XssHtmlValidator | Viewer API Help

Validator which sanitizes HTML content to eliminate XSS (cross-site scripting) security risks. This validator has some special functionality surrounding the handling of URIs as they are sanitized:

When the HTML is sanitized, we place all URIs into an array, replacing them in the HTML with replacement tokens.
The URIs are then run through the Content Policy instance, which asynchronously determines the fate of each URI. At this point, the user might be prompted about allowing dangerous URIs. The Content Policy overwrites the URIs in-place.
The manipulated URIs are then injected back into the sanitized HTML, and in the correct locations (token replacement).
The final sanitized HTML string is returned in the ValidationResult.

Hierarchy

XssHtmlValidator

Implements

Validator<string>

Index

Constructors

constructor

Properties

Methods

Constructors

constructor

new XssHtmlValidator(options?: XssHtmlValidatorConstructorOptions): XssHtmlValidator

- Defined in Mapping.Infrastructure.ts:25255
Construct an XSS HTML Validator.

Parameters
- Optional options: XssHtmlValidatorConstructorOptions
Returns XssHtmlValidator

Properties

Protected _contentPolicy

_contentPolicy: ContentPolicy

Overriding content policy for this validator. Takes precedence over the content policy specified as context to validate().

Protected _tokenLeft

_tokenLeft: string

Protected _tokenLeftEscaped

_tokenLeftEscaped: string

Protected _tokenRight

_tokenRight: string

Protected _tokenRightEscaped

_tokenRightEscaped: string

Methods

Protected _applyUris

_applyUris(process: XssHtmlValidatorProcess): XssHtmlValidatorProcess

- Defined in Mapping.Infrastructure.ts:25287
Insert the rewritten URIs into the HTML (token replacement).

Parameters
- process: XssHtmlValidatorProcess
Returns XssHtmlValidatorProcess

Protected _escape

_escape(process: XssHtmlValidatorProcess): XssHtmlValidatorProcess

- Defined in Mapping.Infrastructure.ts:25273
Escape the HTML prior to the upcoming insertion of token replacements.

Parameters
- process: XssHtmlValidatorProcess
Returns XssHtmlValidatorProcess

Protected _runUrisThroughContentPolicy

_runUrisThroughContentPolicy(process: XssHtmlValidatorProcess): Promise<XssHtmlValidatorProcess>

- Defined in Mapping.Infrastructure.ts:25283
Pass URIs through the Content Policy.

Parameters
- process: XssHtmlValidatorProcess
Returns Promise<XssHtmlValidatorProcess>

Protected _sanitize

_sanitize(process: XssHtmlValidatorProcess, sanitizeOptions?: SanitizeOptions): XssHtmlValidatorProcess

- Defined in Mapping.Infrastructure.ts:25279
Sanitize the HTML. Compile all URIs into an array. Replace all URIs in the HTML with replacement tokens.

Parameters
- process: XssHtmlValidatorProcess
- Optional sanitizeOptions: SanitizeOptions
Returns XssHtmlValidatorProcess

Protected _tokenize

_tokenize(index: number): string

- Defined in Mapping.Infrastructure.ts:25295
Turn an index number into a replacement token.

Parameters
- index: number
Returns string

Protected _unescape

_unescape(process: XssHtmlValidatorProcess): XssHtmlValidatorProcess

- Defined in Mapping.Infrastructure.ts:25291
Unescape data after replacing tokens.

Parameters
- process: XssHtmlValidatorProcess
Returns XssHtmlValidatorProcess

validate

validate(html: string, context?: XssHtmlValidatorContext): Promise<ValidationResult<string>>

- Defined in Mapping.Infrastructure.ts:25269
Sanitize a string of HTML to eliminate XSS risks.
- Use FilterUtils to sanitize the HTML. Compile all URIs into an array, and replace them in the HTML with replacement tokens.
- Pass URIs through the Content Policy (which rewrites them), and insert them back into the HTML (token replacement).
- Return the sanitized HTML.
Parameters
- html: string
  
  The string HTML which needs to be sanitized.
- Optional context: XssHtmlValidatorContext
Returns Promise<ValidationResult<string>>

String of sanitized HTML.

Hierarchy

Implements

Index

Constructors

Properties

Methods

Constructors

constructor

Parameters

Optional options: XssHtmlValidatorConstructorOptions

Returns XssHtmlValidator

Properties

Protected _contentPolicy

Protected _tokenLeft

Protected _tokenLeftEscaped

Protected _tokenRight

Protected _tokenRightEscaped

Methods

Protected _applyUris

Parameters

process: XssHtmlValidatorProcess

Returns XssHtmlValidatorProcess

Protected _escape

Parameters

process: XssHtmlValidatorProcess

Returns XssHtmlValidatorProcess

Protected _runUrisThroughContentPolicy

Parameters

process: XssHtmlValidatorProcess

Returns Promise<XssHtmlValidatorProcess>

Protected _sanitize

Parameters

process: XssHtmlValidatorProcess

Optional sanitizeOptions: SanitizeOptions

Returns XssHtmlValidatorProcess

Protected _tokenize

Parameters

index: number

Returns string

Protected _unescape

Parameters

process: XssHtmlValidatorProcess

Returns XssHtmlValidatorProcess

validate

Parameters

html: string

Optional context: XssHtmlValidatorContext

Returns Promise<ValidationResult<string>>