HTMLDocument.WhiteList(3kaya)      Kaya module reference      HTMLDocument.WhiteList(3kaya)

NAME

       HTMLDocument::WhiteList - Elements to allow in String->HTML conversion

SYNOPSIS

       HTMLDocument::WhiteList< >
       = UltraSafe()
       | InlineOnly(HTMLDocument::ConversionSafety sa)
       | AllElements(HTMLDocument::ConversionSafety sb)
       | Unchecked()
       | CustomWhitelist(Dict::Dict<String, [String]> whitelist)

DESCRIPTION

       When converting from a String to HTML, rather than simply adding a
       String to an existing element where it will be escaped, the elements
       allowed in the conversion should depend on how trustworthy the String
       is. Generally, any unauthenticated user-supplied data should be treated
       extremely cautiously, and even authenticated user-supplied data should
       be treated with some caution in case the authentication is broken.

       Use of String to HTML conversion allows potential for cross-site
       scripting attacks
       ⟨http://www.cert.org/archive/pdf/cross_site_scripting.pdf⟩ against your
       application, especially if the allowed element list is generous.

       - UltraSafe - removes all tags and attributes. This differs from adding
         the string directly as text, which escapes them. This conversion
         method is immune to cross-site scripting.

       - InlineOnly - allows only inline elements.

       - AllElements - allows inline and block elements.

       - Unchecked - allows all tags and attributes. Use this only on
         completely trusted data, as it allows trivial cross-site scripting
         attacks if an attacker can control the String being converted.

       - CustomWhitelist - create your own whitelist of elements. The
         whitelist is a Dict(3kaya) with the allowed elements as the key and
         the list of allowed attributes for that element as the value. The
         string "*" will match any element as the key, or any attribute as an
         item in the value list, which is generally not a good idea for
         anything other than completely trusted data.

       For the InlineOnly and AllElements options, you also need to select a
       HTMLDocument.ConversionSafety (3kaya).

AUTHORS

       Kaya standard library by Edwin Brady, Chris Morris and others
       (kaya@kayalang.org). For further information see http://kayalang.org/

LICENSE

       The Kaya standard library is free software; you can redistribute it
       and/or modify it under the terms of the GNU Lesser General Public
       License (version 2.1 or any later version) as published by the Free
       Software Foundation.

       HTMLDocument.ConversionSafety (3kaya)
       HTMLDocument.readFromString (3kaya)

Kaya                             December 2010   HTMLDocument.WhiteList(3kaya)