Package org.owasp.html
Class HtmlSanitizer

java.lang.Object
    org.owasp.html.HtmlSanitizer

public final class HtmlSanitizer extends Object

Consumes an HTML stream, and dispatches events to a policy object which decides which elements and attributes to allow.

Nested Class Summary

static interface HtmlSanitizer.Policy
    Receives events based on the HTML stream, and applies a policy to decide what HTML constructs to allow.

Constructor Summary

HtmlSanitizer()

Method Summary

static void sanitize(String html, HtmlSanitizer.Policy policy)
    Sanitizes the given HTML by applying the given policy to it.
static void sanitize(String html, HtmlSanitizer.Policy policy, HtmlStreamEventProcessor preprocessor)
    Sanitizes the given HTML by applying the given policy to it.

Method Detail

sanitize

public static void sanitize(@Nullable String html, HtmlSanitizer.Policy policy)

Sanitizes the given HTML by applying the given policy to it. This method is not in the TCB (trusted computing base).

This method has no return value since policies are assumed to render things they accept and do nothing on things they reject. Use HtmlStreamRenderer to render content to an output buffer.

Parameters:
html - A snippet of HTML to sanitize. null is treated as the empty string and will not result in a NullPointerException.
policy - The Policy that will receive events based on the tokens in HTML. Typically, this policy ends up routing the events to an HtmlStreamRenderer after filtering. HtmlPolicyBuilder provides an easy way to create policies.

sanitize

public static void sanitize(@Nullable String html, HtmlSanitizer.Policy policy, HtmlStreamEventProcessor preprocessor)

Sanitizes the given HTML by applying the given policy to it. This method is not in the TCB.

This method has no return value since policies are assumed to render things they accept and do nothing on things they reject. Use HtmlStreamRenderer to render content to an output buffer.

Parameters:
html - A snippet of HTML to sanitize. null is treated as the empty string and will not result in a NullPointerException.
policy - The Policy that will receive events based on the tokens in HTML. Typically, this policy ends up routing the events to an HtmlStreamRenderer after filtering. HtmlPolicyBuilder provides an easy way to create policies.
preprocessor - A processor that may wrap the policy to reinterpret parse events. Since the policy encapsulates its output buffer, this is not in the policy's TCB.
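The following is an added example, not part of this Javadoc or the library's own sources: it wires the two-argument sanitize described above to an HtmlStreamRenderer through an allowlist policy built with HtmlPolicyBuilder. The class name SanitizeExample and the sample input are constructed for the example.

```java
import org.owasp.html.Handler;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.HtmlSanitizer;
import org.owasp.html.HtmlStreamRenderer;
import org.owasp.html.PolicyFactory;

public final class SanitizeExample {

  // Allowlist policy: only <p>, <b>, <i> and <a href> survive; links are
  // limited to https and get rel="nofollow". Script elements, event-handler
  // attributes, javascript: URLs and unknown tags are rejected by the policy.
  private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
      .allowElements("p", "b", "i", "a")
      .allowAttributes("href").onElements("a")
      .allowUrlProtocols("https")
      .requireRelNofollowOnLinks()
      .toFactory();

  /** Runs untrusted HTML through the allowlist policy and returns the rendered result. */
  static String sanitize(String untrustedHtml) {
    StringBuilder out = new StringBuilder();
    // The renderer owns the output buffer, so it is the part in the TCB;
    // HtmlSanitizer.sanitize itself is not, as the Javadoc above states.
    HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
        out,
        Handler.PROPAGATE,   // rethrow IOExceptions from the Appendable (none for StringBuilder)
        Handler.DO_NOTHING); // ignore "bad HTML" notifications rather than failing
    // PolicyFactory.apply wraps the renderer in an HtmlSanitizer.Policy that
    // forwards only the events the allowlist accepts.
    HtmlSanitizer.sanitize(untrustedHtml, POLICY.apply(renderer));
    return out.toString();
  }

  public static void main(String[] args) {
    // Constructed sample input: allowed markup mixed with constructs the policy must drop.
    String untrusted = "<p onclick=\"x()\">Hi <b>there</b>"
        + "<script>alert(1)</script>"
        + "<a href=\"javascript:alert(1)\">bad</a>"
        + "<a href=\"https://example.org/\">ok</a></p>";
    System.out.println(sanitize(untrusted));
    // null input is treated as the empty string, as documented above.
    System.out.println("[" + sanitize(null) + "]");
  }
}
```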