NAME
HTMLDocument::WhiteList - Elements to allow in String->HTML conversion
SYNOPSIS
    HTMLDocument::WhiteList
        = UltraSafe()
        | InlineOnly(HTMLDocument::ConversionSafety sa)
        | AllElements(HTMLDocument::ConversionSafety sb)
        | Unchecked()
        | CustomWhitelist(Dict::Dict<String,[String]> whitelist)
DESCRIPTION
When converting a String to HTML (rather than adding the String to an
existing element as text, where it is escaped), the set of elements allowed
in the conversion should depend on how trustworthy the String is. Any
unauthenticated user-supplied data should be treated with extreme caution,
and even authenticated user-supplied data should be treated with some caution
in case the authentication has been broken.
String to HTML conversion exposes your application to cross-site scripting
attacks, especially when the list of allowed elements is generous. The
available whitelists are:
    UltraSafe - removes all tags and attributes, keeping only the text.
    This differs from adding the string directly as text, which escapes the
    tags rather than removing them. This conversion method is immune to
    cross-site scripting.

    InlineOnly - allows only inline elements.

    AllElements - allows inline and block elements.

    Unchecked - allows all tags and attributes. Use this only on completely
    trusted data, as it allows trivial cross-site scripting attacks if an
    attacker can control the String being converted.

    CustomWhitelist - create your own whitelist of elements. The whitelist
    is a Dict(3kaya) with the allowed elements as the keys and the list of
    allowed attributes for each element as the value. The string "*"
    matches any element when used as a key, or any attribute when used as
    an item in the value list. Either use of "*" is a bad idea for anything
    other than completely trusted data; "*" as an attribute is particularly
    dangerous because it admits event-handler attributes (onclick, onerror
    and so on), which carry script directly.
For the InlineOnly and AllElements options, you also need to select a
HTMLDocument.ConversionSafety (3kaya).
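To make the behaviour of the whitelist shapes concrete, here is an added
example in Python that is not part of the Kaya standard library: a small
sanitiser driven by a dict in the same shape as CustomWhitelist (element name
to list of allowed attributes, with "*" as a wildcard on either side). The
empty dict behaves like UltraSafe and {"*": ["*"]} like Unchecked; the
INLINE_ONLY set of elements, the constructed ATTACK input and the extra
rejection of script-bearing URL schemes in href/src are this example's own
assumptions, not something the Kaya documentation specifies.

```python
"""Whitelist-driven HTML sanitiser (illustrative, not Kaya's HTMLDocument).

The whitelist is a dict shaped like the CustomWhitelist Dict described on the
page: element name -> list of allowed attribute names, "*" matching any
element (as a key) or any attribute (as a value item).
"""
from html import escape
from html.parser import HTMLParser

# Assumed whitelists mirroring the page's variants (the inline set is a guess).
ULTRA_SAFE = {}                                  # no elements: tags stripped, text kept
INLINE_ONLY = {"b": [], "i": [], "em": [], "strong": [], "a": ["href"]}
UNCHECKED = {"*": ["*"]}                         # everything: trivially XSS-able

# Assumption beyond the page: URL attributes may only use non-script schemes,
# so href="javascript:..." is dropped even when href itself is allowed.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class WhitelistSanitizer(HTMLParser):
    def __init__(self, whitelist):
        super().__init__(convert_charrefs=True)
        self.whitelist = whitelist
        self.out = []
        self.open_tags = []

    def _allowed_attrs(self, tag):
        # Exact element entry wins; otherwise fall back to "*"; None = not allowed.
        if tag in self.whitelist:
            return self.whitelist[tag]
        return self.whitelist.get("*")

    def handle_starttag(self, tag, attrs):
        allowed = self._allowed_attrs(tag)
        if allowed is None:
            return                               # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if "*" not in allowed and name not in allowed:
                continue                         # attribute not whitelisted for this element
            if name in ("href", "src"):
                url = (value or "").strip().lower()
                if not url.startswith(SAFE_URL_PREFIXES):
                    continue                     # reject javascript:, data:, vbscript: etc.
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                               # end tag of a dropped element: ignore
        while self.open_tags:                    # close back to the matching open tag
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is always escaped.
        self.out.append(escape(data))

    def result(self):
        while self.open_tags:                    # close anything left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html, whitelist):
    """Return html filtered down to the given element/attribute whitelist."""
    p = WhitelistSanitizer(whitelist)
    p.feed(html)
    p.close()
    return p.result()


# Constructed attacker-controlled input exercising the classic XSS vectors.
ATTACK = ('<b onclick="alert(1)">hi</b>'
          '<a href="javascript:alert(1)">x</a>'
          '<script>alert(2)</script>&amp; <i>ok</i>')

if __name__ == "__main__":
    for name, wl in (("UltraSafe", ULTRA_SAFE), ("InlineOnly", INLINE_ONLY),
                     ("Unchecked", UNCHECKED)):
        print(f"{name:11s} {sanitize(ATTACK, wl)}")
```

With UNCHECKED the onclick handler survives, which is exactly the trivial
cross-site scripting the Unchecked description warns about; with the
inline-only whitelist the same input comes out as plain formatting with the
script text inert.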
AUTHORS
Kaya standard library by Edwin Brady, Chris Morris and others
(kaya@kayalang.org). For further information see
http://kayalang.org/
LICENSE
The Kaya standard library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public License (version
2.1 or any later version) as published by the Free Software Foundation.
SEE ALSO
HTMLDocument.ConversionSafety (3kaya)
HTMLDocument.readFromString (3kaya)