Package org.owasp.html

Interface HtmlSanitizer.Policy

  • All Superinterfaces:
    HtmlStreamEventReceiver
    Enclosing class:
    HtmlSanitizer
    public static interface HtmlSanitizer.Policy
extends HtmlStreamEventReceiver
    Receives events based on the HTML stream, and applies a policy to decide what HTML constructs to allow. Typically, implementations use an HtmlStreamRenderer to produce the sanitized output.

    Implementations of this class are in the TCB.

    • Method Detail

      • openTag

        void openTag​(String elementName,
             List<String> attrs)
        Called when an HTML tag like <foo bar=baz> is seen in the input.
        Specified by:
        openTag in interface HtmlStreamEventReceiver
        Parameters:
        elementName - a normalized (lower-case for non-namespaced names) element name.
        attrs - a list of alternating attribute name and value pairs. For efficiency, this list may be mutated by this during this method call, but ownership reverts to the caller on method exit. The values are raw -- HTML entities have been decoded. Specifically, implementations are allowed to use a list iterator and remove all disallowed attributes, add necessary attributes, and then pass the list to an HtmlStreamRenderer.

      • closeTag

        void closeTag​(String elementName)
        Called when an HTML tag like </foo> is seen in the input.
        Specified by:
        closeTag in interface HtmlStreamEventReceiver
        Parameters:
        elementName - a normalized (lower-case for non-namespaced names) element name.

      • text

        void text​(String textChunk)
        Called when textual content is seen.
        Specified by:
        text in interface HtmlStreamEventReceiver
        Parameters:
        textChunk - raw content -- HTML entities have been decoded.