sanitize_html 1.3.0

HTML Sanitizer for Dart

When embedding HTML from an untrusted source in a website it is important to sanitize the HTML to prevent injection of untrusted JavaScript (XSS exploits). This package provides a simple function that sanitizes HTML to prevent XSS exploits and to limit interference with other elements on the page.

Disclaimer: This is not an officially supported Google product.

This package uses an HTML5 parser to build up an in-memory DOM tree and filter elements and attributes, in line with the rules GitHub employs when sanitizing GFM (GitHub Flavored Markdown).

This removes all inline JavaScript, CSS, <form>, and other elements that could be used for XSS. The sanitizer is stricter than necessary to guard against XSS alone, because it also attempts to prevent the sanitized HTML from interfering with the page it is injected into.

For example, while it is possible to allow many CSS properties, this sanitizer does not allow any CSS. This creates a sanitizer that is easy to validate. These limitations are usually fine when sanitizing HTML from rendered markdown.

Example

import 'package:sanitize_html/sanitize_html.dart' show sanitizeHtml;

void main() {
  print(sanitizeHtml('<a href="javascript:alert();">evil link</a>'));
  // Prints: <a>evil link</a>
  // Which is a lot less evil :)
}
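An added example (not the package's own code) that extends the one above: it runs the default sanitizer over constructed markup containing a script, an inline event handler, a javascript: URL, inline style and a <form>, then re-runs it with the allowElementId and allowClassName options from v1.1.0 so that an explicit allow-list of ids and class names survives. It assumes both options take a bool Function(String) predicate; the sample input is constructed.

```dart
import 'package:sanitize_html/sanitize_html.dart' show sanitizeHtml;

/// Constructed sample of untrusted markup: harmless text mixed with the
/// things a sanitizer must strip (script, event handler, javascript: URL,
/// inline style, form) plus an id and classes the host page may rely on.
const String untrusted = '''
<p id="intro" class="note evil" style="color:red" onclick="steal()">
  Hello <script>alert(1)</script><b>world</b>
  <a href="javascript:alert(1)">bad link</a>
  <a href="https://example.com/">good link</a>
</p>
<form action="/login"><input name="pw"></form>
''';

/// Allow-list predicates (assumed signature: bool Function(String)).
/// Only ids and class names the host stylesheet actually needs are kept;
/// anything else, such as class "evil", is dropped.
bool isAllowedId(String id) => const {'intro', 'summary'}.contains(id);
bool isAllowedClass(String className) => className.startsWith('note');

/// Default behaviour: script, style, handlers, javascript: URLs and
/// <form> are removed, and every id and class is stripped as well.
String sanitizeStrict(String html) => sanitizeHtml(html);

/// Same protection, but ids and classes matching the allow-list survive
/// so the host page can still style the sanitized fragment.
String sanitizeWithAllowList(String html) => sanitizeHtml(
      html,
      allowElementId: isAllowedId,
      allowClassName: isAllowedClass,
    );

void main() {
  print('--- strict ---');
  print(sanitizeStrict(untrusted));
  print('--- with allow-list ---');
  print(sanitizeWithAllowList(untrusted));
}
```

Compare the two outputs: the dangerous constructs disappear in both, and only the second keeps id="intro" and class="note".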

v1.3.0

  • Only print self-closing tags for void elements. Previously the renderer could emit <strong /> in HTML documents, which HTML5 parsers interpret as an opening tag, breaking the HTML structure.

v1.2.0

  • No longer depends on universal_html; uses custom HTML rendering for the output.
  • Allowed classes are kept even when non-allowed classes are present on the same element.

v1.1.0

  • Add options allowElementId and allowClassName to allow specific element ids and class names.

v1.0.0

  • Initial release.

example/main.dart

// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

import 'package:sanitize_html/sanitize_html.dart' show sanitizeHtml;

void main() {
  print(sanitizeHtml('<a href="javascript:alert();">evil link</a>'));
  // Prints: <a>evil link</a>
}

Use this package as a library

1. Depend on it

Add this to your package's pubspec.yaml file:


dependencies:
  sanitize_html: ^1.3.0

2. Install it

You can install packages from the command line:

with pub:


$ pub get

with Flutter:


$ flutter pub get

Alternatively, your editor might support pub get or flutter pub get. Check the docs for your editor to learn more.

3. Import it

Now in your Dart code, you can use:


import 'package:sanitize_html/sanitize_html.dart';
  
Scores

  Popularity:   54   (how popular the package is relative to other packages)
  Health:       100  (code health derived from static analysis)
  Maintenance:  100  (how tidy and up-to-date the package is)
  Overall:      77   (weighted score of the above)

We analyzed this package on Jul 17, 2019, and provided a score, details, and suggestions below. The analysis completed successfully using:

  • Dart: 2.4.0
  • pana: 0.12.19

Platforms

Detected platforms: Flutter, web, other

No platform restriction found in primary library package:sanitize_html/sanitize_html.dart.

Dependencies

Package                 Constraint          Resolved    Available
Direct dependencies
  Dart SDK              >=2.2.0 <3.0.0
  html                  >=0.13.0 <0.15.0    0.14.0+2
  meta                  ^1.1.7              1.1.7
Transitive dependencies
  charcode                                  1.1.2
  csslib                                    0.16.1
  path                                      1.6.2
  source_span                               1.5.5
  term_glyph                                1.1.0
Dev dependencies
  markdown              ^2.0.2
  pedantic              ^1.4.0
  test                  ^1.5.1
