简单的HTML清洁剂在Javascript中 [英] Simple HTML sanitizer in Javascript
问题描述
我正在寻找一个用JavaScript编写的简单HTML清理器。它不需要100%安全的XSS。
我在我的网站上实施Markdown和WMD Markdown编辑器(来自github的SO主分支)。问题是实时预览中显示的HTML没有被过滤,就像它在SO上一样。我正在寻找使用JavaScript编写的简单/快速的HTML清理程序,以便可以过滤预览窗口的内容。
不需要具有完整XSS保护的完整解析器。我不会将输出发送回服务器。在将结果存储到数据库之前,我正在将Markdown发送到服务器,在那里我使用了适当的完整HTML清理程序。
Google对我来说绝对没用。我只是得到了数百篇(通常是不正确的)关于如何从各种服务器端语言中的用户生成的HTML过滤掉javascript的文章。
$ b
UPDATE
我会解释一下为什么我需要这个。我的网站上有一个与StackOverflow中的编辑器非常相似的编辑器。有一个文本区域用于输入MarkDown语法,并在其下方显示一个预览窗口,它显示了它在提交后的样子。
当用户提交某些内容时,它是以MarkDown格式发送到服务器。服务器将其转换为HTML,然后在其上运行HTML清理程序以清理HTML。 MarkDown允许任意的HTML,所以我需要清理它。例如,用户键入如下内容:
< script> alert('Boo!');< / script> ;
MarkDown转换器不会触及它,因为它是HTML。 HTML消毒器会将其去掉,以免脚本元素消失。
但这不是预览窗口中发生的情况。预览窗口仅将MarkDown转换为HTML,但不会对其进行清理。因此,预览窗口将包含一个脚本元素。这意味着预览窗口与服务器上的实际渲染不同。
我想解决这个问题,所以我需要一个快速和肮脏的JavaScript HTML消毒器。基本的元素/属性黑名单和白名单很简单。它不需要是XSS安全的,因为XSS保护由服务器端的HTML清理器完成。
这只是为了确保预览窗口与实际渲染相匹配99.99%的时间,这对我来说已经足够了。
你能帮忙吗?提前致谢!
您应该看看在这个问题中推荐的在客户端对HTML进行合理化/重写
为了确保你不需要做更多关于XSS的事情,请查看这个答案如何防止用户生成的HTML中的Javascript注入攻击
I'm looking for a simple HTML sanitizer written in JavaScript. It doesn't need to be 100% XSS secure.
I'm implementing Markdown and the WMD Markdown editor (The SO master branch from github) on my website. The problem is that the HTML shown in the live preview isn't filtered, like it here on SO. I am looking for a simple/quick HTML sanitizer written in JavaScript so that i can filter the contents of the preview window.
No need for a full parser with complete XSS protection. I'm not sending the output back to the server. I'm sending the Markdown to the server where I use a proper, full HTML sanitizer before I store the result in the database.
Google is being absolutely useless to me. I just get hundreds of (often incorrect) articles on how to filter out javascript from user generated HTML in all kinds of server-side languages.
UPDATE
I'll explain a bit better why I need this. My website has an editor very similar to the one here on StackOverflow. There's a text area to enter MarkDown syntax and a preview window below it that shows you how it will look like after you submitted it.
When the user submits something, it is sent to the server in MarkDown format. The server converts it to HTML and then runs a HTML sanitizer on it to clean up the HTML. MarkDown allows arbitrary HTML so I need to clean it up. For example, the user types something like this:
<script>alert('Boo!');</script>
The MarkDown converter does not touch it since it's HTML. The HTML sanitizer will strip it so the script element is gone.
But this is not what happens in the preview window. The preview window only converts MarkDown to HTML but does not sanitize it. So, the preview window will have a script element.This means the preview window is different from the actual rendering on the server.
I want to fix this, so I need a quick-and-dirty JavaScript HTML sanitizer. Something simple with basic element/attribute blacklisting and whitelisting will do. It does not need to be XSS safe because XSS protection is done by the server-side HTML sanitizer.
This is just to make sure the preview window will match the actual rendering 99.99% of the time, which is good enough for me.
Can you help? Thanks in advance!
You should have a look at the one recommended in this question Sanitize/Rewrite HTML on the Client Side
And just to be sure that you don't need to do more about XSS, please review the answers to this one How to prevent Javascript injection attacks within user-generated HTML
这篇关于简单的HTML清洁剂在Javascript中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
