1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
2<!--NewPage-->
3<HTML>
4<HEAD>
5<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
6<TITLE>
7HtmlPolicyBuilder (OWASP Java HTML Sanitizer)
8</TITLE>
9
10
11<LINK REL ="stylesheet" TYPE="text/css" HREF="../../../stylesheet.css" TITLE="Style">
12
13<SCRIPT type="text/javascript">
function windowTitle()
{
    // Retitle the enclosing frameset only when this page was reached from the
    // local documentation tree; a page opened through an external link carries
    // the "is-external=true" marker in its URL and is left alone.
    // NOTE(review): parent.document throws if the parent is a different origin;
    // presumably unreachable for in-tree navigation — confirm if pages are
    // embedded elsewhere.
    var openedExternally = location.href.indexOf('is-external=true') != -1;
    if (!openedExternally) {
        parent.document.title = "HtmlPolicyBuilder (OWASP Java HTML Sanitizer)";
    }
}
20</SCRIPT>
21<NOSCRIPT>
22</NOSCRIPT>
23
24</HEAD>
25
26<BODY BGCOLOR="white" onload="windowTitle();">
27<HR>
28
29
30<!-- ========= START OF TOP NAVBAR ======= -->
31<A NAME="navbar_top"><!-- --></A>
32<A HREF="#skip-navbar_top" title="Skip navigation links"></A>
33<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY="">
34<TR>
35<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1">
36<A NAME="navbar_top_firstrow"><!-- --></A>
37<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY="">
38  <TR ALIGN="center" VALIGN="top">
39  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A>&nbsp;</TD>
40  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A>&nbsp;</TD>
41  <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> &nbsp;<FONT CLASS="NavBarFont1Rev"><B>Class</B></FONT>&nbsp;</TD>
42  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="class-use/HtmlPolicyBuilder.html"><FONT CLASS="NavBarFont1"><B>Use</B></FONT></A>&nbsp;</TD>
43  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="package-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A>&nbsp;</TD>
44  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A>&nbsp;</TD>
45  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A>&nbsp;</TD>
46  </TR>
47</TABLE>
48</TD>
49<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM>
50<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM>
51</TD>
52</TR>
53
54<TR>
55<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2">
56&nbsp;<A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><B>PREV CLASS</B></A>&nbsp;
57&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD>
58<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2">
59  <A HREF="../../../index.html?org/owasp/html/HtmlPolicyBuilder.html" target="_top"><B>FRAMES</B></A>  &nbsp;
60&nbsp;<A HREF="HtmlPolicyBuilder.html" target="_top"><B>NO FRAMES</B></A>  &nbsp;
61&nbsp;<SCRIPT type="text/javascript">
62  <!--
// Emit the "All Classes" link only when this page is the top window, i.e. it
// is not being shown inside the frameset.  The markup written is a constant
// string literal, so document.writeln introduces no injection surface here.
var inFrameset = (window != top);
if (!inFrameset) {
  document.writeln('<A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A>');
}
66  //-->
67</SCRIPT>
68<NOSCRIPT>
69  <A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A>
70</NOSCRIPT>
71
72
73</FONT></TD>
74</TR>
75<TR>
76<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2">
77  SUMMARY:&nbsp;<A HREF="#nested_class_summary">NESTED</A>&nbsp;|&nbsp;<A HREF="#field_summary">FIELD</A>&nbsp;|&nbsp;<A HREF="#constructor_summary">CONSTR</A>&nbsp;|&nbsp;<A HREF="#method_summary">METHOD</A></FONT></TD>
78<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2">
79DETAIL:&nbsp;<A HREF="#field_detail">FIELD</A>&nbsp;|&nbsp;<A HREF="#constructor_detail">CONSTR</A>&nbsp;|&nbsp;<A HREF="#method_detail">METHOD</A></FONT></TD>
80</TR>
81</TABLE>
82<A NAME="skip-navbar_top"></A>
83<!-- ========= END OF TOP NAVBAR ========= -->
84
85<HR>
86<!-- ======== START OF CLASS DATA ======== -->
87<H2>
88<FONT SIZE="-1">
89org.owasp.html</FONT>
90<BR>
91Class HtmlPolicyBuilder</H2>
92<PRE>
93java.lang.Object
94  <IMG SRC="../../../resources/inherit.gif" ALT="extended by "><B>org.owasp.html.HtmlPolicyBuilder</B>
95</PRE>
96<HR>
97<DL>
98<DT><PRE><FONT SIZE="-1">@NotThreadSafe
99</FONT>public class <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.155"><B>HtmlPolicyBuilder</B></A><DT>extends java.lang.Object</DL>
100</PRE>
101
102<P>
103Conveniences for configuring policies for the <A HREF="../../../org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html"><CODE>HtmlSanitizer</CODE></A>.
