<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Sanitization — feedparser 5.1.3 documentation</title> <link rel="stylesheet" href="_static/default.css" type="text/css" /> <link rel="stylesheet" href="_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="_static/feedparser.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '', VERSION: '5.1.3', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="_static/jquery.js"></script> <script type="text/javascript" src="_static/underscore.js"></script> <script type="text/javascript" src="_static/doctools.js"></script> <link rel="top" title="feedparser 5.1.3 documentation" href="index.html" /> <link rel="up" title="Advanced Features" href="advanced.html" /> <link rel="next" title="Content Normalization" href="content-normalization.html" /> <link rel="prev" title="Date Parsing" href="date-parsing.html" /> </head> <body> <div class="related"> <h3>Navigation</h3> <ul> <li class="right" style="margin-right: 10px"> <a href="genindex.html" title="General Index" accesskey="I">index</a></li> <li class="right" > <a href="content-normalization.html" title="Content Normalization" accesskey="N">next</a> |</li> <li class="right" > <a href="date-parsing.html" title="Date Parsing" accesskey="P">previous</a> |</li> <li><a href="index.html">feedparser 5.1.3 documentation</a> »</li> <li><a href="advanced.html" accesskey="U">Advanced Features</a> »</li> </ul> </div> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="section" id="sanitization"> <span id="advanced-sanitization"></span><h1>Sanitization<a class="headerlink" href="#sanitization" title="Permalink to this headline">¶</a></h1> <p>Most feeds embed <abbr title="HyperText Markup Language">HTML</abbr> markup within feed elements. Some feeds even embed other types of markup, such as <abbr title="Scalable Vector Graphics">SVG</abbr> or <abbr title="Mathematical Markup Language">MathML</abbr>. Since many feed aggregators use a web browser (or browser component) to display content, <strong class="program">Universal Feed Parser</strong> sanitizes embedded markup to remove things that could pose security risks.</p> <p>These elements are sanitized by default:</p> <ul class="simple"> <li><a class="reference internal" href="reference-entry-content.html#reference-entry-content"><em>entries[i].content</em></a></li> <li><a class="reference internal" href="reference-entry-summary.html#reference-entry-summary"><em>entries[i].summary</em></a></li> <li><a class="reference internal" href="reference-entry-title.html#reference-entry-title"><em>entries[i].title</em></a></li> <li><a class="reference internal" href="reference-feed-info.html#reference-feed-info"><em>feed.info</em></a></li> <li><a class="reference internal" href="reference-feed-rights.html#reference-feed-rights"><em>feed.rights</em></a></li> <li><a class="reference internal" href="reference-feed-subtitle.html#reference-feed-subtitle"><em>feed.subtitle</em></a></li> <li><a class="reference internal" href="reference-feed-title.html#reference-feed-title"><em>feed.title</em></a></li> </ul> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">If the content is declared to be (or is determined to be) <em class="mimetype">text/plain</em>, it will not be sanitized. This is to avoid data loss. It is recommended that you check the content type in e.g. <tt class="xref py py-attr docutils literal"><span class="pre">entries[i].summary_detail.type</span></tt>. If it is <em class="mimetype">text/plain</em> then it has not been sanitized (and you should perform HTML escaping before rendering the content).