A wrapper around the html5lib library for sanitizing HTML.
The url parameter can be used to refer to a page of HTML content to be sanitized. Examples:
Alternatively, the content parameter can be used to include the HTML in the GET request itself. Examples:
GET /whitelist?content=%3Cp%3Esafe+html%3C/p%3E
GET /whitelist?content=%3Cscript%3Escary+html%3C/script%3E
The json parameter will wrap the response in a JSON dictionary under the key html. Examples:
GET /whitelist?content=%3Cp%3Esafe+html%3C/p%3E&json=1
GET /whitelist?content=%3Cscript%3Escary+html%3C/script%3E&json=1
The callback=foo parameter will enable JSONP-style callbacks, suitable for use within a <script src> tag. Examples:
GET /whitelist?content=%3Cp%3Esafe+html%3C/p%3E&callback=foo
GET /whitelist?content=%3Cscript%3Escary+html%3C/script%3E&callback=foo
The mode parameter will swap in alternative sanitizers. At this time, only the permissive-but-safe default mode and the restrictive atwood mode (see here) are supported. Examples:
GET /whitelist?content=%3Cp%3E%3Ccite%3EAnathem%3C/cite%3E by Neal Stephenson%3C/p%3E&mode=default
GET /whitelist?content=%3Cp%3E%3Ccite%3EAnathem%3C/cite%3E by Neal Stephenson%3C/p%3E&mode=atwood
POST requests to /whitelist can be either multipart/form-data or application/x-www-form-urlencoded encoded. If a key named content is present then the value will be sanitized. If not, the entire request body will be sanitized.
POST requests also accept the json, callback, and mode parameters.
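A client for the GET parameters described above, added here as an example and not part of the service's own code: it percent-encodes the content, restricts mode to the two listed values, accepts only identifier-shaped callback names, and unwraps the json or callback response. The host name, the function names, and the JSONP body shape `name({...});` are assumptions.

```python
import json
import re
from urllib.parse import urlencode

# Assumption: placeholder host; the page does not give the service's base URL.
BASE_URL = "https://sanitizer.example/whitelist"
MODES = {"default", "atwood"}  # the two modes the page lists
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")  # plain JS identifier


def build_url(content, mode="default", as_json=False, callback=None):
    """Build a GET /whitelist URL with every value percent-encoded."""
    if mode not in MODES:
        raise ValueError("unsupported mode: %r" % mode)
    params = [("content", content)]
    if mode != "default":
        params.append(("mode", mode))
    if as_json:
        params.append(("json", "1"))
    if callback is not None:
        # Only an identifier is accepted, so the name cannot carry
        # markup or script into the JSONP response.
        if not CALLBACK_RE.fullmatch(callback):
            raise ValueError("callback must be a JavaScript identifier")
        params.append(("callback", callback))
    return BASE_URL + "?" + urlencode(params)


def extract_html(body, callback=None):
    """Return the sanitized HTML from a json=1 or callback=... body."""
    text = body.strip()
    if callback is not None:
        # Assumption: the JSONP body has the shape  name({...});
        prefix = callback + "("
        if not text.startswith(prefix):
            raise ValueError("body is not wrapped in the expected callback")
        text = text[len(prefix):].rstrip(";").rstrip()
        if not text.endswith(")"):
            raise ValueError("unterminated JSONP wrapper")
        text = text[:-1]
    doc = json.loads(text)
    if not isinstance(doc, dict) or not isinstance(doc.get("html"), str):
        raise ValueError("response has no string 'html' key")
    return doc["html"]
```

The returned string is still HTML, so insert it only where markup is expected and never into an attribute or script context.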
Copyright DeWitt Clinton