code.google.com home

org.owasp.html
Interface HtmlSanitizer.Policy

All Superinterfaces:
HtmlStreamEventReceiver
Enclosing class:
HtmlSanitizer

public static interface HtmlSanitizer.Policy
extends HtmlStreamEventReceiver

Receives events based on the HTML stream, and applies a policy to decide what HTML constructs to allow. Typically, implementations use an HtmlStreamRenderer to produce the sanitized output.

Implementations of this interface are in the TCB (trusted computing base).


Method Summary
 void closeTag(java.lang.String elementName)
          Called when an HTML tag like </foo> is seen in the input.
 void openTag(java.lang.String elementName, java.util.List<java.lang.String> attrs)
          Called when an HTML tag like <foo bar=baz> is seen in the input.
 void text(java.lang.String textChunk)
          Called when textual content is seen.
 
Methods inherited from interface org.owasp.html.HtmlStreamEventReceiver
closeDocument, openDocument
 

Method Detail

openTag

void openTag(java.lang.String elementName,
             java.util.List<java.lang.String> attrs)
Called when an HTML tag like <foo bar=baz> is seen in the input.

Specified by:
openTag in interface HtmlStreamEventReceiver
Parameters:
elementName - a normalized (lower-case for non-namespaced names) element name.
attrs - a list of alternating attribute names and values. For efficiency, the implementation may mutate this list during the method call, but ownership reverts to the caller on method exit. Specifically, implementations are allowed to use a list iterator to remove all disallowed attributes, add necessary attributes, and then pass the list to an HtmlStreamRenderer. The values are raw -- HTML entities have been decoded.

closeTag

void closeTag(java.lang.String elementName)
Called when an HTML tag like </foo> is seen in the input.

Specified by:
closeTag in interface HtmlStreamEventReceiver
Parameters:
elementName - a normalized (lower-case for non-namespaced names) element name.

text

void text(java.lang.String textChunk)
Called when textual content is seen.

Specified by:
text in interface HtmlStreamEventReceiver
Parameters:
textChunk - raw content -- HTML entities have been decoded.