</p> </div> <div class="section" id="html-sanitization"> <span id="advanced-sanitization-html"></span><h2><abbr title="HyperText Markup Language">HTML</abbr> Sanitization<a class="headerlink" href="#html-sanitization" title="Permalink to this headline">¶</a></h2> <p>The following <abbr title="HyperText Markup Language">HTML</abbr> elements are allowed by default (all others are stripped):</p> <table class="hlist"><tr><td><ul class="simple"> <li>a</li> <li>abbr</li> <li>acronym</li> <li>address</li> <li>area</li> <li>article</li> <li>aside</li> <li>audio</li> <li>b</li> <li>big</li> <li>blockquote</li> <li>br</li> <li>button</li> <li>canvas</li> <li>caption</li> <li>center</li> <li>cite</li> <li>code</li> <li>col</li> <li>colgroup</li> <li>command</li> <li>datagrid</li> <li>datalist</li> <li>dd</li> <li>del</li> <li>details</li> <li>dfn</li> <li>dialog</li> <li>dir</li> <li>div</li> <li>dl</li> <li>dt</li> <li>em</li> </ul> </td><td><ul class="simple"> <li>event-source</li> <li>fieldset</li> <li>figure</li> <li>font</li> <li>footer</li> <li>form</li> <li>h1</li> <li>h2</li> <li>h3</li> <li>h4</li> <li>h5</li> <li>h6</li> <li>header</li> <li>hr</li> <li>i</li> <li>img</li> <li>input</li> <li>ins</li> <li>kbd</li> <li>keygen</li> <li>label</li> <li>legend</li> <li>li</li> <li>m</li> <li>map</li> <li>menu</li> <li>meter</li> <li>multicol</li> <li>nav</li> <li>nextid</li> <li>noscript</li> <li>ol</li> <li>optgroup</li> </ul> </td><td><ul class="simple"> <li>option</li> <li>output</li> <li>p</li> <li>pre</li> <li>progress</li> <li>q</li> <li>s</li> <li>samp</li> <li>section</li> <li>select</li> <li>small</li> <li>sound</li> <li>source</li> <li>spacer</li> <li>span</li> <li>strike</li> <li>strong</li> <li>sub</li> <li>sup</li> <li>table</li> <li>tbody</li> <li>td</li> <li>textarea</li> <li>tfoot</li> <li>th</li> <li>thead</li> <li>time</li> <li>tr</li> <li>tt</li> <li>u</li> <li>ul</li> <li>var</li> <li>video</li> </ul> </td></tr></table> <p>The following <abbr title="HyperText Markup Language">HTML</abbr> attributes are allowed by default (all others are stripped):</p> <table class="hlist"><tr><td><ul class="simple"> <li>abbr</li> <li>accept</li> <li>accept-charset</li> <li>accesskey</li> <li>action</li> <li>align</li> <li>alt</li> <li>autocomplete</li> <li>autofocus</li> <li>autoplay</li> <li>axis</li> <li>background</li> <li>balance</li> <li>bgcolor</li> <li>bgproperties</li> <li>border</li> <li>bordercolor</li> <li>bordercolordark</li> <li>bordercolorlight</li> <li>bottompadding</li> <li>cellpadding</li> <li>cellspacing</li> <li>ch</li> <li>challenge</li> <li>char</li> <li>charoff</li> <li>charset</li> <li>checked</li> <li>choff</li> <li>cite</li> <li>class</li> <li>clear</li> <li>color</li> <li>cols</li> <li>colspan</li> <li>compact</li> <li>contenteditable</li> <li>coords</li> <li>data</li> <li>datafld</li> <li>datapagesize</li> <li>datasrc</li> <li>datetime</li> <li>default</li> <li>delay</li> <li>dir</li> <li>disabled</li> </ul> </td><td><ul class="simple"> <li>draggable</li> <li>dynsrc</li> <li>enctype</li> <li>end</li> <li>face</li> <li>for</li> <li>form</li> <li>frame</li> <li>galleryimg</li> <li>gutter</li> <li>headers</li> <li>height</li> <li>hidden</li> <li>hidefocus</li> <li>high</li> <li>href</li> <li>hreflang</li> <li>hspace</li> <li>icon</li> <li>id</li> <li>inputmode</li> <li>ismap</li> <li>keytype</li> <li>label</li> <li>lang</li> <li>leftspacing</li> <li>list</li> <li>longdesc</li> <li>loop</li> <li>loopcount</li> <li>loopend</li> <li>loopstart</li> <li>low</li> <li>lowsrc</li> <li>max</li> <li>maxlength</li> <li>media</li> <li>method</li> <li>min</li> <li>multiple</li> <li>name</li> <li>nohref</li> <li>noshade</li> <li>nowrap</li> <li>open</li> <li>optimum</li> <li>pattern</li> </ul> </td><td><ul class="simple"> <li>ping</li> <li>point-size</li> <li>poster</li> <li>pqg</li> <li>preload</li> <li>prompt</li> <li>radiogroup</li> <li>readonly</li> <li>rel</li> <li>repeat-max</li> <li>repeat-min</li> <li>replace</li> <li>required</li> <li>rev</li> <li>rightspacing</li> <li>rows</li> <li>rowspan</li> <li>rules</li> <li>scope</li> <li>selected</li> <li>shape</li> <li>size</li> <li>span</li> <li>src</li> <li>start</li> <li>step</li> <li>summary</li> <li>suppress</li> <li>tabindex</li> <li>target</li> <li>template</li> <li>title</li> <li>toppadding</li> <li>type</li> <li>unselectable</li> <li>urn</li> <li>usemap</li> <li>valign</li> <li>value</li> <li>variable</li> <li>volume</li> <li>vrml</li> <li>vspace</li> <li>width</li> <li>wrap</li> <li>xml:lang</li> </ul> </td></tr></table> </div> <div