Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   31170 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

Scrubber(3)	      User Contributed Perl Documentation	   Scrubber(3)

NAME
       HTML::Scrubber - Perl extension for scrubbing/sanitizing html

SYNOPSIS
	   #!/usr/bin/perl -w
	   use HTML::Scrubber;
	   use strict;
										   #
	   my $html = q[
	   <style type="text/css"> BAD { background: #666; color: #666;} </style>
	   <script language="javascript"> alert("Hello, I am EVIL!");	 </script>
	   <HR>
	       a   => <a href=1>link </a>
	       br  => <br>
	       b   => <B> bold </B>
	       u   => <U> UNDERLINE </U>
	   ];
										   #
	   my $scrubber = HTML::Scrubber->new( allow => [ qw[ p b i u hr br ] ] ); #
										   #
	   print $scrubber->scrub($html);					   #
										   #
	   $scrubber->deny( qw[ p b i u hr br ] );				   #
										   #
	   print $scrubber->scrub($html);					   #
										   #

DESCRIPTION
       If you wanna "scrub" or "sanitize" html input in a reliable an flexible
       fashion, then this module is for you.

       I wasn't satisfied with HTML::Sanitizer because it is based on
       HTML::TreeBuilder, so I thought I'd write something similar that works
       directly with HTML::Parser.

METHODS
       First a note on documentation: just study the EXAMPLE below.  It's all
       the documentation you could need

       Also, be sure to read all the comments as well as How does it work?.

       If you're new to perl, good luck to you.

   comment
	   warn "comments are  ", $p->comment ? 'allowed' : 'not allowed';
	   $p->comment(0);  # off by default

   process
	   warn "process instructions are  ", $p->process ? 'allowed' : 'not allowed';
	   $p->process(0);  # off by default

   script
	   warn "script tags (and everything in between) are supressed"
	       if $p->script;	   # off by default
	   $p->script( 0 || 1 );

       ** Please note that this is implemented using HTML::Parser's
       ignore_elements function, so if "script" is set to true, all script
       tags encountered will be validated like all other tags.

   style
	   warn "style tags (and everything in between) are supressed"
	       if $p->style;	   # off by default
	   $p->style( 0 || 1 );

       ** Please note that this is implemented using HTML::Parser's
       ignore_elements function, so if "style" is set to true, all style tags
       encountered will be validated like all other tags.

   allow
	   $p->allow(qw[ t a g s ]);

   deny
	   $p->deny(qw[ t a g s ]);

   rules
	   $p->rules(
	       img => {
		   src => qr{^(?!http://)}i, # only relative image links allowed
		   alt => 1,		     # alt attribute allowed
		   '*' => 0,		     # deny all other attributes
	       },
	       b => 1,
	       ...
	   );

   default
	   print "default is ", $p->default();
	   $p->default(1);	# allow tags by default
	   $p->default(
	       undef,		# don't change
	       {		# default attribute rules
		   '*' => 1,	# allow attributes by default
	       }
	   );

   scrub_file
	   $html = $scrubber->scrub_file('foo.html');	## returns giant string
	   die "Eeek $!" unless defined $html;	## opening foo.html may have failed
	   $scrubber->scrub_file('foo.html', 'new.html') or die "Eeek $!";
	   $scrubber->scrub_file('foo.html', *STDOUT)
	       or die "Eeek $!"
		   if fileno STDOUT;

   scrub
	   print $scrubber->scrub($html);  ## returns giant string
	   $scrubber->scrub($html, 'new.html') or die "Eeek $!";
	   $scrubber->scrub($html', *STDOUT)
	       or die "Eeek $!"
		   if fileno STDOUT;

How does it work?
       When a tag is encountered, HTML::Scrubber allows/denies the tag using
       the explicit rule if one exists.

       If no explicit rule exists, Scrubber applies the default rule.

       If an explicit rule exists, but it's a simple rule(1), the default
       attribute rule is applied.

