will not be.

If a transformer returns anything other than a Hash, the return value will be ignored.

Processing

Each transformer has full access to the Nokogiri::XML::Node that's passed into it and to the rest of the document via the node's document() method. Any changes made to the current node or to the document will be reflected instantly in the document and passed on to subsequently called transformers and to Sanitize itself. A transformer may even call Sanitize internally to perform custom sanitization if needed.

Nodes are passed into transformers in the order in which they're traversed. Sanitize performs top-down traversal, meaning that nodes are traversed in the same order you'd read them in the HTML, starting at the top node, then its first child, and so on.

html = %[
  <header>
    <span>
      <strong>foo</strong>
    </span>
    <p>bar</p>
  </header>

  <footer></footer>
]

transformer = lambda do |env|
  puts env[:node_name] if env[:node].element?
end

# Prints "header", "span", "strong", "p", "footer".
Sanitize.fragment(html, :transformers => transformer)

Transformers have a tremendous amount of power, including the power to completely bypass Sanitize's built-in filtering. Be careful! Your safety is in your own hands.

Example: Transformer to allow image URLs by domain

The following example demonstrates how to remove image elements unless they use a relative URL or are hosted on a specific domain. It assumes that the <img> element and its src attribute are already allowlisted.

require 'uri'

image_allowlist_transformer = lambda do |env|
  # Ignore everything except <img> elements.
  return unless env[:node_name] == 'img'

  node      = env[:node]
  image_uri = URI.parse(node['src'])

  # Only allow relative URLs or URLs with the example.com domain. The
  # image_uri.host.nil? check ensures that protocol-relative URLs like
  # "//evil.com/foo.jpg".
  unless image_uri.host == 'example.com' || (image_uri.host.nil? && image_uri.relative?)
    node.unlink # `Nokogiri::XML::Node#unlink` removes a node from the document
  end
end

Example: Transformer to allow YouTube video embeds

The following example demonstrates how to create a transformer that will safely allow valid YouTube video embeds without having to allow other kinds of embedded content, which would be the case if you tried to do this by just allowing all <iframe> elements:

youtube_transformer = lambda do |env|
  node      = env[:node]
  node_name = env[:node_name]

  # Don't continue if this node is already allowlisted or is not an element.
  return if env[:is_allowlisted] || !node.element?

  # Don't continue unless the node is an iframe.
  return unless node_name == 'iframe'

  # Verify that the video URL is actually a valid YouTube video URL.
  return unless node['src'] =~ %r|\A(?:https?:)?//(?:www\.)?youtube(?:-nocookie)?\.com/|

  # We're now certain that this is a YouTube embed, but we still need to run
  # it through a special Sanitize step to ensure that no unwanted elements or
  # attributes that don't belong in a YouTube embed can sneak in.
  Sanitize.node!(node, {
    :elements => %w[iframe],

    :attributes => {
      'iframe'  => %w[allowfullscreen frameborder height src width]
    }
  })

  # Now that we're sure that this is a valid YouTube embed and that there are
  # no unwanted elements or attributes hidden inside it, we can tell Sanitize
  # to allowlist the current node.
  {:node_allowlist => [node]}
end

html = %[
<iframe width="420" height="315" src="//www.youtube.com/embed/dQw4w9WgXcQ"
    frameborder="0" allowfullscreen></iframe>
]

Sanitize.fragment(html, :transformers => youtube_transformer)
# => '<iframe width="420" height="315" src="//www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allowfullscreen=""></iframe>'