104
105 <h3>Usage</h3>
106 <p>
107 To create a policy, first construct an instance of this class; then call
108 <code>allow&hellip;</code> methods to turn on tags, attributes, and other
109 processing modes; and finally call <code>build(renderer)</code> or
110 <code>toFactory()</code>.
111 </p>
112 <pre class="prettyprint lang-java">
113 // Define the policy.
114 Function&lt;HtmlStreamEventReceiver, HtmlSanitizer.Policy&gt; policy
115     = new HtmlPolicyBuilder()
116         .allowElements("a", "p")
117         .allowAttributes("href").onElements("a")
118         .toFactory();
119
120 // Sanitize your output.
121 HtmlSanitizer.sanitize(myHtml, policy.apply(myHtmlStreamRenderer));
122 </pre>
123
124 <h3>Embedded Content</h3>
125 <p>
126 Embedded URLs are filtered by
127 <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowUrlProtocols(java.lang.String...)"><CODE>protocol</CODE></A>.
128 There is a <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowStandardUrlProtocols()"><CODE>canned policy</CODE></A>
129 so you can easily white-list the widely used protocols (<code>http</code>, <code>https</code>, <code>mailto</code>)
130 that cannot be used to run script in the current page's origin the way a <code>javascript:</code> URL can.  See "Customization" below for ways to do further
131 filtering.  If you allow links it might be worthwhile to
132 <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#requireRelNofollowOnLinks()"><CODE>require</CODE></A>
133 <code>rel=nofollow</code>, which tells search engines not to credit user-supplied links; it is a spam deterrent, not a substitute for the protocol filtering above.
134 </p>
135 <p>
136 This class simply throws out all embedded JS.
137 Use a custom element or attribute policy to allow through
138 signed or otherwise known-safe code.
139 Check out the Caja project if you need a way to contain third-party JS.
140 </p>
141 <p>
142 This class does not attempt to faithfully parse and sanitize CSS.
143 It does provide <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowStyling()"><CODE>one</CODE></A> styling option
144 that allows through a few CSS properties that allow textual styling, but that
145 disallow image loading, history stealing, layout breaking, code execution,
146 etc.
147 </p>
148
149 <h3>Customization</h3>
150 <p>
151 You can easily do custom processing on tags and attributes by supplying your
152 own <A HREF="../../../org/owasp/html/ElementPolicy.html" title="interface in org.owasp.html"><CODE>element policy</CODE></A> or
153 <A HREF="../../../org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html"><CODE>attribute policy</CODE></A> when calling
154 <code>allow&hellip;</code>.
155 E.g. to convert headers into <code>&lt;div&gt;</code>s, you could use an element policy
156 </p>
157 <pre class="prettyprint lang-java">
158 new HtmlPolicyBuilder()
159   .allowElement(
160     new ElementPolicy() {
161       public String apply(String elementName, List&lt;String> attributes) {
162         attributes.add("class");
163         attributes.add("header-" + elementName);
164         return "div";
165       }
166     },
167     "h1", "h2", "h3", "h4", "h5", "h6")
168   .build(outputChannel)
169 </pre>
170
171 <h3>Rules of Thumb</h3>
172 <p>
173 Throughout this class, several rules hold:
174 <ul>
175   <li>Everything is denied by default.  The
176     <code>disallow&hellip;</code> methods therefore only carve exceptions out of
177     earlier allows; there are no permissive defaults to roll back.
178   <li>The order of allows and disallows does not matter.
179     Disallows trump allows whether they occur before or after them.
180     The only method that needs to be called in a particular place is
181     <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver)"><CODE>build(org.owasp.html.HtmlStreamEventReceiver)</CODE></A>.
182     Allows or disallows after <code>build</code> is called have no
183     effect on the already built policy.
184   <li>Element and attribute policies are applied in the following order:
185     element specific attribute policy, global attribute policy, element
186     policy.
187     Element policies come last so they can observe all the post-processed
188     attributes, and so they can add attributes that are exempt from
189     attribute policies.
190     Element specific policies go first, so they can normalize content to
191     a form that might be acceptable to a more simplistic global policy.
192 </ul>
193
194 <h3>Thread safety and efficiency</h3>
195 <p>
196 This class is not thread-safe, and neither is the policy it builds.  Races
197 cannot cause a policy to violate its security guarantees, but a built policy
198 maintains state to track whether text inside disallowed elements should be
199 suppressed, so a single policy instance must not be shared between threads.
