New ESAPI function sanitizeHTML() ESAPI 2.2.4.5-SNAPSHOT

sanitizeHtml()

Sanitizes unsafe HTML input and removes elements and attributes like JavaScript, onclick, etc.
Based on

This is similar to, but different from, getSafeHtml(), which uses AntiSamy (currently unimplemented; see [LDEV-838] - Lucee)

Example

sanitizeHtml(string string,[any policy]):string

Category

ESAPI,HTML

Arguments

The arguments for this function are set. You cannot use other arguments except the following ones.

Name Type Required Description
string string Yes string to sanitize
policy any No Either a org.owasp.html.PolicyFactory or a String with built in Sanitizers. If omitted then all of the built-in policies are applied. The built in Sanitizers are:
  • FORMATTING
  • BLOCKS
  • STYLES
  • LINKS
  • TABLES
  • IMAGES

Already bundled in 5.3.9 RC3, local reference http://127.0.0.1:8888/lucee/doc/functions.cfm?item=sanitizehtml

https://luceeserver.atlassian.net/browse/LDEV-3953

4 Likes

Nice. I’m a big fan of java html sanitizer.

I assume we would be building policies?

Is there a simple way to get an empty policy builder? or would it just be recommended to do something like?
var policyBuild = createObject( "java", "org.owasp.html.HtmlPolicyBuilder" )

add your rules, and then call .toFactory()?

I would recommend that if no policy is passed, it defaults to nothing allowed (an empty policy) rather than all the built-ins. I.e., IMO, it should only allow elements on purpose.
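Putting the announcement's built-in policy names and the HtmlPolicyBuilder approach from the reply above side by side, here is an added example (it is not code from the Lucee docs, the announcement, or the OWASP Java HTML Sanitizer project). It assumes Lucee 5.3.9 RC3 or later, where sanitizeHtml() is bundled; the input string is constructed for the example, and javaCast("string[]", ...) is used to hand CFML arrays to the builder's Java varargs (String...) parameters. The third variant is the default-deny style the reply recommends: HtmlPolicyBuilder allows nothing until each element, attribute and URL scheme is opted in.

```cfml
<cfscript>
// Added example, not code from the Lucee docs or the OWASP Java HTML Sanitizer.
// Assumes Lucee 5.3.9 RC3 or later (where sanitizeHtml() is bundled).

// Constructed test input: a script element, an inline event handler,
// a javascript: URL and one legitimate https link.
dirty = '<p onclick="steal()">Hello <b>world</b>'
      & '<script>alert(1)</script>'
      & '<a href="javascript:alert(2)">bad link</a> '
      & '<a href="https://example.com/" target="_blank">good link</a></p>';

// 1. No policy argument: every built-in policy is applied
//    (FORMATTING, BLOCKS, STYLES, LINKS, TABLES, IMAGES).
writeOutput(encodeForHtml(sanitizeHtml(dirty)) & "<br>");

// 2. One built-in policy by name: only inline formatting elements survive,
//    so both links are reduced to their text.
writeOutput(encodeForHtml(sanitizeHtml(dirty, "FORMATTING")) & "<br>");

// 3. Default-deny custom policy: HtmlPolicyBuilder starts with nothing
//    allowed, so every element, attribute and URL scheme is opted in.
//    javaCast("string[]", ...) passes a CFML array to the Java varargs
//    (String...) parameters of the builder methods.
builder = createObject("java", "org.owasp.html.HtmlPolicyBuilder").init();
policy = builder
    .allowElements(javaCast("string[]", ["p", "b", "i", "a"]))
    .allowAttributes(javaCast("string[]", ["href"])).onElements(javaCast("string[]", ["a"]))
    .allowUrlProtocols(javaCast("string[]", ["https"]))   // javascript: and http: hrefs are dropped
    .requireRelNofollowOnLinks()                           // surviving links get rel="nofollow"
    .toFactory();                                          // org.owasp.html.PolicyFactory

// The script element (with its content), the onclick handler and the
// javascript: link are gone; the https link keeps its href, loses target
// (not allowlisted) and gains rel="nofollow".
clean = sanitizeHtml(dirty, policy);
writeOutput(encodeForHtml(clean));
</cfscript>
```

The PolicyFactory is immutable and thread-safe, so build it once (for example in Application.cfc or a cached component) and pass the same instance to every sanitizeHtml() call rather than rebuilding it per request.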

Wow! Fantastic!

Used getSafeHTML() a lot in my CF code and am migrating to Lucee now.

Just saved me a bunch of time! THANK YOU!

2 Likes

Curious… is there any way we can “alias” this so that a call to getSafeHTML actually calls sanitizeHtml in Lucee?

I’d love to be able to use my CF code base on either server, especially while I’m migrating back and forth.
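One way to run the same code base on both engines, as an added example that is not part of the thread or of Lucee: neither engine lets a UDF take the name of a built-in function, so instead of aliasing getSafeHTML itself, wrap both functions behind a name of your own (safeHtml() here is an assumed name) and pick the engine's function at runtime with getFunctionList(), which both Adobe ColdFusion and Lucee provide. Because the call to sanitizeHtml() is only reached on Lucee and the call to getSafeHTML() only on Adobe ColdFusion, the missing function on the other engine is never invoked. One caveat a practitioner should keep in mind: AntiSamy (Adobe ColdFusion) and the OWASP Java HTML Sanitizer (Lucee) use different policy formats and default rules, so only the default policy is portable this way and the two engines can sanitize edge cases differently.

```cfml
<cfscript>
// Added example, not from the thread or from Lucee. The name safeHtml()
// is an assumption; the built-in names cannot be redefined as UDFs.
function safeHtml(required string html) {
    // getFunctionList() exists on both engines and lists their built-in
    // functions; structKeyExists() is case-insensitive in CFML.
    var bifs = getFunctionList();

    if (structKeyExists(bifs, "sanitizeHtml")) {
        // Lucee 5.3.9 RC3+: OWASP Java HTML Sanitizer, all built-in policies
        return sanitizeHtml(arguments.html);
    }
    if (structKeyExists(bifs, "getSafeHTML")) {
        // Adobe ColdFusion: AntiSamy with the default policy file
        return getSafeHTML(arguments.html);
    }
    // Fail closed rather than returning the untrusted markup unchanged
    throw(type = "UnsupportedEngine",
          message = "No HTML sanitizer function is available on this engine");
}

// Constructed usage: the same call works unchanged on either engine
clean = safeHtml('<p onclick="steal()">Hello <script>alert(1)</script>world</p>');
writeOutput(encodeForHtml(clean));
</cfscript>
```

Keep the wrapper in a shared component or a function library that both deployments include, and migrate call sites from getSafeHTML() to safeHtml() once; after the move to Lucee is complete, the wrapper can be reduced to a direct sanitizeHtml() call with a purpose-built PolicyFactory.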