sanitize_html 1.1.0

  • README.md
  • CHANGELOG.md
  • Example
  • Installing
  • Versions
  • new55

HTML Sanitizer for Dart #

When embedding HTML from untrusted source in a website it is important to sanitize the HTML to prevent injection of untrusted Javascript (XSS exploits). This package provides a simple function sanitizing HTML to prevent XSS exploits and limit interference with other elements on the page.

Disclaimer: This is not an officially supported Google product.

This package uses an HTML5 parser to build-up an in-memory DOM tree and filter elements and attributes, in-line with rules employed by Github when sanitizing GFM (Github Flavored Markdown).

This removes all inline Javascript, CSS, <form>, and other elements that could be used for XSS. This sanitizer is more strict than necessary to guard against XSS as this sanitizer also attempts to prevent the sanitized HTML from interfering with the page it is injected into.

For example, while it is possible to allow many CSS properties, this sanitizer does not allow any CSS. This creates a sanitizer that is easy to validate. These limitations are usually fine when sanitizing HTML from rendered markdown.

Example #

import 'package:sanitize_html/sanitize_html.dart' show sanitizeHtml;

void main() {
  print(sanitizeHtml('<a href="javascript:alert();">evil link</a>'));
  // Prints: <a>evil link</a>
  // Which is a lot less evil :)
}

v1.1.0 #

  • Add options allowElementId and allowClassName to allow specific element ids and class names.

v1.0.0 #

  • Initial release.

example/main.dart

// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

import 'package:sanitize_html/sanitize_html.dart' show sanitizeHtml;

void main() {
  print(sanitizeHtml('<a href="javascript:alert();">evil link</a>'));
  // Prints: <a>evil link</a>
}

Use this package as a library

1. Depend on it

Add this to your package's pubspec.yaml file:


dependencies:
  sanitize_html: ^1.1.0

2. Install it

You can install packages from the command line:

with pub:


$ pub get

with Flutter:


$ flutter packages get

Alternatively, your editor might support pub get or flutter packages get. Check the docs for your editor to learn more.

3. Import it

Now in your Dart code, you can use:


import 'package:sanitize_html/sanitize_html.dart';
  
Version Uploaded Documentation Archive
1.1.0 Apr 3, 2019 Go to the documentation of sanitize_html 1.1.0 Download sanitize_html 1.1.0 archive
1.0.0 Apr 2, 2019 Go to the documentation of sanitize_html 1.0.0 Download sanitize_html 1.0.0 archive
Popularity:
Describes how popular the package is relative to other packages. [more]
10
Health:
Code health derived from static analysis. [more]
100
Maintenance:
Reflects how tidy and up-to-date the package is. [more]
100
Overall:
Weighted score of the above. [more]
55
Learn more about scoring.

We analyzed this package on Apr 22, 2019, and provided a score, details, and suggestions below. Analysis was completed with status completed using:

  • Dart: 2.2.0
  • pana: 0.12.14

Platforms

Detected platforms: Flutter, web, other

No platform restriction found in primary library package:sanitize_html/sanitize_html.dart.

Dependencies

Package Constraint Resolved Available
Direct dependencies
Dart SDK >=2.2.0 <3.0.0
meta ^1.1.7 1.1.7
universal_html ^0.1.0 0.1.0
Transitive dependencies
args 1.5.1
charcode 1.1.2
csslib 0.14.6 0.15.0
html 0.13.4+2 0.14.0+1
logging 0.11.3+2
path 1.6.2
source_span 1.5.5
term_glyph 1.1.0
utf 0.9.0+5
Dev dependencies
pedantic ^1.4.0
test ^1.5.1