200 <p>
201 The resulting policy can be reused, but if you use the
202 <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#toFactory()"><CODE>toFactory()</CODE></A> method instead of <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver)"><CODE>build(org.owasp.html.HtmlStreamEventReceiver)</CODE></A>, then
203 binding a fresh policy to each output channel is cheap, so there is no need to reuse or share a single policy instance.
204 </p>
205<P>
206
207<P>
208<DL>
209<DT><B>Author:</B></DT>
210  <DD>Mike Samuel &lt;mikesamuel@gmail.com&gt;</DD>
211</DL>
212<HR>
213
214<P>
215<!-- ======== NESTED CLASS SUMMARY ======== -->
216
217<A NAME="nested_class_summary"><!-- --></A>
218<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY="">
219<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor">
220<TH ALIGN="left" COLSPAN="2"><FONT SIZE="+2">
221<B>Nested Class Summary</B></FONT></TH>
222</TR>
223<TR BGCOLOR="white" CLASS="TableRowColor">
224<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
225<CODE>&nbsp;class</CODE></FONT></TD>
226<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A></B></CODE>
227
228<BR>
229&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Builds the relationship between attributes, the values that they may have,
230 and the elements on which they may appear.</TD>
231</TR>
232</TABLE>
233&nbsp;<!-- =========== FIELD SUMMARY =========== -->
234
235<A NAME="field_summary"><!-- --></A>
236<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY="">
237<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor">
238<TH ALIGN="left" COLSPAN="2"><FONT SIZE="+2">
239<B>Field Summary</B></FONT></TH>
240</TR>
241<TR BGCOLOR="white" CLASS="TableRowColor">
242<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
243<CODE>static&nbsp;com.google.common.collect.ImmutableSet&lt;java.lang.String&gt;</CODE></FONT></TD>
244<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#DEFAULT_SKIP_IF_EMPTY">DEFAULT_SKIP_IF_EMPTY</A></B></CODE>
245
246<BR>
247&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;The default set of elements that are removed if they have no attributes.</TD>
248</TR>
249</TABLE>
250&nbsp;
251<!-- ======== CONSTRUCTOR SUMMARY ======== -->
252
253<A NAME="constructor_summary"><!-- --></A>
254<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY="">
255<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor">
256<TH ALIGN="left" COLSPAN="2"><FONT SIZE="+2">
257<B>Constructor Summary</B></FONT></TH>
258</TR>
259<TR BGCOLOR="white" CLASS="TableRowColor">
260<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#HtmlPolicyBuilder()">HtmlPolicyBuilder</A></B>()</CODE>
261
262<BR>
263&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</TD>
264</TR>
265</TABLE>
266&nbsp;
267<!-- ========== METHOD SUMMARY =========== -->
268
269<A NAME="method_summary"><!-- --></A>
270<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY="">
271<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor">
272<TH ALIGN="left" COLSPAN="2"><FONT SIZE="+2">
273<B>Method Summary</B></FONT></TH>
274</TR>
275<TR BGCOLOR="white" CLASS="TableRowColor">
276<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
277<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A></CODE></FONT></TD>
278<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowAttributes(java.lang.String...)">allowAttributes</A></B>(java.lang.String...&nbsp;attributeNames)</CODE>
279
280<BR>
281&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Returns an object that lets you associate policies with the given
282 attributes, and allow them globally or on specific elements.</TD>
283</TR>
284<TR BGCOLOR="white" CLASS="TableRowColor">
285<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
286<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
287<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowCommonBlockElements()">allowCommonBlockElements</A></B>()</CODE>
288
289<BR>
290&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;A canned policy that allows a number of common block elements.</TD>
291</TR>
292<TR BGCOLOR="white" CLASS="TableRowColor">
293<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
294<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
295<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowCommonInlineFormattingElements()">allowCommonInlineFormattingElements</A></B>()</CODE>
296
297<BR>
298&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;A canned policy that allows a number of common formatting elements.</TD>
299</TR>
300<TR BGCOLOR="white" CLASS="TableRowColor">
301<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
302<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
303<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowElements(org.owasp.html.ElementPolicy, java.lang.String...)">allowElements</A></B>(<A HREF="../../../org/owasp/html/ElementPolicy.html" title="interface in org.owasp.html">ElementPolicy</A>&nbsp;policy,
304                           java.lang.String...&nbsp;elementNames)</CODE>
305
306<BR>
307&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Allow the given elements with the given policy.</TD>
308</TR>
309<TR BGCOLOR="white" CLASS="TableRowColor">
310<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
311<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
312<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowElements(java.lang.String...)">allowElements</A></B>(java.lang.String...&nbsp;elementNames)</CODE>