   EXAMPLE
	   #!/usr/bin/perl -w
	   use HTML::Scrubber;
	   use strict;
										   #
	   my @allow = qw[ br hr b a ];
										   #
	   my @rules = (
	       script => 0,
	       img => {
		   src => qr{^(?!http://)}i, # only relative image links allowed
		   alt => 1,		     # alt attribute allowed
		   '*' => 0,		     # deny all other attributes
	       },
	   );
										   #
	   my @default = (
	       0   =>	 # default rule, deny all tags
	       {
		   '*'		 => 1, # default rule, allow all attributes
		   'href'	 => qr{^(?!(?:java)?script)}i,
		   'src'	 => qr{^(?!(?:java)?script)}i,
	   #   If your perl doesn't have qr
	   #   just use a string with length greater than 1
		   'cite'	 => '(?i-xsm:^(?!(?:java)?script))',
		   'language'	 => 0,
		   'name'	 => 1, # could be sneaky, but hey ;)
		   'onblur'	 => 0,
		   'onchange'	 => 0,
		   'onclick'	 => 0,
		   'ondblclick'	 => 0,
		   'onerror'	 => 0,
		   'onfocus'	 => 0,
		   'onkeydown'	 => 0,
		   'onkeypress'	 => 0,
		   'onkeyup'	 => 0,
		   'onload'	 => 0,
		   'onmousedown' => 0,
		   'onmousemove' => 0,
		   'onmouseout'	 => 0,
		   'onmouseover' => 0,
		   'onmouseup'	 => 0,
		   'onreset'	 => 0,
		   'onselect'	 => 0,
		   'onsubmit'	 => 0,
		   'onunload'	 => 0,
		   'src'	 => 0,
		   'type'	 => 0,
	       }
	   );
										   #
	   my $scrubber = HTML::Scrubber->new();
	   $scrubber->allow( @allow );
	   $scrubber->rules( @rules ); # key/value pairs
	   $scrubber->default( @default );
	   $scrubber->comment(1); # 1 allow, 0 deny
										   #
	   ## preferred way to create the same object
	   $scrubber = HTML::Scrubber->new(
	       allow   => \@allow,
	       rules   => \@rules,
	       default => \@default,
	       comment => 1,
	       process => 0,
	   );
										   #
	   require Data::Dumper,die Data::Dumper::Dumper($scrubber) if @ARGV;
										   #
	   my $it = q[
	       <?php   echo(" EVIL EVIL EVIL "); ?>    <!-- asdf -->
	       <hr>
	       <I FAKE="attribute" > IN ITALICS WITH FAKE="attribute" </I><br>
	       <B> IN BOLD </B><br>
	       <A NAME="evil">
		   <A HREF="javascript:alert('die die die');">HREF=JAVA <!></A>
		   <br>
		   <A HREF="image/bigone.jpg" ONMOUSEOVER="alert('die die die');">
		       <IMG SRC="image/smallone.jpg" ALT="ONMOUSEOVER JAVASCRIPT">
		   </A>
	       </A> <br>
	   ];
										   #
	   print "#original text",$/, $it, $/;
	   print
	       "#scrubbed text (default ",
	       $scrubber->default(), # no arguments returns the current value
	       " comment ",
	       $scrubber->comment(),
	       " process ",
	       $scrubber->process(),
	       " )",
	       $/,
	       $scrubber->scrub($it),
	       $/;
										   #
	   $scrubber->default(1); # allow all tags by default
	   $scrubber->comment(0); # deny comments
										   #
	   print
	       "#scrubbed text (default ",
	       $scrubber->default(),
	       " comment ",
	       $scrubber->comment(),
	       " process ",
	       $scrubber->process(),
	       " )",
	       $/,
	       $scrubber->scrub($it),
	       $/;
										   #
	   $scrubber->process(1);	 # allow process instructions (dangerous)
	   $default[0] = 1;		 # allow all tags by default
	   $default[1]->{'*'} = 0;	 # deny all attributes by default
	   $scrubber->default(@default); # set the default again
										   #
	   print
	       "#scrubbed text (default ",
	       $scrubber->default(),
	       " comment ",
	       $scrubber->comment(),
	       " process ",
	       $scrubber->process(),
	       " )",
	       $/,
	       $scrubber->scrub($it),
	       $/;

   FUN
       If you have Test::Inline (and you've installed HTML::Scrubber), try

	   pod2test Scrubber.pm >scrubber.t
	   perl scrubber.t

SEE ALSO
       HTML::Parser, Test::Inline, HTML::Sanitizer.

BUGS/SUGGESTIONS/ETC
       Please use https://rt.cpan.org/NoAuth/Bugs.html?Dist=HTML-Scrubber to
       report bugs/additions/etc or send mail to
       <bug-HTML-Scrubber#rt.cpan.org>.

AUTHOR
       D. H. (PodMaster)

LICENSE
       Copyright (c) 2003-2004 by D.H. (PodMaster). All rights reserved.

       This module is free software; you can redistribute it and/or modify it
       under the same terms as Perl itself.  The LICENSE file contains the
       full text of the license.

perl v5.14.1			  2011-06-20			   Scrubber(3)

Vote for polarhome