class="section" id="svg-sanitization"> <span id="advanced-sanitization-svg"></span><h2><abbr title="Scalable Vector Graphics">SVG</abbr> Sanitization<a class="headerlink" href="#svg-sanitization" title="Permalink to this headline">¶</a></h2> <p>The following SVG elements are allowed by default (all others are stripped):</p> <table class="hlist"><tr><td><ul class="simple"> <li>a</li> <li>animate</li> <li>animateColor</li> <li>animateMotion</li> <li>animateTransform</li> <li>circle</li> <li>defs</li> <li>desc</li> <li>ellipse</li> <li>font-face</li> <li>font-face-name</li> <li>font-face-src</li> </ul> </td><td><ul class="simple"> <li>foreignObject</li> <li>g</li> <li>glyph</li> <li>hkern</li> <li>line</li> <li>linearGradient</li> <li>marker</li> <li>metadata</li> <li>missing-glyph</li> <li>mpath</li> <li>path</li> <li>polygon</li> </ul> </td><td><ul class="simple"> <li>polyline</li> <li>radialGradient</li> <li>rect</li> <li>set</li> <li>stop</li> <li>svg</li> <li>switch</li> <li>text</li> <li>title</li> <li>tspan</li> <li>use</li> </ul> </td></tr></table> <p>The following <abbr title="Scalable Vector Graphics">SVG</abbr> attributes are allowed by default (all others are stripped):</p> <table class="hlist"><tr><td><ul class="simple"> <li>accent-height</li> <li>accumulate</li> <li>additive</li> <li>alphabetic</li> <li>arabic-form</li> <li>ascent</li> <li>attributeName</li> <li>attributeType</li> <li>baseProfile</li> <li>bbox</li> <li>begin</li> <li>by</li> <li>calcMode</li> <li>cap-height</li> <li>class</li> <li>color</li> <li>color-rendering</li> <li>content</li> <li>cx</li> <li>cy</li> <li>d</li> <li>descent</li> <li>display</li> <li>dur</li> <li>dx</li> <li>dy</li> <li>end</li> <li>fill</li> <li>fill-opacity</li> <li>fill-rule</li> <li>font-family</li> <li>font-size</li> <li>font-stretch</li> <li>font-style</li> <li>font-variant</li> <li>font-weight</li> <li>from</li> <li>fx</li> <li>fy</li> <li>g1</li> <li>g2</li> <li>glyph-name</li> <li>gradientUnits</li> <li>hanging</li> <li>height</li> <li>horiz-adv-x</li> <li>horiz-origin-x</li> </ul> </td><td><ul class="simple"> <li>id</li> <li>ideographic</li> <li>k</li> <li>keyPoints</li> <li>keySplines</li> <li>keyTimes</li> <li>lang</li> <li>marker-end</li> <li>marker-mid</li> <li>marker-start</li> <li>markerHeight</li> <li>markerUnits</li> <li>markerWidth</li> <li>mathematical</li> <li>max</li> <li>min</li> <li>name</li> <li>offset</li> <li>opacity</li> <li>orient</li> <li>origin</li> <li>overline-position</li> <li>overline-thickness</li> <li>panose-1</li> <li>path</li> <li>pathLength</li> <li>points</li> <li>preserveAspectRatio</li> <li>r</li> <li>refX</li> <li>refY</li> <li>repeatCount</li> <li>repeatDur</li> <li>requiredExtensions</li> <li>requiredFeatures</li> <li>restart</li> <li>rotate</li> <li>rx</li> <li>ry</li> <li>slope</li> <li>stemh</li> <li>stemv</li> <li>stop-color</li> <li>stop-opacity</li> <li>strikethrough-position</li> <li>strikethrough-thickness</li> <li>stroke</li> </ul> </td><td><ul class="simple"> <li>stroke-dasharray</li> <li>stroke-dashoffset</li> <li>stroke-linecap</li> <li>stroke-linejoin</li> <li>stroke-miterlimit</li> <li>stroke-opacity</li> <li>stroke-width</li> <li>systemLanguage</li> <li>target</li> <li>text-anchor</li> <li>to</li> <li>transform</li> <li>type</li> <li>u1</li> <li>u2</li> <li>underline-position</li> <li>underline-thickness</li> <li>unicode</li> <li>unicode-range</li> <li>units-per-em</li> <li>values</li> <li>version</li> <li>viewBox</li> <li>visibility</li> <li>width</li> <li>widths</li> <li>x</li> <li>x-height</li> <li>x1</li> <li>x2</li> <li>xlink:actuate</li> <li>xlink:arcrole</li> <li>xlink:href</li> <li>xlink:role</li> <li>xlink:show</li> <li>xlink:title</li> <li>xlink:type</li> <li>xml:base</li> <li>xml:lang</li> <li>xml:space</li> <li>xmlns</li> <li>xmlns:xlink</li> <li>y</li> <li>y1</li> <li>y2</li> <li>zoomAndPan</li> </ul> </td></tr></table> </div> <div