[Mashup-dev] HTML sanitation

Channa Gunawardena channa at wso2.com
Thu Jul 3 04:15:39 PDT 2008


Hi All,

I've taken out the basic and restrictive JavaScript sanitation I had 
used for bio and comments earlier, and provided a sanitizeHtml method in 
the MashupUtils class which actually wraps AntiSamy 
(http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project), a 
profile-based HTML sanitation tool, which is BSD licensed.

This was pretty much the best sanitation tool I found out there with the 
features and license we need. All the dependent jars it added to our 
distro are Apache licensed, but it does add 3 jars, along with its own 
code, for a total of 468K. Seems pretty big just to sanitize HTML, but 
with AntiSamy we (and any ultimate user) can change the policy XML file 
in the config directory to make the sanitation as open or as paranoid as 
necessary.

If the increase in download size seems too large and the solution seems 
to be an overkill, we can actually remove AntiSamy and implement our own 
Java based logic in the sanitizeHtml method, but I personally would 
prefer to stay with this.

Bye,
Channa.

-- 
********************************************
Channa Gunawardena
Technical Lead, WSO2 Inc.
channa at wso2.com; http://channa.gunawardena.org; +94 71 306 2722

"The Open Source SOA Company", http://wso2.com
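As an added illustration (not the project's code) of the kind of wrapper described above, the following hypothetical class loads an AntiSamy policy once and sanitizes untrusted HTML against it; the policy file path and the sample bio are placeholders constructed for the example.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Hypothetical wrapper in the spirit of the sanitizeHtml method mentioned
 * in the post. Added as an example; not the project's own code.
 */
public class HtmlSanitizerExample {

    // Placeholder: the real policy XML lives in the distro's config directory.
    private static final String POLICY_FILE = "PATH/TO/config/antisamy-policy.xml";

    private final Policy policy;

    public HtmlSanitizerExample(String policyFile) throws PolicyException {
        // Parsing the policy is comparatively expensive; load it once and reuse it.
        this.policy = Policy.getInstance(policyFile);
    }

    /** Returns HTML reduced to what the loaded policy permits. */
    public String sanitizeHtml(String untrustedHtml) throws ScanException, PolicyException {
        if (untrustedHtml == null) {
            return "";
        }
        CleanResults results = new AntiSamy().scan(untrustedHtml, policy);
        // Each error message names a tag or attribute the policy rejected;
        // logging them helps tune the policy and spot abusive input.
        for (Object message : results.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + message);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        HtmlSanitizerExample sanitizer = new HtmlSanitizerExample(POLICY_FILE);
        // Constructed sample bio: harmless formatting plus a script tag and an
        // inline event handler that a typical policy strips.
        String bio = "<p>Hi, I work on <b>mashups</b>.</p>"
                + "<script>alert(1)</script>"
                + "<a href=\"http://example.org\" onclick=\"doSomething()\">my site</a>";
        System.out.println(sanitizer.sanitizeHtml(bio));
    }
}
```

With a policy that allows only basic formatting and plain links, the output keeps the paragraph and anchor text while the script element and onclick attribute are dropped.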



