Questions tagged [sanitize]

Whitelist-based Ruby HTML and CSS sanitizer.

Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of acceptable elements, attributes, and CSS properties, Sanitize will remove all unacceptable HTML and/or CSS from a string.

Using a simple configuration syntax, you can tell Sanitize to allow certain HTML elements, certain attributes within those elements, and even certain URL protocols within attributes that contain URLs. You can also whitelist CSS properties, @ rules, and URL protocols you wish to allow in elements or attributes containing CSS. Any HTML or CSS that you don't explicitly allow will be removed.

Sanitize is based on Google's Gumbo HTML5 parser, which parses HTML exactly the same way modern browsers do, and Crass, which parses CSS exactly the same way modern browsers do. As long as your whitelist config only allows safe markup and CSS, even the most malformed or malicious input will be transformed into safe output. That condition is the whole guarantee: a config that allows href with every URL protocol, a style attribute with unrestricted properties, or elements such as iframe or script is a config that allows script execution, however correct the parser.
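The configuration model described above, as an added example that is not the Sanitize gem's code: a policy hash in the same shape the wiki describes (allowed elements, allowed attributes per element with an :all key, allowed URL protocols per attribute, elements whose contents are removed) applied by a small whitelist filter. POLICY, TOKEN_RE, ATTR_RE, url_allowed?, clean_attrs and sanitize_fragment are this example's own names. The tokenizer is a deliberately small stand-in for Gumbo (no tree construction, no '>' inside quoted attribute values); what it shows is the order of checks, element first, then attribute, then the decoded URL protocol, and why decoding happens before the protocol check. For real input use the gem, whose browser-equivalent parsing is what makes the wiki's guarantee hold.

```ruby
require 'cgi'

# Added example, not the Sanitize gem's code. The policy hash has the shape
# the tag wiki describes; the tokenizer only exists so the policy stages can
# be watched working on hostile input.
POLICY = {
  elements:        %w[a b br em i p strong],
  attributes:      { 'a' => %w[href title], :all => %w[title] },
  protocols:       { 'a' => { 'href' => %w[http https mailto relative] } },
  remove_contents: %w[script style],   # drop the element *and* its text
  void:            %w[br]              # never emit a close tag for these
}.freeze

# One token per match: a comment (dropped), a start/end tag with its raw
# attribute text, or a run of text. A '<' that starts no tag is plain text.
# Limitation of this stand-in: a '>' inside a quoted attribute ends the tag.
TOKEN_RE = %r{<!--.*?-->|<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>|([^<]+|<)}m
# attribute name, then optional ="double" | ='single' | bare value
ATTR_RE  = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/

# Protocol check on the already-decoded value: embedded whitespace and
# control characters are stripped first, so "java\tscript:" (written as
# "&#106;ava&#9;script:" in the markup) is still recognised as javascript:.
# A value with no scheme counts as relative, which also covers "//host/...".
def url_allowed?(decoded, allowed)
  v = decoded.gsub(/[\x00-\x20\x7F]/, '').downcase
  scheme = v[/\A([a-z][a-z0-9+.\-]*):/, 1]
  scheme ? allowed.include?(scheme) : allowed.include?('relative')
end

# Keep only whitelisted attributes; for URL attributes also enforce the
# protocol list. Values are entity-decoded once and re-escaped on output.
def clean_attrs(tag, blob, policy)
  allowed = Array(policy[:attributes][tag]) | Array(policy[:attributes][:all])
  blob.scan(ATTR_RE).filter_map do |name, dq, sq, bare|
    name = name.downcase
    next unless allowed.include?(name)
    value = CGI.unescapeHTML(dq || sq || bare || '')
    protos = policy.dig(:protocols, tag, name)
    next if protos && !url_allowed?(value, protos)
    %(#{name}="#{CGI.escapeHTML(value)}")
  end
end

def sanitize_fragment(html, policy = POLICY)
  out   = +''
  stack = []      # open whitelisted elements, so every tag we emit gets closed
  skip  = nil     # set while inside a remove_contents element
  html.scan(TOKEN_RE) do |slash, name, blob, text|
    if text
      out << CGI.escapeHTML(CGI.unescapeHTML(text)) unless skip  # normalise entities
      next
    end
    next unless name                      # comment token
    name = name.downcase
    if skip
      skip = nil if slash == '/' && name == skip
      next
    end
    if slash == '/'
      next unless stack.include?(name)    # stray close tag: drop it
      loop do                             # close anything still open inside it
        closed = stack.pop
        out << "</#{closed}>"
        break if closed == name
      end
    elsif policy[:remove_contents].include?(name)
      skip = name
    elsif policy[:elements].include?(name)
      attrs = clean_attrs(name, blob, policy).map { |a| " #{a}" }.join
      out << "<#{name}#{attrs}>"
      stack << name unless policy[:void].include?(name)
    end
    # any other tag is dropped; its text content is kept (handled above)
  end
  stack.reverse_each { |n| out << "</#{n}>" }   # close what the input left open
  out
end

if __FILE__ == $PROGRAM_NAME
  hostile = '<p onclick="steal()">Hi <a href="&#106;ava&#9;script:alert(1)" ' \
            'title="t">x</a><script>evil()</script><img src=x onerror=alert(1)>' \
            '<b>unclosed <i>nested'
  puts sanitize_fragment(hostile)
  # => <p>Hi <a title="t">x</a><b>unclosed <i>nested</i></b></p>
end
```

Two design points carry over to the real gem's config: a disallowed protocol removes the attribute, not the element, so the link text survives; and 'relative' admits protocol-relative "//host/..." URLs, so leave it out of the list if those are unwelcome.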

411 questions
428 votes, 27 answers

Turn a string into a valid filename?

I have a string that I want to use as a filename, so I want to remove all characters that wouldn't be allowed in filenames, using Python. I'd rather be strict than otherwise, so let's say I want to retain only letters, digits, and a small set of…
Sophie Gage
  • 5,391
  • 5
  • 24
  • 25
218 votes, 17 answers

Catch paste input

I'm looking for a way to sanitize input that I paste into the browser, is this possible to do with jQuery? I've managed to come up with this so far: $(this).live(pasteEventName, function(e) { // this is where i would like to sanitize my input …
Christoffer Winterkvist
  • 3,074
  • 2
  • 19
  • 14
210 votes, 14 answers

C# Sanitize File Name

I recently have been moving a bunch of MP3s from various locations into a repository. I had been constructing the new file names using the ID3 tags (thanks, TagLib-Sharp!), and I noticed that I was getting a System.NotSupportedException: "The…
Jason Sundram
  • 12,225
  • 19
  • 71
  • 86
93 votes, 4 answers

What's up with these Unicode combining characters and how can we filter them?

กิิิิิิิิิิิิิิิิิิิิ ก้้้้้้้้้้้้้้้้้้้้ ก็็็็็็็็็็็็็็็็็็็็ ก็็็็็็็็็็็็็็็็็็็็ กิิิิิิิิิิิิิิิิิิิิ ก้้้้้้้้้้้้้้้้้้้้ ก็็็็็็็็็็็็็็็็็็็็ กิิิิิิิิิิิิิิิิิิิิ ก้้้้้้้้้้้้้้้้้้้้ กิิิิิิิิิิิิิิิิิิิิ ก้้้้้้้้้้้้้้้้้้้้…
XCS
  • 27,244
  • 26
  • 101
  • 151
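The three filename questions above (the Python one, the C# one, and the Unicode combining-character one) share one answer: normalise first, then keep an allow-list of characters rather than trying to enumerate bad ones. The following is an added Ruby example, written in this tag's language and not taken from any of the questions; RESERVED_STEMS and safe_filename are its own names, and the 64-character limit and the fallback name are assumptions:

```ruby
# Added example: allow-list filename sanitiser. Not code from the questions.

# Windows device names are reserved whatever the extension ("con.txt" too).
RESERVED_STEMS = (%w[CON PRN AUX NUL] +
                  (1..9).flat_map { |i| ["COM#{i}", "LPT#{i}"] }).freeze

def safe_filename(name, max: 64, fallback: 'file')
  s = name.to_s.unicode_normalize(:nfkd)   # split accents off their base letters
  s = s.gsub(/\p{M}+/, '')                 # drop combining marks (the stacked-Thai case)
  s = s.gsub(/[^A-Za-z0-9._-]+/, '_')      # allow-list: any other run, '/', '\', NUL, spaces, becomes one '_'
  s = s[0, max]                            # bound the length before trimming the ends
  s = s.gsub(/\A[._]+|[._]+\z/, '')        # no leading dot ("..", ".", hidden files), no trailing dot/underscore
  s = "_#{s}" if RESERVED_STEMS.include?(s.split('.').first.to_s.upcase)
  s.empty? ? fallback : s
end

if __FILE__ == $PROGRAM_NAME
  ['../../etc/passwd', 'résumé.docx', "\u0E01\u0E34\u0E34\u0E34 report.pdf",
   'con.txt', '   ', ".bashrc", "file\u0000name.txt"].each do |n|
    puts "#{n.inspect} -> #{safe_filename(n).inspect}"
  end
end
```

The order matters: normalising after the allow-list would let a compatibility character survive the filter and then decompose into something the filter never saw, and trimming leading dots before truncation would let truncation reintroduce a trailing dot.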
58 votes, 5 answers

Safely sandbox and execute user submitted JavaScript?

I would like to have the ability to let users submit arbitrary JavaScript code, which is then sent to a Node.JS server and safely executed before the output is sent back to multiple clients (as JSON). The eval function comes to mind, but I know this…
Cory Gross
  • 36,833
  • 17
  • 68
  • 80
51 votes, 5 answers

How to sanitize user input in PHP before mailing?

I have a simple PHP mailer script that takes values from a form submitted via POST and mails them to me:
Matt Hampel
  • 5,088
  • 12
  • 52
  • 78
33 votes, 3 answers

Using sanitize within a Rails controller

I'm trying to call sanitize within a controller. Here's what I tried: class FooController < ApplicationController include ActionView::Helpers::SanitizeHelper # ... end However, I'm getting this error: undefined method `white_list_sanitizer' for…
pmc255
  • 1,499
  • 2
  • 19
  • 31
32 votes, 1 answer

Sanitize user input in bash for security purposes

How do I sanitise user input in a bash script so that I can then pass it as an argument to another shell program? I want to prevent the following: INPUT="filename;rm -rf /" ls $INPUT I was thinking it should be enough to surround the user input in…
johnf
  • 380
  • 1
  • 4
  • 10
30 votes, 2 answers

HTML Agility Pack strip tags NOT IN whitelist

I'm trying to create a function which removes html tags and attributes which are not in a white list. I have the following HTML: first text second text here some text here some text here some twxt…
Dragos Durlut
  • 8,018
  • 10
  • 47
  • 62
28 votes, 1 answer

Sanitize input in Angular2

I am trying to get third-party (potentially unsafe) html content from my database and insert it into my html document. How do I safely do that (Protection against XSS) ? In Angular1.x there used to be $sce to sanitize input, how do I do that in…
the_critic
  • 12,720
  • 19
  • 67
  • 115
25 votes, 6 answers

When to filter/sanitize data: before database insertion or before display?

As I prepare to tackle the issue of input data filtering and sanitization, I'm curious whether there's a best (or most used) practice? Is it better to filter/sanitize the data (of HTML, JavaScript, etc.) before inserting the data into the database,…
Justin Stayton
  • 6,031
  • 8
  • 37
  • 43
21 votes, 5 answers

WordPress - How to sanitize multi-line text from a textarea without losing line breaks?

If I sanitize and save some meta text (called 'message') entered by the user like this... update_post_meta($post_id, 'message', sanitize_text_field($_POST['message'])); ...and then retrieve and attempt to re-display the text like this... echo…
ban-geoengineering
  • 18,324
  • 27
  • 171
  • 253
19 votes, 1 answer

Ruby on Rails: difference between .html_safe and sanitize()

I have two pieces of code in my view: <%= sanitize(' winter ') %> <%= ' winter '.html_safe %> And they both seem to result in encoding html tags in a string provided. What is the difference between them and when should I use either?
Evgenia Karunus
  • 10,715
  • 5
  • 56
  • 70
18 votes, 1 answer

Rails 5.0.0.beta1 - Generating an URL from non sanitized request parameters is insecure

We are upgrading from Rails 4.2.5 to 5.0.0.beta1 When testing we expected to see index views rendered with paginated links as before. But we now get an ArgumentError error page, for example: ArgumentError in Transactions#index…
KeithP
  • 1,803
  • 1
  • 16
  • 23
17 votes, 1 answer

Best way to sanitize exec command with user inserted variables

I'm coding a web interface to a horrible piece of proprietary software our company uses. The software has no real UI and requires us giving PuTTY access to our system for our clients to even pull data. My web interface has to run an exec();…
The Digital Ninja
  • 1,090
  • 6
  • 22
  • 36
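The bash question and the PHP exec() question above are the same problem: input that reaches a shell as part of a command-line string. The fix is not a character filter but never letting the shell parse the input, or escaping it so the shell sees one word (in bash, `ls -- "$INPUT"`; in PHP, escapeshellarg()). Note that in bash an unquoted $INPUT expansion is not re-parsed for ';', so the question's example mainly risks word splitting, globbing and option injection; the command-separator hazard it fears is exactly what happens when a program hands a built string to a shell, as the unsafe function below does. This is an added Ruby example in this tag's language, not code from either question; HOSTILE and ECHO_ARGS are constructed, the child process is ruby itself because it is always present, and the function names are this example's own:

```ruby
require 'open3'
require 'rbconfig'
require 'shellwords'

# Added example, not from the questions. The child prints how many arguments
# it received and what they were, which shows whether the shell split or
# interpreted the input.
HOSTILE   = 'filename;echo PWNED'   # same shape as the question's "filename;rm -rf /"
ECHO_ARGS = 'print ARGV.length, ":", ARGV.join("|")'

# UNSAFE: one interpolated string goes to /bin/sh -c, so ';' ends the command
# and whatever follows runs as a second command (only a harmless echo here).
def unsafe_run(input)
  out, _status = Open3.capture2("#{RbConfig.ruby} -e '#{ECHO_ARGS}' #{input}")
  out
end

# SAFE 1: argument-vector form. No shell is involved; each array element
# becomes exactly one argv entry, whatever characters it contains.
def argv_run(input)
  out, status = Open3.capture2(RbConfig.ruby, '-e', ECHO_ARGS, input)
  status.success? ? out : nil
end

# SAFE 2: when a single command-line string is unavoidable (a remote ssh
# command, a legacy exec() wrapper), build it from Shellwords-escaped words
# so the shell reassembles exactly the arguments you meant.
def quoted_command(program, *args)
  ([program] + args).map { |w| Shellwords.escape(w) }.join(' ')
end

def quoted_run(input)
  out, status = Open3.capture2(quoted_command(RbConfig.ruby, '-e', ECHO_ARGS, input))
  status.success? ? out : nil
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_run(HOSTILE)   # "1:filename" then "PWNED": the second command ran
  puts argv_run(HOSTILE)     # "1:filename;echo PWNED": one argument, untouched
  puts quoted_run(HOSTILE)   # same result, the shell ran but saw one escaped word
end
```

Prefer the argument-vector form whenever the API offers it (Ruby's system/spawn/Open3 with multiple arguments, PHP's proc_open with an array, Python's subprocess with a list); Shellwords-style escaping is the fallback for the cases where a string must cross a shell boundary.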