html-sanitizing

What's wrong with this line of code? <%= submit_tag "Delete <i class='icon-check'></i>".html_safe, :disable_with => "Deleting", :class => "btn btn-danger"%> This literally produces: Evidently my html_safe call isn't doing anything. Background: I'm using Twitter Bootstrap as well as Font Awesome and I'm essentially trying to achieve a submit button with an icon inside of it. Noz To extend on Lukas' answer I needed a button tag rather than an input. This code produced the effect I was looking for: <button type="submit" class="btn btn-danger"> Delete <i class="icon-check"></i> </button> Which

I'm starting a project that will be public facing using asp.net mvc. I know there are about a billion php, python, and ruby html sanitizers out there, but does anyone have some pointers to anything good in .net? What are your experiences with what is out there? I know stackoverflow is a site done in asp.net that allows freeform HTML, what does it use? http://blog.stackoverflow.com/2008/06/safe-html-and-xss/ pattermeister HtmlSanitizer Source: https://github.com/mganss/HtmlSanitizer A fairly robust sanitizer. It understands and can clean inline styles, but doesn't have a parser that can deal

I'm using Jsoup with relaxed whitelist. It seems perfect but I would like to keep the embedded images tags like <img alt="" src="data:;base64 . Is there a way to modify the whitelist to accept also those img? Edit : If I use Whitelist.relaxed().addProtocols("img","src","data") then those img tags are not removed. But it accepts anything after "data:" and I would like just to keep them if src content starts with "data:;base64". Is it possible with jsoup? You can extend Whitelist and override isSafeAttribute to perform custom checks. As there's no way to extend Whitelist.relaxed() directly, you

Using Rails, I need to get a plain text and show it as HTML, but I don't want to use <pre> tag, as it changes the format. I needed to subclass HTML::WhiteListSanitizer to escape non whitelisted tags (by changing process_node ), monkey patch HTML::Node to don't downcase tags' names and monkey patch HTML::Text to apply <wbr /> word splitting: class Text2HTML def self.convert text text = simple_format text text = auto_link text, :all, :target => '_blank' text = NonHTMLEscaper.sanitize text text end # based on http://www.ruby-forum.com/topic/87492 def self.wbr_split str, len = 10 fragment = /.{#

I'm looking for a simple HTML sanitizer written in JavaScript. It doesn't need to be 100% XSS secure. I'm implementing Markdown and the WMD Markdown editor (The SO master branch from github) on my website. The problem is that the HTML shown in the live preview isn't filtered, like it here on SO. I am looking for a simple/quick HTML sanitizer written in JavaScript so that i can filter the contents of the preview window. No need for a full parser with complete XSS protection. I'm not sending the output back to the server. I'm sending the Markdown to the server where I use a proper, full HTML

Is there any HTML sanitizer or cleanup methods available in any JSF utilities kit or libraries like PrimeFaces/OmniFaces? I need to sanitize HTML input by user via p:editor and display safe HTML output using escape="true" , following the stackexchange style. Before displaying the HTML I'm thinking to store sanitized input data to the database, so that it is ready to safe use with escape="true" and XSS is not a danger. BalusC In order to achieve that, you basically need a standalone HTML parser . HTML parsing is rather complex and the task and responsibility of that is beyond the scope of JSF,