[Cryptography] filtering html

Ron Garret ron at flownet.com
Sun Oct 15 19:50:02 EDT 2017


On Oct 15, 2017, at 1:12 AM, James A. Donald <jamesd at echeque.com> wrote:

> An arbitrary and possibly hostile web page passes through proxy or a server, which makes a record of it.
> 
> Is there any easy way to filter that web page, stripping out javascript and links to outside images and such, so that record is guaranteed to display the same way, or closely equivalent way, as the original?
> 
> Seems to me this is a job for an html compiler, that you need to parse it, filter the parse tree, and then regenerate the vanilla html document from the parse tree.  Which sounds like a great deal of work.
> 
> But there are lots of services that allow one client to generate html that will be seen in their web page by another client.  Which gives Bob the potential to doing surprising things to Carol's subscription when Carol views content supplied by Bob, so this problem, or somewhat similar problems, must have been solved many times before, the problem of rendering html incapable of doing surprising things.

You want DOMPurify.

https://github.com/cure53/DOMPurify

rg



More information about the cryptography mailing list