sanitize_html 2.1.0 (pubspec dependency: sanitize_html: ^2.1.0)

Function for sanitizing HTML to prevent XSS by restricting elements and attributes to a safe subset of allowed values.

HTML Sanitizer for Dart

When embedding HTML from an untrusted source in a website it is important to sanitize the HTML to prevent injection of untrusted JavaScript (XSS exploits). This package provides a simple function for sanitizing HTML to prevent XSS exploits and to limit interference with other elements on the page.

Disclaimer: This is not an officially supported Google product.

This package uses an HTML5 parser to build up an in-memory DOM tree and filter elements and attributes, in line with the rules employed by GitHub when sanitizing GFM (GitHub Flavored Markdown).

This removes all inline JavaScript, CSS, <form>, and other elements that could be used for XSS. This sanitizer is stricter than strictly necessary to guard against XSS, because it also attempts to prevent the sanitized HTML from interfering with the page it is injected into.

For example, while it is possible to allow many CSS properties, this sanitizer does not allow any CSS. This creates a sanitizer that is easy to validate. These limitations are usually fine when sanitizing HTML from rendered markdown.

Example

import 'package:sanitize_html/sanitize_html.dart' show sanitizeHtml;

void main() {
  print(sanitizeHtml('<a href="javascript:alert();">evil link</a>'));
  // Prints: <a>evil link</a>
  // Which is a lot less evil :)
}
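The README shows a single call; the following added example (not part of the package) runs sanitizeHtml over a handful of constructed untrusted fragments of the kinds the text says are removed (inline script, event-handler attributes, javascript: URLs, CSS, forms, id/class attributes) and then re-parses the output with the html package listed as a dependency, as a narrow post-condition check on what is about to be embedded. The sample inputs and the containsActiveContent helper are constructed for this example; only sanitizeHtml(String) is the package's own API.

```dart
import 'package:sanitize_html/sanitize_html.dart' show sanitizeHtml;
import 'package:html/parser.dart' show parseFragment;

/// Constructed untrusted fragments, the sort that could arrive from
/// user-supplied markdown rendered to HTML (sample data, not real input).
const untrustedSamples = <String>[
  '<img src="x" onerror="alert(1)">',
  '<a href="javascript:alert(1)">click</a>',
  '<script>alert(1)</script><p>hello</p>',
  '<style>body { display: none }</style><p id="main" class="hero">styled</p>',
  '<form action="/login"><input name="pw"></form>',
];

/// Narrow post-condition check (hypothetical helper, not a sanitizer):
/// true if [html] still contains a script/style/form element, an on*
/// event-handler attribute, or a javascript: URL in href/src. It catches
/// only the specific things this page says the sanitizer removes.
bool containsActiveContent(String html) {
  final fragment = parseFragment(html);
  for (final element in fragment.querySelectorAll('*')) {
    final name = element.localName?.toLowerCase();
    if (name == 'script' || name == 'style' || name == 'form') return true;
    for (final entry in element.attributes.entries) {
      // Attribute keys may be String or AttributeName; normalise to text.
      final attr = entry.key.toString().toLowerCase();
      final value = entry.value.trim().toLowerCase();
      if (attr.startsWith('on')) return true;
      if ((attr == 'href' || attr == 'src') &&
          value.startsWith('javascript:')) {
        return true;
      }
    }
  }
  return false;
}

void main() {
  for (final sample in untrustedSamples) {
    final clean = sanitizeHtml(sample);
    print('in:  $sample');
    print('out: $clean');
    // sanitizeHtml is the defence; this assert only documents what the
    // caller relies on and fails loudly in debug builds if it ever changes.
    assert(!containsActiveContent(clean), 'active content survived: $clean');
  }
}
```

Run with `dart --enable-asserts` so the post-condition check is evaluated; the printed output also shows that id and class attributes are dropped, which is the "interference with the page" behaviour described above.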
46 likes, 160 points, 512k downloads

Publisher: google.dev (verified publisher)



Topics: #security #html


License: Apache-2.0

Dependencies: html, meta