class="section" id="mathml-sanitization"> <span id="advanced-sanitization-mathml"></span><h2><abbr title="Mathematical Markup Language">MathML</abbr> Sanitization<a class="headerlink" href="#mathml-sanitization" title="Permalink to this headline">¶</a></h2> <p>The following <abbr title="Mathematical Markup Language">MathML</abbr> elements are allowed by default (all others are stripped):</p> <table class="hlist"><tr><td><ul class="simple"> <li>annotation</li> <li>annotation-xml</li> <li>maction</li> <li>math</li> <li>merror</li> <li>mfenced</li> <li>mfrac</li> <li>mi</li> <li>mmultiscripts</li> <li>mn</li> <li>mo</li> </ul> </td><td><ul class="simple"> <li>mover</li> <li>mpadded</li> <li>mphantom</li> <li>mprescripts</li> <li>mroot</li> <li>mrow</li> <li>mspace</li> <li>msqrt</li> <li>mstyle</li> <li>msub</li> </ul> </td><td><ul class="simple"> <li>msubsup</li> <li>msup</li> <li>mtable</li> <li>mtd</li> <li>mtext</li> <li>mtr</li> <li>munder</li> <li>munderover</li> <li>none</li> <li>semantics</li> </ul> </td></tr></table> <p>The following <abbr title="Mathematical Markup Language">MathML</abbr> attributes are allowed by default (all others are stripped):</p> <table class="hlist"><tr><td><ul class="simple"> <li>actiontype</li> <li>align</li> <li>close</li> <li>columnalign</li> <li>columnlines</li> <li>columnspacing</li> <li>columnspan</li> <li>depth</li> <li>display</li> <li>displaystyle</li> <li>encoding</li> <li>equalcolumns</li> <li>equalrows</li> <li>fence</li> <li>fontstyle</li> </ul> </td><td><ul class="simple"> <li>fontweight</li> <li>frame</li> <li>height</li> <li>linethickness</li> <li>lspace</li> <li>mathbackground</li> <li>mathcolor</li> <li>mathvariant</li> <li>maxsize</li> <li>minsize</li> <li>open</li> <li>other</li> <li>rowalign</li> <li>rowlines</li> </ul> </td><td><ul class="simple"> <li>rowspacing</li> <li>rowspan</li> <li>rspace</li> <li>scriptlevel</li> <li>selection</li> <li>separator</li> <li>separators</li> <li>stretchy</li> <li>width</li> <li>xlink:href</li> <li>xlink:show</li> <li>xlink:type</li> <li>xmlns</li> <li>xmlns:xlink</li> </ul> </td></tr></table> </div> <div class="section" id="css-sanitization"> <span id="advanced-sanitization-css"></span><h2><abbr title="Cascading Style Sheets">CSS</abbr> Sanitization<a class="headerlink" href="#css-sanitization" title="Permalink to this headline">¶</a></h2> <p>The following <abbr title="Cascading Style Sheets">CSS</abbr> properties are allowed by default in style attributes (all others are stripped):</p> <table class="hlist"><tr><td><ul class="simple"> <li>azimuth</li> <li>background-color</li> <li>border-bottom-color</li> <li>border-collapse</li> <li>border-color</li> <li>border-left-color</li> <li>border-right-color</li> <li>border-top-color</li> <li>clear</li> <li>color</li> <li>cursor</li> <li>direction</li> <li>display</li> <li>elevation</li> <li>float</li> <li>font</li> </ul> </td><td><ul class="simple"> <li>font-family</li> <li>font-size</li> <li>font-style</li> <li>font-variant</li> <li>font-weight</li> <li>height</li> <li>letter-spacing</li> <li>line-height</li> <li>overflow</li> <li>pause</li> <li>pause-after</li> <li>pause-before</li> <li>pitch</li> <li>pitch-range</li> <li>richness</li> </ul> </td><td><ul class="simple"> <li>speak</li> <li>speak-header</li> <li>speak-numeral</li> <li>speak-punctuation</li> <li>speech-rate</li> <li>stress</li> <li>text-align</li> <li>text-decoration</li> <li>text-indent</li> <li>unicode-bidi</li> <li>vertical-align</li> <li>voice-family</li> <li>volume</li> <li>white-space</li> <li>width</li> </ul> </td></tr></table> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">Not all possible CSS values are allowed for these properties. The allowable values are restricted by a whitelist and a regular expression that allows color values and lengths. <abbr title="Uniform Resource Identifier">URI</abbr>s are not allowed, to prevent <a class="reference external" href="http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely">platypus attacks</a>. See the _HTMLSanitizer class for more details.