SanitizeHtml()

Sanitizes untrusted HTML input, removing dangerous elements and attributes such as script content and event-handler attributes like onclick.

See also OWASP Java HTML Sanitizer

Requires Extension: ESAPI extension

SanitizeHtml( string=string, policy=any );

Returns: String

Argument Description
string
string, required

string to sanitize

policy
any, optional

Either an org.owasp.html.PolicyFactory or a String naming one of the built-in sanitizers.

If omitted then all of the built-in policies are applied.

The built-in sanitizers are:

  • FORMATTING
  • BLOCKS
  • STYLES
  • LINKS
  • TABLES
  • IMAGES

Examples

// Sample markup to be sanitized (a complete HTML document with a form)
html = '<!DOCTYPE html><html><body><h2>HTML Forms</h2><form action="/action_page.cfm"><label for="fname">First name:</label><br><input type="text" id="fname" name="fname" value="Pothys"><br><br><br><input type="submit" value="Submit">
    </form><p>If you click the "Submit" button, the form-data will be sent to a page called "/action_page.cfm".</p></body></html>';
writeDump(var=html, label='html');
// No policy argument: all built-in sanitizers are applied
test = SanitizeHtml(html);
writeDump(var=test, label='SanitizeHtml');
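A fuller example, added here and not part of the original page, that runs the default call beside a single named policy and then checks the sanitized result before it would be stored or rendered. It assumes the ESAPI extension is installed and, as the argument description states, that a built-in sanitizer is selected by passing its name as a string; the untrusted input markup is constructed for the example.

```cfml
// Constructed untrusted input: markup a user might submit in a comment field.
untrusted = '<p onclick="alert(1)">Hello <b>world</b></p>'
    & '<script>alert(document.cookie)</script>'
    & '<a href="javascript:alert(1)">click</a>'
    & '<a href="https://example.com">safe link</a>'
    & '<img src="x" onerror="alert(1)">';

// Default call: all built-in sanitizers (FORMATTING, BLOCKS, STYLES, LINKS, TABLES, IMAGES) are applied.
allPolicies = SanitizeHtml(untrusted);

// Restricted call: only inline formatting is permitted.
// Assumption: a single built-in sanitizer is named by passing its name as a plain string.
formattingOnly = SanitizeHtml(untrusted, "FORMATTING");

// Defensive post-check: if any of these fragments survive sanitization, the policy in use
// is looser than intended and the output should be rejected rather than stored or rendered.
function hasActiveContent(required string markup) {
    var lower = lCase(arguments.markup);
    var markers = ["<script", "onclick=", "onerror=", "javascript:"];
    for (var marker in markers) {
        if (find(marker, lower)) {
            return true;
        }
    }
    return false;
}

writeDump(var=allPolicies, label="all built-in sanitizers");
writeDump(var=formattingOnly, label="FORMATTING only");
// Both checks are expected to report false: script content, event handlers and the
// javascript: URL are removed; only the https link survives under the default policies.
writeDump(var=hasActiveContent(allPolicies), label="active content left (default)");
writeDump(var=hasActiveContent(formattingOnly), label="active content left (FORMATTING)");
```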
