trusty (3) HTMLDocument.WhiteList.3kaya.gz

Provided by: kaya_0.4.4-6ubuntu3_amd64

NAME

       HTMLDocument::WhiteList - Elements to allow in String->HTML conversion

SYNOPSIS

       HTMLDocument::WhiteList< >
            = UltraSafe()
            | InlineOnly(HTMLDocument::ConversionSafety sa)
            | AllElements(HTMLDocument::ConversionSafety sb)
            | Unchecked()
            | CustomWhitelist(Dict::Dict<String, [String]> whitelist)

DESCRIPTION

       When converting from a String to HTML, rather than simply adding a String to an existing element where it
       will be escaped, the elements allowed in the conversion should depend on how trustworthy the String is.
       Generally, any unauthenticated user-supplied data should be treated extremely cautiously, and even
       authenticated user-supplied data should be treated with some caution in case the authentication is
       broken.

       String to HTML conversion exposes your application to potential cross-site scripting attacks
       ⟨http://www.cert.org/archive/pdf/cross_site_scripting.pdf⟩, especially if the allowed element list is
       generous.

     - UltraSafe - removes all tags and attributes. This differs from adding the string directly as text,
       which escapes them. This conversion method is immune to cross-site scripting.

     - InlineOnly - allows only inline elements.

     - AllElements - allows inline and block elements.

     - Unchecked - allows all tags and attributes. Use this only on completely trusted data, as it allows
       trivial cross-site scripting attacks if an attacker can control the String being converted.

     - CustomWhitelist - create your own whitelist of elements. The whitelist is a Dict(3kaya) with the
       allowed elements as the key and the list of allowed attributes for that element as the value. The
       string "*" will match any element as the key, or any attribute as an item in the value list, which is
       generally not a good idea for anything other than completely trusted data.

       For the InlineOnly and AllElements options, you also need to select a HTMLDocument.ConversionSafety
       (3kaya).
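
       The CustomWhitelist semantics described above (element keys, attribute lists, the "*" wildcard),
       modelled in Python as an added example; it is not Kaya code or the Kaya library's implementation, and
       it assumes a disallowed tag is dropped while its text is kept. WhitelistFilter, convert,
       wildcard_entries and the sample data are hypothetical names constructed for this illustration.

```python
# Added illustration: models the CustomWhitelist semantics in Python.
# This is not Kaya code and not the Kaya library's implementation.
from html import escape
from html.parser import HTMLParser

VOID = {"br", "hr", "img"}  # elements that take no closing tag

class WhitelistFilter(HTMLParser):
    """Re-emit only the tags and attributes that `whitelist` permits."""

    def __init__(self, whitelist):
        super().__init__(convert_charrefs=True)
        self.whitelist = whitelist  # element -> list of allowed attributes
        self.out = []

    def allowed_attrs(self, tag):
        # "*" as a key matches any element; None means "element not allowed".
        return self.whitelist.get(tag, self.whitelist.get("*"))

    def handle_starttag(self, tag, attrs):
        allowed = self.allowed_attrs(tag)
        if allowed is None:
            return  # assumption: the tag is dropped and its text is kept
        kept = [(k, v) for k, v in attrs if "*" in allowed or k in allowed]
        rendered = "".join(' %s="%s"' % (escape(k), escape(v or "")) for k, v in kept)
        self.out.append("<%s%s>" % (tag, rendered))

    def handle_endtag(self, tag):
        if self.allowed_attrs(tag) is not None and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always escaped

def convert(text, whitelist):
    parser = WhitelistFilter(whitelist)
    parser.feed(text)
    parser.close()
    return "".join(parser.out)

def wildcard_entries(whitelist):
    """Return the keys whose entry uses "*", so they can be reviewed."""
    return sorted(k for k, v in whitelist.items() if k == "*" or "*" in v)

# Constructed sample input and whitelists.
SAMPLE = '<p class="x" onclick="f()">Hi <b>there</b> <i>all</i></p>'
STRICT = {"p": ["class"], "b": []}
LOOSE = {"p": ["*"], "b": []}
```

       With STRICT only the class attribute survives on p; with LOOSE the "*" attribute entry passes the
       onclick handler through, and wildcard_entries(LOOSE) reports "p" as the entry to review.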

AUTHORS

       Kaya standard library by Edwin Brady, Chris Morris and others (kaya@kayalang.org). For further
       information see http://kayalang.org/

LICENSE

       The Kaya standard library is free software; you can redistribute it and/or modify it under the terms of
       the GNU Lesser General Public License (version 2.1 or any later version) as published by the Free
       Software Foundation.

       HTMLDocument.ConversionSafety (3kaya)
       HTMLDocument.readFromString (3kaya)