</p> </div> </div> <div class="section" id="whitelist-don-t-blacklist"> <h2>Whitelist, Don’t Blacklist<a class="headerlink" href="#whitelist-don-t-blacklist" title="Permalink to this headline">¶</a></h2> <p>I am often asked why <strong class="program">Universal Feed Parser</strong> is so hard-assed about <abbr title="HyperText Markup Language">HTML</abbr> and <abbr title="Cascading Style Sheets">CSS</abbr> sanitizing. To illustrate the problem, here is an incomplete list of potentially dangerous <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes:</p> <ul class="simple"> <li>script, which can contain malicious script</li> <li>applet, embed, and object, which can automatically download and execute malicious code</li> <li>meta, which can contain malicious redirects</li> <li>onload, onunload, and all other on* attributes, which can contain malicious script</li> <li>style, link, and the style attribute, which can contain malicious script</li> </ul> <p><em>style?</em> Yes, style. <abbr title="Cascading Style Sheets">CSS</abbr> definitions can contain executable code.</p> <div class="section" id="embedding-javascript-in-css"> <h3>Embedding Javascript in <abbr title="Cascading Style Sheets">CSS</abbr><a class="headerlink" href="#embedding-javascript-in-css" title="Permalink to this headline">¶</a></h3> <p>This sample is taken from <a class="reference external" href="http://feedparser.org/docs/examples/rss20.xml">http://feedparser.org/docs/examples/rss20.xml</a>:</p> <div class="highlight-html"><div class="highlight"><pre><span class="nt"><description></span>Watch out for <span class="ni">&lt;</span>span style="background: url(javascript:window.location='http://example.org/')"<span class="ni">&gt;</span> nasty tricks<span class="ni">&lt;</span>/span<span class="ni">&gt;</span><span class="nt"></description></span> </pre></div> </div> <p>This sample is more advanced, and does not contain the keyword javascript: that many naive <abbr title="HyperText Markup Language">HTML</abbr> sanitizers scan for:</p> <div class="highlight-html"><div class="highlight"><pre><span class="nt"><description></span>Watch out for <span class="ni">&lt;</span>span style="any: expression(window.location='http://example.org/')"<span class="ni">&gt;</span> nasty tricks<span class="ni">&lt;</span>/span<span class="ni">&gt;</span><span class="nt"></description></span> </pre></div> </div> <p>Internet Explorer for Windows will execute the Javascript in both of these examples.</p> <p>Now consider that in <abbr title="HyperText Markup Language">HTML</abbr>, attribute values may be entity-encoded in several different ways.</p> </div> <div class="section" id="embedding-encoded-javascript-in-css"> <h3>Embedding encoded Javascript in <abbr title="Cascading Style Sheets">CSS</abbr><a class="headerlink" href="#embedding-encoded-javascript-in-css" title="Permalink to this headline">¶</a></h3> <p>To a browser, this:</p> <div class="highlight-html"><div class="highlight"><pre><span class="nt"><span</span> <span class="na">style=</span><span class="s">"any: expression(window.location='http://example.org/')"</span><span class="nt">></span> </pre></div> </div> <p>is the same as this (without the line breaks):</p> <div class="highlight-html"><div class="highlight"><pre><span class="nt"><span</span> <span class="na">style=</span><span class="s">"&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;</span> <span class="s">&#115;&#115;&#105;&#111;&#110;&#40;&#119;&#105;&#110;&#100;&#111;&#119;</span> <span class="s">&#46;&#108;&#111;&#99;&#97;&#116;&#105;&#111;&#110;&#61;&#39;&#104;</span> <span class="s">&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;</span> <span class="s">&#101;&#46;&#111;&#114;&#103;&#47;&#39;&#41;"</span><span class="nt">></span> </pre></div> </div> <p>which is the same as this (without the line breaks):</p> <div class="highlight-html"><div class="highlight"><pre><span class="nt"><span</span> <span class="na">style=</span><span class="s">"&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;</span> <span class="s">&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;&#x77;&#x69;&#x6e;</span> <span class="s">&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;</span> <span class="s">&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;</span> <span class="s">&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;</span> <span class="s">&#x72;&#x67;&#x2f;&#x27;&#x29;"</span><span class="nt">></span> </pre></div> </div> <p>And so on, plus several other variations, plus every combination of every variation.