I decided to tackle "HTML Sanitization" and I ended up doing a package, lol

The Larasane Package.

How did I come to this? In just one day? Well, I was wondering how to properly sanitize HTML, and the first hit on Google was HTML Purifier. After checking it out, I was burned out by the extensive configuration and whatever it needs to run, and updates are yearly, so I looked into other similar packages and I landed on Titouan Galopin's Sanitizer.

The package itself is easier to configure (it works around extensions, which are tag groups), and tag attributes can be further whitelisted (as they should be). It even has link protection and HTTPS enforcement. If no extension is set, all tags are wiped clean.

Now I can safely put a <textarea></textarea> and stop praying the WYSIWYG editor does the heavy lifting or removing sh*t manually on the backend.

43 points | r/laravel | u/DarkGhostHunter | Apr 14 2021
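The features the post lists (tag groups as "extensions", a per-tag attribute whitelist, link protection, HTTPS enforcement, and wiping every tag when no extension is configured) map onto a small allowlist sanitizer. The following is an added example written for this page in Python, not Larasane's or tgalopin/html-sanitizer's code; the group names `basic`, `list` and `image`, the attribute sets, the allowed URL schemes and the `rel` value are assumptions chosen for the illustration.

```python
"""Allowlist HTML sanitizer in the shape the Larasane post describes.
Added example for this page, not Larasane's or tgalopin/html-sanitizer's code.
Group names, attribute sets and the rel value are assumptions for illustration."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumed "extensions": each group maps a tag to the attributes it may keep.
EXTENSIONS = {
    "basic": {"p": set(), "br": set(), "strong": set(), "em": set(),
              "a": {"href", "title"}},
    "list": {"ul": set(), "ol": set(), "li": set()},
    "image": {"img": {"src", "alt", "width", "height"}},
}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}   # relative URLs pass as well
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}               # markup and text both go


class Sanitizer(HTMLParser):
    def __init__(self, extensions=(), force_https=True,
                 link_rel="noopener noreferrer nofollow"):
        super().__init__(convert_charrefs=True)
        self.allowed = {}
        for name in extensions:               # no extension -> every tag wiped
            self.allowed.update(EXTENSIONS[name])
        self.force_https = force_https
        self.link_rel = link_rel
        self.out, self.stack, self.drop_depth = [], [], 0

    def sanitize(self, fragment):
        self.reset()
        self.out, self.stack, self.drop_depth = [], [], 0
        self.feed(fragment)
        self.close()
        while self.stack:                     # balance whatever was left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

    def _clean_url(self, value):
        parts = urlsplit(value.strip())
        scheme = parts.scheme.lower()
        if scheme and scheme not in ALLOWED_SCHEMES:
            return None                       # javascript:, data:, vbscript: ...
        if self.force_https and scheme == "http":
            parts = parts._replace(scheme="https")
        return urlunsplit(parts)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in self.allowed:
            return                            # unknown tag: markup dropped, text kept
        kept = []
        for name, value in attrs:             # html.parser lowercases names
            if name not in self.allowed[tag]:
                continue                      # onclick=, style=, ... never pass
            value = value or ""
            if name in URL_ATTRS:
                value = self._clean_url(value)
                if value is None:
                    continue
            kept.append((name, value))
        if tag == "a" and self.link_rel:      # link protection
            kept.append(("rel", self.link_rel))
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.stack:
            return
        while True:                           # close anything still open inside
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))


if __name__ == "__main__":
    s = Sanitizer(extensions=["basic", "image"])
    print(s.sanitize('<p onclick="x()">hi <a href="javascript:alert(1)">x</a></p>'))
```

The two design points worth copying are that anything not in the allowlist is dropped (unknown tags lose their markup but keep their text, unknown attributes vanish, and `<script>`/`<style>` lose their content as well) and that URL-bearing attributes are parsed and checked by scheme rather than matched against a blacklist of strings. Output is re-serialized from the parsed attributes, so the original quoting and any half-decoded entities never reach the page.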
Google and Mozilla will bake HTML sanitization into their browsers portswigger.net/daily-swi…
2 points | r/devopsish | u/oaf357 | May 05 2021
pybluemonday: Fast HTML Sanitization

Background

Sometimes in projects that have user generated content, you allow users to upload Markdown or HTML. This can be risky if you don't sanitize that content for malicious things like JavaScript.

While I was tackling this I found a few solutions like bleach, html_sanitizer, and lxml's Cleaner. These libraries all work but I found that their performance on complicated HTML snippets was lacking because they needed to rely on html5lib for parsing HTML5, and completely normal content would get mangled without using html5lib.

After struggling with some other ideas, I ended up creating Python bindings around the bluemonday library: https://github.com/ColdHeat/pybluemonday

Performance

By letting Go do the hard parsing and sanitization work, the performance gains are significant.

❯ python benchmarks.py
bleach (20000 sanitizations): 37.613802053
html_sanitizer (20000 sanitizations): 17.645683948
lxml Cleaner (20000 sanitizations): 10.500760227999997
pybluemonday (20000 sanitizations): 0.6188559669999876

Graph: https://github.com/ColdHeat/pybluemonday/raw/master/benchmarks.png

This library is still experimental but it passes some tests (likely more of them) from bluemonday and html_sanitizer.

Hoping this helps people out and also hoping to get some feedback about the overall approach to the bindings.

6 points | r/Python | u/CodeKevin | Dec 12 2020
pybluemonday: Fast HTML Sanitization github.com/ColdHeat/pyblu…
2 points | u/CodeKevin | Dec 12 2020
Client-side vs Server-side HTML Sanitization

Hello everyone,

I've always thought that user input sanitization should be performed server-side. But then, I watched this video about Google Search XSS by LiveOverflow.

From 1:52, he explains that it should be performed client-side because it would be very hard to do it server-side.

But at 2:18, he says "Unfortunately, in the use-case where you want to sanitize HTML and allow certain tags but not others, you want to move the XSS prevention into JavaScript."

However, this only treats the case where you want to allow certain tags but not others, as in Gmail, for example (that example was mentioned at 1:22). But that's not the case for Google Search, right? So why would Google Search perform client-side sanitization, if they don't allow any html tags at all, and why couldn't they just encode every special character server-side? That would be basic, but sufficient protection as the search query is placed inside of the value attribute of an input tag.

Thanks in advance for your help!

23 points | r/LiveOverflow | u/p_vit | May 06 2020
Arithmetic Operators and Optional Chaining to bypass input validation, sanitization, WAF, and HTML encoding secjuice.com/xss-arithmet…
13 points | r/xss | u/theMiddleBlue | Aug 25 2020
XSS: Arithmetic Operators and Optional Chaining to bypass input validation, sanitization, WAF, and HTML encoding secjuice.com/xss-arithmet…
6 points | r/netsec | u/theMiddleBlue | Aug 23 2020
HTML sanitization bypass in Ruby Sanitize < 5.2.1 research.securitum.com/ht…
33 points | r/netsec | u/albinowax | Jul 22 2020
ammonia 1.0.0-rc1, an HTML sanitization crate github.com/notriddle/ammo…
36 points | r/rust | u/WellMakeItSomehow | Sep 26 2017
HTML sanitization - sanitize versus dompurify versus xss filters

I want to display untrusted HTML submitted by users. I want to avoid XSS.

It appears there are three solid libraries for this:

https://github.com/punkave/sanitize-html

https://github.com/cure53/DOMPurify

https://github.com/yahoo/xss-filters

Does anyone have any opinion on the benefits/downsides of each of these solutions?

7 points | r/javascript | u/notconstructive | Sep 27 2016
Gsoup is an HTML sanitization package built on top of x/net/html github.com/neocortical/gs…
10 points | r/golang | u/nate510 | Jan 12 2015
UserHTML: a Python module for HTML sanitization code.google.com/p/userhtm…
30 points | r/programming | u/eurleif | Apr 14 2007
Yesod 0.5.1: HTML sanitization, generalized Hamlet and pluggable authentication docs.yesodweb.com/blog/ye…
8 points | r/haskell | u/snoyberg | Sep 28 2010
Overzealous HTML sanitization
3 points | r/softwaregore | u/Blackshell | Jan 31 2015
HTML Sanitization In Rails That Actually Works viget.com/extend/html-san…
4 points | r/ruby | u/dce | Nov 23 2009
(title missing) 13 points | r/javascript | u/shgysk8zer0 | May 05 2021
(title missing) 4 points | r/webdev | u/shgysk8zer0 | May 05 2021
(title missing) 2 points | u/PatientModBot | May 06 2021
Advanced HTML sanitizing using custom scrubbers blog.bmonkeys.net/2021/ad…
5 points | r/rails | u/2called_chaos | Mar 07 2021
Prototype pollution – and bypassing client-side HTML sanitizers
66 points | u/AnotherGoogleUser | Sep 09 2020
Prototype pollution – and bypassing client-side HTML sanitizers research.securitum.com/pr…
15 points | u/securitymb | Aug 31 2020
Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs blog.mozilla.org/security…
66 points | r/netsec | u/mozfreddyb | Dec 02 2019
HTML sanitizer shard

https://shardbox.org/shards/sanitize

I've created a shard for sanitizing HTML (or XML) documents or fragments. If you have a web application that renders untrusted HTML you should make sure to have a sanitizer to prevent XSS attacks and other potentially harmful doings. That includes rendering markdown.

Since this is a very typical application, there's a dedicated example of how to integrate with Crystal's most popular Markdown shard `markd`.

I'm hoping to receive some reviews on this shard. This is quite a serious matter for production apps. So I'd appreciate anyone looking into it. Please try to break it =)

Besides having a solid filtering mechanism, a key component is to provide good defaults for common use cases. That's where the different [standard configurations](https://straight-shoota.github.io/sanitize/api/latest/Sanitize/Policy/HTMLSanitizer.html#configurations) come into play. Do they make sense for your use cases?

19 points | u/straight-shoota | May 28 2020
GitHub - tgalopin/html-sanitizer: Sanitize untrustworthy HTML user input github.com/tgalopin/html-…
50 points | r/PHP | u/tgalopin | Nov 19 2018
Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs blog.mozilla.org/security…
20 points | r/firefox | Dec 02 2019
Need hints on Bypassing HTML sanitizing in XSS Reflected (GET).

Okay! Here's the thing. I am learning about XSS attacks using the bWAPP buggy platform. Now I understand how XSS Reflected attacks work and I also learned some techniques to bypass some filters. But when I tried those techniques on the XSS Reflected (GET) with high level security, my payload gets sanitized, as in the picture below.

I tried a list of 14XX payloads using the intruder but nothing worked for me. The symbols < > and " change to tags (I guess that's what they call them) &lt; &gt;. I think they call this HTML encoding. I hope my question is as detailed as I wanted it to be. Thank you.

https://preview.redd.it/tr77d50gum341.png?width=1319&format=png&auto=webp&s=900fa7c82984808ace2930cf0970bf812b68aa81

2 points | r/LiveOverflow | u/aminequ | Dec 09 2019
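Both the question above and the earlier thread on client-side versus server-side sanitization (the Google Search case, where the query lands in the `value` attribute of an `<input>`) come down to the same rule: output encoding is specific to the context the data is written into. The following is an added example for this page, not code from either post; it renders constructed payloads into an attribute under three quoting styles, once with the encoder the poster observed (only `<`, `>` and `"` encoded) and once with a full attribute encoder, then re-parses the result with `html.parser` to see whether the payload created an extra attribute or element.

```python
"""Context-specific output encoding for an HTML attribute value.
Added example for this page (not code from either post); payloads are constructed."""
import html
from html.parser import HTMLParser


def encode_lt_gt_quot(s):
    """The encoder the bWAPP post observed: only < > and " become entities."""
    return s.replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;")


def encode_attr(s):
    """Full attribute encoding: & < > " and ' (html.escape with quote=True)."""
    return html.escape(s, quote=True)


def render(value, encoder, quoting='"'):
    """Server-side template for a search box; quoting is '"', "'" or '' (unquoted)."""
    return f'<input name="q" value={quoting}{encoder(value)}{quoting}>'


class _Probe(HTMLParser):
    """Records (tag, attribute names) for every element the parser creates."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def broke_out(markup):
    """True if the rendered markup is anything other than one <input name value>."""
    probe = _Probe()
    probe.feed(markup)
    probe.close()
    return probe.tags != [("input", ["name", "value"])]


# One constructed payload per quoting style: each tries to end the value the
# way that style allows (a " , a ' , or a plain space) and add an event handler.
PAYLOADS = {
    '"': '"><script>alert(1)</script>',
    "'": "' onmouseover='alert(1)",
    "": "x onmouseover=alert(1)",
}
ENCODERS = {"lt_gt_quot": encode_lt_gt_quot, "full": encode_attr}


def matrix():
    """Which (quoting style, encoder) pairs let the payload break out."""
    results = {}
    for quoting, payload in PAYLOADS.items():
        for enc_name, enc in ENCODERS.items():
            label = quoting or "unquoted"
            results[(label, enc_name)] = broke_out(render(payload, enc, quoting))
    return results


if __name__ == "__main__":
    for (style, enc_name), escaped in sorted(matrix().items()):
        print(f"{style:>8} {enc_name:>10}: {'BROKE OUT' if escaped else 'contained'}")
```

For a double-quoted attribute, encoding `<`, `>` and `"` already keeps the payload inside the value, which is why the poster's list of payloads comes back inert and why encoding the query server-side is enough for a plain search box. The encoder has to cover `'` as soon as the template uses single quotes, and no entity encoding rescues an unquoted attribute, because a space ends the value; the fix there is in the template, not the encoder. None of this helps when the page builds markup from the query in JavaScript after the response has left the server; that is the situation where the encoding has to move to the client.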
Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs blog.mozilla.org/security…
4 points | r/Slackers | u/mozfreddyb | Dec 02 2019
Improper Html Sanitation

View the below link in a normal web browser and Reddhub: http://www.reddit.com/r/programming/comments/1rn85e

Note Fringe_Worthy's comment.

8 points | r/ReddHub | u/alleycat5 | Nov 29 2013
The new HTML sanitizer in Rails 4.2 blog.plataformatec.com.br…
3 points | r/rails | u/hugobarauna | Jul 25 2014
HTML Sanitizer for Elixir github.com/rrrene/html_sa…
6 points | r/elixir | u/elixirstatus | Aug 01 2015
Sanitize: A whitelist-based Ruby HTML sanitizer wonko.com/post/sanitize
9 points | r/ruby | u/gst | Jan 01 2009
Coffee on the Keyboard » Bleach, HTML sanitizer and auto-linker coffeeonthekeyboard.com/b…
3 points | r/Python | u/number5 | Nov 08 2010
Beta 0.5.7 Release Notes

From Atropos:

Hi everyone I'm thrilled to release Foundry Virtual Tabletop Beta 0.5.7, a minor update which is a stable Beta release for all Patreon supporters and Foundry license owners. Most importantly, this release marks a huge milestone, this is the last Foundry VTT update for Patreon supporters. Every update after this one will require a purchased license key to obtain. For everyone who supported the Foundry project during Beta I would like to personally thank you, regardless of whether you supported for one month, or for 22. It's been an incredible journey to get to this point and I would not have made it here without the Foundry community. I can share a few basic data points which highlight what an incredible whirlwind journey it has been:

  • 22 months
  • 1,285 commits (1.94 per day)
  • 2,586 GitLab issues (3.33 per day)
  • 3,822 unique Patreon supporters

I find these numbers pretty hard to believe, so I feel very fortunate to have made it this far with so many of you involved!

Overview of Changes

This stable update includes all of the changes from the 0.5.6 Update, if you are updating directly from 0.5.5 or earlier I advise you to read through those update notes first. The theme for this update revolves around bug fixes, adjustments, and stability improvements for the 0.5.6 changes.

I'm using a new routine of hosting a Developer Q&A on Twitch to review and showcase the new features each update. Thanks to everyone who joined me for this installment, you can find the recorded broadcast on Twitch if you would like to watch and learn about the adjustments.

About this Update

Please read the following important reminder about this update.

Many of you have arrived recently to the Foundry community you will

... keep reading on reddit →

43 points | r/FoundryVTT | u/gerry3246 | May 17 2020
Sass Error? When pushing to Heroku

I cannot figure it out. any ideas?

git push heroku development:main                       
Enumerating objects: 903, done.
Counting objects: 100% (903/903), done.
Delta compression using up to 8 threads
Compressing objects: 100% (856/856), done.
Writing objects: 100% (903/903), 543.20 KiB | 5.72 MiB/s, done.
Total 903 (delta 539), reused 0 (delta 0), pack-reused 0
remote: Compressing source files... done.
remote: Building source:
remote: 
remote: -----> Building on the Heroku-20 stack
remote: -----> Determining which buildpack to use for this app
remote:  !     Warning: Multiple default buildpacks reported the ability to handle this app. The first buildpack in the list below will be used.
remote:                         Detected buildpacks: Ruby,Node.js
remote:                         See https://devcenter.heroku.com/articles/buildpacks#buildpack-detect-order
remote: -----> Ruby app detected
remote: -----> Installing bundler 2.2.21
remote: -----> Removing BUNDLED WITH version in the Gemfile.lock
remote: -----> Compiling Ruby/Rails
remote: -----> Using Ruby version: ruby-2.7.2
remote: -----> Installing dependencies using bundler 2.2.21
remote:        Running: BUNDLE_WITHOUT='development:test' BUNDLE_PATH=vendor/bundle BUNDLE_BIN=vendor/bundle/bin BUNDLE_DEPLOYMENT=1 bundle install -j4
remote:        Fetching gem metadata from https://rubygems.org/
remote:        Fetching gem metadata from https://rubygems.org/............
remote:        Fetching rake 13.0.6
remote:        Installing rake 13.0.6
remote:        Fetching minitest 5.14.4
remote:        Fetching zeitwerk 2.4.2
remote:        Fetching builder 3.2.4
remote:        Fetching concurrent-ruby 1.1.9
remote:        Installing zeitwerk 2.4.2
remote:        Installing builder 3.2.4
remote:        Installing minitest 5.14.4
remote:        Fetching erubi 1.10.0
remote:        Installing concurrent-ruby 1.1.9
remote:        Fetching mini_portile2 2.6.1
remote:        Installing erubi 1.10.0
remote:        Fetching racc 1.5.2
remote:        Fetching crass 1.0.6
remote:        Installing mini_portile2 2.6.1
remote:        Installing crass 1.0.6
remote:        Fetching rack 2.2.3
remote:        Fetching nio4r 2.5.8
remote:        Installing racc 1.5.2 with native extensions
remote:        Installing rack 2.2.3
... keep reading on reddit →

2 points | r/rails | u/zilton7000 | Sep 29 2021
How to sanitize HTML strings with vanilla JS to reduce your risk of XSS attacks gomakethings.com/how-to-s…
30 points | r/cybersecurity | u/speckz | Aug 12 2021
Beta 0.5.2 Release Notes

Note: This release is available to Council Tier Patreon backers. A release for all Patreon backers will be along in a few days.

NOTE: This and future releases will REQUIRE node.js v12.x or higher!

(from Release Notes by /u/atropos_nyx)

Hi everyone, I'm extremely happy to share the Beta 0.5.2 update which is one of the biggest update versions ever, clocking in with 89 issues closed in the GitLab milestone, encompassing new features, bug fixes, and API improvements. This is an even-numbered "major" update so it focuses heavily on adding new functionality and API changes to the software for testing by Alpha tier Patreon supporters.

The most significant improvements in this update version include a brand new permission control system, support for inline dice rolls, a built-in grid configuration tool, the ability to bulk upload assets, expanded Token features like light emission color, and many minor features.

Thank you all so very much for supporting my project and relying on Foundry Virtual Tabletop to bring us all together amidst health concerns and difficult times of social distancing. Please stay healthy, care for each other, and stay up to date on progress by following the project roadmap on GitLab: https://gitlab.com/foundrynet/foundryvtt/boards.

New Features

  • Beta 0.5.2 includes a major new feature of a configurable role permission system which allows you to fine-tune and customize which User roles are allowed to take which actions. Each permission describes an action that can be taken, and the permission to perform that action can be enabled or disabled for each User role level independently. The initial set of actions which can be configured by this system include the following:
    • Broadcast Audio - allows broadcasting audio when A/V is enabled
    • Broadcast Video - allows broadcasting video when A/V is enabled
    • Create Actor - allows creating new Actor entities in the world
    • Create Drawing - allows creation of Drawings using the drawing tools
    • Create Item - allows creation of Item entities within the world
    • Create Token - al
... keep reading on reddit →

23 points | r/FoundryVTT | u/gerry3246 | Mar 26 2020
PHP beginner: what's the best way to sanitize text when fetched from the database? Using both strip_tags and htmlspecialchars? I want to sanitize the text but make sure some tags are not turned into HTML entities like <a> and <li>

Hi

I'm a PHP beginner and I'm making a small system as a practice that fetches some texts from the SQL database. Some of the texts have HTML tags inside them like a, li, ul, strong, ... but I want to make sure that some dangerous ones like <script> are removed or turned into HTML entities so they are harmless.

What's the best way of sanitizing text when you want certain tags to be kept unchanged? A combination of the two, or just one (which one)?

Thanks

4 points | r/PHPhelp | u/ashkanahmadi | Jun 28 2021
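To see what each of the two functions in the question actually does to markup, here is an added example for this page in Python, not the poster's code: `strip_tags_like` and `htmlspecialchars_like` are assumed approximations of PHP's `strip_tags($s, '<a><li>...')` and `htmlspecialchars($s)`, applied to a constructed snippet, and `inspect_markup` reports which elements, and which event-handler or `javascript:` attributes, a browser would still act on.

```python
"""What strip_tags()-style and htmlspecialchars()-style filtering each leave behind.
Added example for this page, not the poster's code; the two *_like functions are
assumed approximations of the PHP functions, and SAMPLE is constructed."""
import html
import re
from html.parser import HTMLParser

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def strip_tags_like(markup, allowed_tags):
    """Model of strip_tags($s, '<a><li>...'): tags outside the list are removed
    (their text stays), tags on the list are kept verbatim, attributes included."""
    def keep_or_drop(match):
        return match.group(0) if match.group(2).lower() in allowed_tags else ""
    return TAG_RE.sub(keep_or_drop, markup)


def htmlspecialchars_like(markup):
    """Model of htmlspecialchars($s): & < > " ' become entities; nothing is a tag."""
    return html.escape(markup, quote=True)


class _Elements(HTMLParser):
    """Collects the elements and attributes a browser would actually create."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend((tag, name, value or "") for name, value in attrs)


def inspect_markup(markup):
    """Return (elements created, [(tag, attr)] that run script: on* handlers and
    javascript: URLs). Entity-encoded text creates no elements, so it never counts."""
    parser = _Elements()
    parser.feed(markup)
    parser.close()
    dangerous = [(tag, name) for tag, name, value in parser.attrs
                 if name.startswith("on") or value.strip().lower().startswith("javascript:")]
    return parser.tags, dangerous


# Constructed input: the tags the question wants to keep, plus the two
# ways an attacker smuggles script past a tag-only filter.
SAMPLE = ('<ul><li><a href="javascript:alert(1)" onclick="steal()">link</a></li></ul>'
          '<script>alert(2)</script><strong>bold</strong>')
WANTED = {"a", "li", "ul", "strong"}


def compare(markup=SAMPLE, allowed_tags=WANTED):
    """Run the three strategies the question considers over the same input."""
    return {
        "strip_tags": inspect_markup(strip_tags_like(markup, allowed_tags)),
        "htmlspecialchars": inspect_markup(htmlspecialchars_like(markup)),
        "strip_then_escape": inspect_markup(
            htmlspecialchars_like(strip_tags_like(markup, allowed_tags))),
    }


if __name__ == "__main__":
    for name, (tags, dangerous) in compare().items():
        print(f"{name:>18}: elements={tags} script-bearing={dangerous}")
```

`strip_tags` removes the `<script>` element but keeps its text, and it keeps every attribute on a tag it allows, so the `onclick` handler and the `javascript:` link survive. `htmlspecialchars` neutralizes all of it, including the `<a>` and `<li>` you wanted to keep, and applying the two in sequence gives the same result as `htmlspecialchars` alone. Keeping some tags safely means allowlisting the tags, then the attributes on each tag, then the URL schemes in `href` and `src`; that is the job of a sanitizer such as HTML Purifier or the html-sanitizer package mentioned elsewhere in this listing, not of either function.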
$BANT market liking the news! Bantec Begins Selling Bantec Sanitizing Franchises This Week https://finance.yahoo.com/news/bantec-begins-selling-bantec-sanitizing-140000858.html?soc_src=social-sh&soc_trk=tw&tsrc=twtr via @Yahoo
3 points | r/10xPennyStocks | u/stocktime6 | Aug 05 2021