Is there a way to find out if input is being sanitized or not

Kavitha Venkataswamy

Feb 21, 2017, 5:13:53 PM
to OWASP Java HTML Sanitizer Support
Hi,

I am looking to use HTML sanitizer. Is there a way to determine if input is sanitized or not? I have a use case: if sanitized, take some action.

If this feature is not available, can you throw some light on whether there is a way to achieve this?

Thanks
Kavitha

Mike Samuel

Feb 21, 2017, 5:26:06 PM
to OWASP Java HTML Sanitizer Support


On Feb 21, 2017 5:13 PM, "Kavitha Venkataswamy" <kvenkat...@gmail.com> wrote:
> Hi,
>
> I am looking to use HTML sanitizer. Is there a way to determine if input is sanitized or not? I have a use case: if sanitized, take some action.


Be aware though that just because no changes were reported, the input is not necessarily safe to embed -- only ever embed the output from the sanitizer.

https://github.com/OWASP/java-html-sanitizer/blob/master/docs/html-validation.md addresses some common misconceptions about the relationship between "0 policy violations" and "is safe."


> If this feature is not available, can you throw some light on whether there is a way to achieve this?
>
> Thanks
> Kavitha
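
An added example, not part of the original thread or the project's own code: one way to get a "did the policy discard anything" signal through the library's `HtmlChangeListener`, while still embedding only the sanitizer's output as the reply advises. The policy choice, the class and field names, and the sample inputs are assumptions; it needs the owasp-java-html-sanitizer jar on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SanitizeAndReport {
  // Example policy (an assumption): inline formatting plus links.
  static final PolicyFactory POLICY = Sanitizers.FORMATTING.and(Sanitizers.LINKS);

  /** Sanitizer output plus a record of what the policy discarded. */
  static final class Result {
    final String safeHtml;          // the only value that may be embedded in a page
    final List<String> discarded;   // tags/attributes the policy dropped
    Result(String safeHtml, List<String> discarded) {
      this.safeHtml = safeHtml;
      this.discarded = discarded;
    }
    boolean policyDiscardedSomething() { return !discarded.isEmpty(); }
  }

  static Result sanitize(String untrusted) {
    List<String> discarded = new ArrayList<>();
    // The third argument is handed back to every listener callback as its context.
    String safe = POLICY.sanitize(untrusted, new HtmlChangeListener<List<String>>() {
      @Override public void discardedTag(List<String> log, String elementName) {
        log.add("<" + elementName + ">");
      }
      @Override public void discardedAttributes(
          List<String> log, String tagName, String... attributeNames) {
        for (String name : attributeNames) { log.add(tagName + "@" + name); }
      }
    }, discarded);
    return new Result(safe, discarded);
  }

  public static void main(String[] args) {
    // Constructed sample inputs: clean markup, disallowed tag and attribute, unclosed tag.
    String[] inputs = {
      "<b>hello</b>",
      "<b onclick=\"x()\">hi</b><script>x()</script>",
      "<b>unclosed",
    };
    for (String in : inputs) {
      Result r = sanitize(in);
      // Act on the signal (log, flag for review), but always render r.safeHtml, never `in`.
      System.out.println(r.policyDiscardedSomething() + " " + r.discarded + " -> " + r.safeHtml);
    }
  }
}
```

The listener interface only has callbacks for discarded tags and attributes, so an empty list means "nothing was discarded", not "the input was already safe to embed".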