</p> <p>The more I investigate, the more cases I find where Internet Explorer for Windows will treat seemingly innocuous markup as code and blithely execute it. This is why <strong class="program">Universal Feed Parser</strong> uses a whitelist and not a blacklist. I am reasonably confident that none of the elements or attributes on the whitelist are security risks. I am not at all confident about elements or attributes that I have not explicitly investigated. And I have no confidence at all in my ability to detect strings within attribute values that Internet Explorer for Windows will treat as executable code.</p> <div class="admonition-see-also admonition seealso"> <p class="first admonition-title">See also</p> <dl class="last docutils"> <dt><a class="reference external" href="http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely">How to consume RSS safely</a></dt> <dd>Explains the platypus attack.</dd> </dl> </div> </div> </div> </div> </div> </div> </div> <div class="sphinxsidebar"> <div class="sphinxsidebarwrapper"> <h3><a href="index.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Sanitization</a><ul> <li><a class="reference internal" href="#html-sanitization"><abbr title="HyperText Markup Language">HTML</abbr> Sanitization</a></li> <li><a class="reference internal" href="#svg-sanitization"><abbr title="Scalable Vector Graphics">SVG</abbr> Sanitization</a></li> <li><a class="reference internal" href="#mathml-sanitization"><abbr title="Mathematical Markup Language">MathML</abbr> Sanitization</a></li> <li><a class="reference internal" href="#css-sanitization"><abbr title="Cascading Style Sheets">CSS</abbr> Sanitization</a></li> <li><a class="reference internal" href="#whitelist-don-t-blacklist">Whitelist, Don’t Blacklist</a><ul> <li><a class="reference internal" href="#embedding-javascript-in-css">Embedding Javascript in <abbr title="Cascading Style Sheets">CSS</abbr></a></li> <li><a class="reference internal" href="#embedding-encoded-javascript-in-css">Embedding encoded Javascript in <abbr title="Cascading Style Sheets">CSS</abbr></a></li> </ul> </li> </ul> </li> </ul> <h4>Previous topic</h4> <p class="topless"><a href="date-parsing.html" title="previous chapter">Date Parsing</a></p> <h4>Next topic</h4> <p class="topless"><a href="content-normalization.html" title="next chapter">Content Normalization</a></p> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="_sources/html-sanitization.txt" rel="nofollow">Show Source</a></li> </ul> <div id="searchbox" style="display: none"> <h3>Quick search</h3> <form class="search" action="search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> <p class="searchtip" style="font-size: 90%"> Enter search terms or a module, class or function name. </p> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <div class="clearer"></div> </div> <div class="related"> <h3>Navigation</h3> <ul> <li class="right" style="margin-right: 10px"> <a href="genindex.html" title="General Index" >index</a></li> <li class="right" > <a href="content-normalization.html" title="Content Normalization" >next</a> |</li> <li class="right" > <a href="date-parsing.html" title="Date Parsing" >previous</a> |</li> <li><a href="index.html">feedparser 5.1.3 documentation</a> »</li> <li><a href="advanced.html" >Advanced Features</a> »</li> </ul> </div> <div class="footer"> © Copyright 2004-2008 Mark Pilgrim, 2010-2012 Kurt McKee. Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3. </div> </body> </html>