This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Java HTML Sanitizer Project

From OWASP
(Redirected from OWASP Java HTML Sanitizer)
Jump to: navigation, search
OWASP Project Header.jpg

OWASP HTML Sanitizer Project

The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations. This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review. A great place to get started using the OWASP Java HTML Sanitizer is here: https://github.com/OWASP/java-html-sanitizer/blob/master/docs/getting_started.md.

Benefits

  • Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
  • Actively maintained by Mike Samuel from Google's AppSec team!
  • Passing 95+% of AntiSamy's unit tests plus many more.
  • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
  • Java 1.5+
  • Provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode.

Licensing

The OWASP HTML Sanitizer is free to use and is dual licensed under the Apache 2 License and the New BSD License.

What is this?

The OWASP HTML Sanitizer Projects provides Java based HTML sanitization of untrusted HTML!

Code Repo

OWASP HTML Sanitizer at GitHub

Email List

Questions? Please sign up for our Project Support List

Project Leaders

Author/Project Leader
Mike Samuel @

Project Manager
Jim Manico @

Related Projects

Ohloh

Quick Download

OWASP HTML Sanitizer at Maven Central

News and Events

  • [20 Feb 2018] Update 20180219.1 addresses iOS/MacOS "text bomb"
  • [3 April 2017] HTML5 Support Update
  • [28 June 2016] v20160628.1 Released
  • [14 Apr 2016] v20160413.1 Released
  • [1 May 2015] Move to GitHub
  • [2 July 2014] v239 Released
  • [3 Mar 2014] v226 Released
  • [5 Feb 2014] New Wiki
  • [4 Sept 2013] v209 Released

Change Log

For recent release notes, please visit the changelog on GitHub.

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Apache 2 License
Project Type Files CODE.jpg