More Repositories

1

rawgit

Served files from raw.githubusercontent.com, but with the correct content types. No longer actively developed.
JavaScript
2,390
star
2

lazyload

💀 An ancient tiny JS and CSS loader from the days before everyone had written one. Unmaintained.
JavaScript
1,391
star
3

larch

💀 Larch copies messages from one IMAP server to another. No longer maintained.
Ruby
616
star
4

jsmin-php

💀 PHP port of Douglas Crockford's JSMin JavaScript minifier. No longer maintained.
PHP
423
star
5

parse-xml

A fast, safe, compliant XML parser for Node.js and browsers.
JavaScript
259
star
6

crass

A Ruby CSS parser that's fully compliant with the CSS Syntax Level 3 specification.
Ruby
139
star
7

combohandler

A simple Yahoo!-style combo handler in Node.js.
JavaScript
116
star
8

node-elastical

💀 Elastical has moved to https://github.com/ramv/node-elastical and this repo is no longer maintained. Please update your bookmarks!
JavaScript
101
star
9

thoth

💀 An unmaintained and probably broken Ruby blog engine.
Ruby
67
star
10

emergencykitten

Sometimes you just need a kitten.
JavaScript
66
star
11

jsmin

💀 Ruby library for minifying JavaScript. Based on Douglas Crockford's jsmin.c. Unmaintained.
JavaScript
51
star
12

textual-sulaco

Sulaco, a style for the Textual IRC client
HTML
44
star
13

synchrotron

Watches a local directory and syncs files to another directory or a remote destination using rsync whenever changes occur.
JavaScript
40
star
14

cssmin

💀 Ruby library for minifying CSS. Unmaintained.
Ruby
38
star
15

selleck

💀 Now maintained at https://github.com/yui/selleck
JavaScript
38
star
16

storage-lite

💀 Lightweight YUI 3 API for persistent cross-browser key/value storage similar to the HTML5 localStorage API. Unmaintained.
JavaScript
29
star
17

pie.gd

Config files, scripts, and documentation for the pie.gd Mastodon instance.
Dockerfile
23
star
18

lectroid

💀 A really boring blog engine. Unmaintained.
JavaScript
17
star
19

cachetest

💀 A Sinatra app for testing browser cache characteristics. Unmaintained.
Ruby
16
star
20

trogdor

💀 A fast, simple search-as-you-type implementation in JavaScript using the Yahoo! Search BOSS API. Unmaintained.
JavaScript
16
star
21

jslib-stats

💀 Node.js-based crawler that gathers JavaScript library usage stats by executing and inspecting JS. Unmaintained.
JavaScript
12
star
22

vim-yui3

💀 Vim syntax for YUI3. Unmaintained.
JavaScript
11
star
23

yuitweets

💀 A Bayesian tweet classifier that can learn the difference between tweets about the YUI Library and tweets about J-pop idols named Yui. Unmaintained.
Ruby
10
star
24

node-tokeninput

💀 YUI 3 Node plugin that turns a text input field into a tokenized input field similar to Cocoa's NSTokenField control. Unmaintained.
JavaScript
6
star
25

javascript-yui3.tmbundle

💀 TextMate bundle for YUI 3. Unmaintained.
JavaScript
6
star
26

denyssh

💀 Blocks SSH brute force attacks using PF. Unmaintained.
Ruby
5
star
27

tweetslurp

💀 Backs up tweets to a JSON file. Unmaintained.
JavaScript
4
star
28

jshint

💀 The Kinder, Gentler JavaScript Code Quality Tool
JavaScript
3
star
29

crackup

💀 Crappy remote backup. Unmaintained.
Ruby
3
star
30

sanitize-web

A super simple web interface to Sanitize, mostly for testing purposes.
HTML
3
star
31

sandbox

💀 YUI 3 module that simplifies the process of creating isolated iframe sandboxes in which to evaluate JavaScript code for tasks like profiling or unit testing. Unmaintained.
JavaScript
2
star
32

jetpants

💀
JavaScript
2
star
33

weld

💀 Combines and minifies CSS and JavaScript files at runtime and build time. Unmaintained.
Ruby
2
star
34

sniffle

💀 CLI app that learns and identifies user agent strings using a Redis-backed naive Bayes classifier. Just a silly experiment. Unmaintained.
JavaScript
2
star
35

denyspam

💀 Monitors a mail server log file and uses a firewall to temporarily block or redirect incoming packets from hosts that display spammer-like behavior. Unmaintained.
1
star
36

parse-xml-benchmark

Benchmarks for @rgrove/parse-xml
JavaScript
1
star