Class HtmlSanitizer


  • public final class HtmlSanitizer
    extends Object
    Consumes an HTML stream, and dispatches events to a policy object which decides which elements and attributes to allow.
    • Constructor Detail

      • HtmlSanitizer

        public HtmlSanitizer()
    • Method Detail

      • sanitize

        public static void sanitize(@Nullable String html,
                                    HtmlSanitizer.Policy policy)
        Sanitizes the given HTML by applying the given policy to it.

        This method is not in the trusted computing base (TCB).

        This method has no return value since policies are assumed to render things they accept and do nothing on things they reject. Use HtmlStreamRenderer to render content to an output buffer.

        Parameters:
        html - A snippet of HTML to sanitize. null is treated as the empty string and will not result in a NullPointerException.
        policy - The Policy that will receive events based on the tokens in HTML. Typically, this policy ends up routing the events to an HtmlStreamRenderer after filtering. HtmlPolicyBuilder provides an easy way to create policies.
      • sanitize

        public static void sanitize(@Nullable String html,
                                    HtmlSanitizer.Policy policy,
                                    HtmlStreamEventProcessor preprocessor)
        Sanitizes the given HTML by applying the given policy to it.

        This method is not in the TCB.

        This method has no return value since policies are assumed to render things they accept and do nothing on things they reject. Use HtmlStreamRenderer to render content to an output buffer.

        Parameters:
        html - A snippet of HTML to sanitize. null is treated as the empty string and will not result in a NullPointerException.
        policy - The Policy that will receive events based on the tokens in HTML. Typically, this policy ends up routing the events to an HtmlStreamRenderer after filtering. HtmlPolicyBuilder provides an easy way to create policies.
        preprocessor - A processor that may wrap the policy to reinterpret parse events. Since the policy encapsulates its output buffer, this is not in the policy's TCB.
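
An added usage example, not part of the library's own documentation: because sanitize returns nothing, the caller reads the result from the buffer behind the HtmlStreamRenderer that the policy routes accepted events to. The class name SanitizeExample, the helper sanitizeToString, the allow-list and the sample input are constructed for illustration; the org.owasp.html package is assumed to be on the classpath.

```java
import java.util.ArrayList;
import java.util.List;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.HtmlSanitizer;
import org.owasp.html.HtmlStreamRenderer;

public class SanitizeExample {

  // Hypothetical helper: sanitizes untrusted HTML into a fresh buffer and
  // returns what the policy allowed through to the renderer.
  static String sanitizeToString(String untrustedHtml, List<String> rendererAlerts) {
    StringBuilder out = new StringBuilder();

    // The renderer owns the output buffer. Its handler is notified when the
    // renderer is handed content it cannot render as valid HTML.
    HtmlStreamRenderer renderer = HtmlStreamRenderer.create(out, rendererAlerts::add);

    // Allow-list policy (constructed for this example): a few formatting
    // elements and links restricted to https. Everything else is dropped.
    HtmlSanitizer.Policy policy = new HtmlPolicyBuilder()
        .allowElements("p", "b", "i", "a")
        .allowAttributes("href").onElements("a")
        .allowUrlProtocols("https")
        .requireRelNofollowOnLinks()
        .build(renderer);

    // No return value: accepted tokens have been written to 'out' by the renderer.
    HtmlSanitizer.sanitize(untrustedHtml, policy);
    return out.toString();
  }

  public static void main(String[] args) {
    // Constructed sample input: an event-handler attribute, an element that is
    // not on the allow-list, and one link outside the allowed protocol list.
    String untrusted = "<p onclick=\"track()\">Hello <b>world</b><script>alert(1)</script> "
        + "<a href=\"javascript:void(0)\">one</a> "
        + "<a href=\"https://example.com/\">two</a></p>";

    List<String> alerts = new ArrayList<>();
    System.out.println(sanitizeToString(untrusted, alerts));

    // null is documented as being treated as the empty string (no NullPointerException).
    System.out.println(sanitizeToString(null, alerts));
    System.out.println("renderer alerts: " + alerts);
  }
}
```

A policy built this way is bound to one renderer and therefore to one output buffer, which is why the helper builds a new policy on every call.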