313
314<BR>
315&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Allows the named elements.</TD>
316</TR>
317<TR BGCOLOR="white" CLASS="TableRowColor">
318<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
319<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
320<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowStandardUrlProtocols()">allowStandardUrlProtocols</A></B>()</CODE>
321
322<BR>
323&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;A canned URL protocol policy that allows <code>http</code>,
324 <code>https</code>, and <code>mailto</code>.</TD>
325</TR>
326<TR BGCOLOR="white" CLASS="TableRowColor">
327<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
328<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
329<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowStyling()">allowStyling</A></B>()</CODE>
330
331<BR>
332&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Convert <code>style="&lt;CSS&gt;"</code> to sanitized CSS which allows
333 color, font-size, type-face, and other styling using the default schema;
334 but which does not allow content to escape its clipping context.</TD>
335</TR>
336<TR BGCOLOR="white" CLASS="TableRowColor">
337<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
338<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
339<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowStyling(org.owasp.html.CssSchema)">allowStyling</A></B>(<A HREF="../../../org/owasp/html/CssSchema.html" title="class in org.owasp.html">CssSchema</A>&nbsp;whitelist)</CODE>
340
341<BR>
342&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Convert <code>style="&lt;CSS&gt;"</code> to sanitized CSS which allows
343 color, font-size, type-face, and other styling using the given schema.</TD>
344</TR>
345<TR BGCOLOR="white" CLASS="TableRowColor">
346<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
347<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
348<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowTextIn(java.lang.String...)">allowTextIn</A></B>(java.lang.String...&nbsp;elementNames)</CODE>
349
350<BR>
351&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Allows text content in the named elements.</TD>
352</TR>
353<TR BGCOLOR="white" CLASS="TableRowColor">
354<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
355<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
356<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowUrlProtocols(java.lang.String...)">allowUrlProtocols</A></B>(java.lang.String...&nbsp;protocols)</CODE>
357
358<BR>
359&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Adds to the set of protocols that are allowed in URL attributes.</TD>
360</TR>
361<TR BGCOLOR="white" CLASS="TableRowColor">
362<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
363<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
364<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowWithoutAttributes(java.lang.String...)">allowWithoutAttributes</A></B>(java.lang.String...&nbsp;elementNames)</CODE>
365
366<BR>
367&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Assuming the given elements are allowed, allows them to appear without
368 attributes.</TD>
369</TR>
370<TR BGCOLOR="white" CLASS="TableRowColor">
371<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
372<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD>
373<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver)">build</A></B>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>&nbsp;out)</CODE>
374
375<BR>
376&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Produces a policy based on the allow and disallow calls previously made.</TD>
377</TR>
378<TR BGCOLOR="white" CLASS="TableRowColor">
379<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
380<CODE>
381<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY="">
382<TR ALIGN="right" VALIGN="">
383<TD NOWRAP><FONT SIZE="-1">
384<CODE>&lt;CTX&gt; <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD>
385</TR>
386</TABLE>
387</CODE></FONT></TD>
388<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)">build</A></B>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>&nbsp;out,
389           <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A>&lt;? super CTX&gt;&nbsp;listener,
390           CTX&nbsp;context)</CODE>
391
392<BR>
393&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Produces a policy based on the allow and disallow calls previously made.</TD>
394</TR>
395<TR BGCOLOR="white" CLASS="TableRowColor">
396<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
397<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A></CODE></FONT></TD>
398<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#disallowAttributes(java.lang.String...)">disallowAttributes</A></B>(java.lang.String...&nbsp;attributeNames)</CODE>
399
400<BR>
401&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reverse an earlier attribute <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowAttributes(java.lang.String...)"><CODE>allow</CODE></A>.</TD>
402</TR>
403<TR BGCOLOR="white" CLASS="TableRowColor">
404<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
405<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
406<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#disallowElements(java.lang.String...)">disallowElements</A></B>(java.lang.String...&nbsp;elementNames)</CODE>
407
408<BR>
