Sanitize/Rewrite HTML on the Client Side

by

Update 2016: There is now a Google Closure package based on the Caja sanitizer.

It has a cleaner API, was rewritten to take into account APIs available on modern browsers, and interacts better with Closure Compiler.

Shameless plug: see caja/plugin/html-sanitizer.js for a client side html sanitizer that has been thoroughly reviewed.

It is white-listed, not black-listed, but the whitelists are configurable as per CajaWhitelists

If you want to remove all tags, then do the following:

var tagBody = '(?:[^"\'>]|"[^"]*"|\'[^\']*\')*';

var tagOrComment = new RegExp(
    '<(?:'
    // Comment body.
    + '!--(?:(?:-*[^->])*--+|-?)'
    // Special "raw text" elements whose content should be elided.
    + '|script\\b' + tagBody + '>[\\s\\S]*?</script\\s*'
    + '|style\\b' + tagBody + '>[\\s\\S]*?</style\\s*'
    // Regular name
    + '|/?[a-z]'
    + tagBody
    + ')>',
    'gi');
function removeTags(html) {
  var oldHtml;
  do {
    oldHtml = html;
    html = html.replace(tagOrComment, '');
  } while (html !== oldHtml);
  return html.replace(/</g, '&lt;');
}

People will tell you that you can create an element, and assign innerHTML and then get the innerText or textContent, and then escape entities in that. Do not do that. It is vulnerable to XSS injection since <img src=bogus onerror=alert(1337)> will run the onerror handler even if the node is never attached to the DOM.

More Related Contents:

  1. How does Content Security Policy (CSP) work?
  2. Detecting if a browser is using Private Browsing mode
  3. How to prevent html/JavaScript code modification
  4. Safe value must use [property]=binding after bypass security with DomSanitizer
  5. Simple HTML sanitizer in Javascript [closed]
  6. Check if a file exists locally using JavaScript only
  7. Disable drop paste in HTML input fields? [duplicate]
  8. What makes an input vulnerable to XSS?
  9. Embedding youtube video “Refused to display document because display forbidden by X-Frame-Options”
  10. Single event handler for four button clicks
  11. Parse an HTML string with JS
  12. How to get the raw value an field?
  13. Losing scope when using ng-include
  14. How to store arbitrary data for some HTML tags
  15. How can I let a table’s body scroll but keep its head fixed in place?
  16. Find the closest ancestor element that has a specific class
  17. Pass mouse events through absolutely-positioned element
  18. Close Current Tab
  19. Responsive horizontal page sliding
  20. Need to find height of hidden div on page (set to display:none)
  21. How to play a notification sound on websites?
  22. Embed HTML5 YouTube video without iframe?
  23. Manually triggering the iPhone/iPad/iPod keyboard from JavaScript
  24. Javascript show element on click
  25. how to resolve iframe cross domain issue [duplicate]
  26. Putting default value in
  27. What are some good ways to prevent people from copying my source code? [closed]
  28. Uncaught ReferenceError: $ is not defined error in jQuery
  29. Detect failure to load contents of an iframe
  30. How to change button text or link text in JavaScript?

Leave a Comment