sanitizeHtml function
Sanitize htmlString
to prevent XSS exploits and limit interference with
other markup on the page.
This function uses the HTML5 parser to build-up an in-memory DOM tree and filter elements and attributes, in-line with rules employed by Github when sanitizing GFM (Github Flavored Markdown).
This removes all inline Javascript, CSS, <form>
, and other elements that
could be used for XSS. This sanitizer is more strict than necessary to
guard against XSS as this sanitizer also attempts to prevent the sanitized
HTML from interfering with the page it is injected into.
For example, while it is possible to allow many CSS properties, this
sanitizer does not allow any CSS. This creates a sanitizer that is easy to
validate and is usually fine when sanitizing HTML from rendered markdown.
The allowElementId
and allowClassName
options can be used to allow
specific element ids and class names through, otherwise id
and class
attributes will be removed.
Example
import 'package:sanitize_html/sanitize_html.dart' show sanitizeHtml;
void main() {
print(sanitizeHtml('<a href="javascript:alert();">evil link</a>'));
// Prints: <a>evil link</a>
// Which is a lot less evil :)
}
It is furthermore possible to use the addLinkRel
to attach a rel="..."
property to links (<a href="..."
). When hosting user-generated content it
can be useful to qualify outbound links with rel="ugc"
, as this lets
search engines know that the content is user-generated.
Example
import 'package:sanitize_html/sanitize_html.dart' show sanitizeHtml;
void main() {
print(sanitizeHtml(
'<a href="https://spam.com/free-stuff">free stuff</a>',
addLinkRel: (href) => ['ugc', 'nofollow'],
));
// Prints: <a href="https://spam.com/free-stuff" rel="ugc nofollow">free stuff</a>
// Might mitigate negative impact of hosting spam links with search engines.
}
For more information on why to qualify outbound links, see also Ways to Prevent Comment Spam.
Implementation
String sanitizeHtml(
String htmlString, {
bool Function(String)? allowElementId,
bool Function(String)? allowClassName,
Iterable<String>? Function(String)? addLinkRel,
}) {
return SaneHtmlValidator(
allowElementId: allowElementId,
allowClassName: allowClassName,
addLinkRel: addLinkRel,
).sanitize(htmlString);
}