OWASP Java HTML Sanitizer Project

= Main = 

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP HTML Sanitizer Project
The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations. This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review. A great place to get started using the OWASP Java HTML Sanitizer is here: https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted.

Project Information
The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations. This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review. A great place to get started using the OWASP Java HTML Sanitizer is here: https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted.

Licensing
The OWASP Java Encoder is free to use under the Apache 2 License.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is this?
The OWASP HTML Sanitizer Projects provides:


 * Java based HTML sanitization of untrusted HTML!

Code Repo
OWASP HTML Sanitizer at Google Code

Email List
Project Email List

Project Leader
Project Leader: Mike Samuel Contributors: Jim Manico

Related Projects

 * XSS (Cross Site Scripting) Prevention Cheat Sheet
 * OWASP Java JSON Sanitizer
 * OWASP Java Encoder


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download

 * https://code.google.com/p/owasp-java-html-sanitizer/downloads/detail?name=owasp-java-html-sanitizer-r209.zip

News and Events

 * [Oct 17, 2012] 1.0 Released!

Classifications

 * }

= Creating a HTML Policy =

You can use prepackaged policies here: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html.

PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS); String safeHTML = policy.sanitize(untrustedHTML);

or the tests show how to configure your own policy here: http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java

PolicyFactory policy = new HtmlPolicyBuilder .allowElements("a") .allowUrlProtocols("https") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks .build; String safeHTML = policy.sanitize(untrustedHTML);

or you can write custom policies to do things like changing h1s to divs with a certain class:

PolicyFactory policy = new HtmlPolicyBuilder .allowElements("p") .allowElements(       new ElementPolicy {          public String apply(String elementName, List attrs) {            attrs.add("class");            attrs.add("header-" + elementName);            return "div";          }        }, "h1", "h2", "h3", "h4", "h5", "h6"))    .build; String safeHTML = policy.sanitize(untrustedHTML);

= Questions =


 * How was this project tested?
 * This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.
 * How is this project deployed?
 * This project is best deployed through Maven https://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven

= About =