409&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Disallows the named elements.</TD>
410</TR>
411<TR BGCOLOR="white" CLASS="TableRowColor">
412<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
413<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
414<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#disallowTextIn(java.lang.String...)">disallowTextIn</A></B>(java.lang.String...&nbsp;elementNames)</CODE>
415
416<BR>
417&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</TD>
418</TR>
419<TR BGCOLOR="white" CLASS="TableRowColor">
420<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
421<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
422<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#disallowUrlProtocols(java.lang.String...)">disallowUrlProtocols</A></B>(java.lang.String...&nbsp;protocols)</CODE>
423
424<BR>
425&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reverses a decision made by <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowUrlProtocols(java.lang.String...)"><CODE>allowUrlProtocols(java.lang.String...)</CODE></A>.</TD>
426</TR>
427<TR BGCOLOR="white" CLASS="TableRowColor">
428<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
429<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
430<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#disallowWithoutAttributes(java.lang.String...)">disallowWithoutAttributes</A></B>(java.lang.String...&nbsp;elementNames)</CODE>
431
432<BR>
433&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Disallows the given elements from appearing without attributes.</TD>
434</TR>
435<TR BGCOLOR="white" CLASS="TableRowColor">
436<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
437<CODE>&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></CODE></FONT></TD>
438<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#requireRelNofollowOnLinks()">requireRelNofollowOnLinks</A></B>()</CODE>
439
440<BR>
441&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Adds <a href="http://en.wikipedia.org/wiki/Nofollow"><code>rel=nofollow</code></a>
442 to links.</TD>
443</TR>
444<TR BGCOLOR="white" CLASS="TableRowColor">
445<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1">
446<CODE>&nbsp;<A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A></CODE></FONT></TD>
447<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#toFactory()">toFactory</A></B>()</CODE>
448
449<BR>
450&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Like <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver)"><CODE>build(org.owasp.html.HtmlStreamEventReceiver)</CODE></A> but can be reused to create many different policies
451 each backed by a different output channel.</TD>
452</TR>
453</TABLE>
454&nbsp;<A NAME="methods_inherited_from_class_java.lang.Object"><!-- --></A>
455<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY="">
456<TR BGCOLOR="#EEEEFF" CLASS="TableSubHeadingColor">
457<TH ALIGN="left"><B>Methods inherited from class java.lang.Object</B></TH>
458</TR>
459<TR BGCOLOR="white" CLASS="TableRowColor">
460<TD><CODE>clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait</CODE></TD>
461</TR>
462</TABLE>
463&nbsp;
464<P>
465
466<!-- ============ FIELD DETAIL =========== -->
467
468<A NAME="field_detail"><!-- --></A>
469<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY="">
470<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor">
471<TH ALIGN="left" COLSPAN="1"><FONT SIZE="+2">
472<B>Field Detail</B></FONT></TH>
473</TR>
474</TABLE>
475
476<A NAME="DEFAULT_SKIP_IF_EMPTY"><!-- --></A><H3>
477DEFAULT_SKIP_IF_EMPTY</H3>
478<PRE>
479public static final com.google.common.collect.ImmutableSet&lt;java.lang.String&gt; <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.163"><B>DEFAULT_SKIP_IF_EMPTY</B></A></PRE>
480<DL>
481<DD>The default set of elements that are removed if they have no attributes.
482 Since <code>&lt;img&gt;</code> is in this set, by default, a policy will remove
483 <code>&lt;img src=javascript:alert(1337)&gt;</code>: the <code>javascript:</code> protocol is
484 not allowed, so the <code>src</code> attribute is dropped, and an <code>&lt;img&gt;</code>
485 with no remaining attributes carries nothing worth emitting in the output.
486<P>
487<DL>
488</DL>
489</DL>
490
491<!-- ========= CONSTRUCTOR DETAIL ======== -->
492
493<A NAME="constructor_detail"><!-- --></A>
494<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY="">
495<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor">
496<TH ALIGN="left" COLSPAN="1"><FONT SIZE="+2">
497<B>Constructor Detail</B></FONT></TH>
498</TR>
499</TABLE>
500
501<A NAME="HtmlPolicyBuilder()"><!-- --></A><H3>
502HtmlPolicyBuilder</H3>
503<PRE>
504public <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.155"><B>HtmlPolicyBuilder</B></A>()</PRE>
505<DL>
506</DL>
507
508<!-- ============ METHOD DETAIL ========== -->
509
510<A NAME="method_detail"><!-- --></A>
511<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY="">
512<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor">
513<TH ALIGN="left" COLSPAN="1"><FONT SIZE="+2">
514<B>Method Detail</B></FONT></TH>
515</TR>
516</TABLE>
517
518<A NAME="allowElements(java.lang.String...)"><!-- --></A><H3>
519allowElements</H3>
520<PRE>
521public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.180"><B>allowElements</B></A>(java.lang.String...&nbsp;elementNames)</PRE>
522<DL>
523<DD>Allows the named elements.
524<P>
525<DD><DL>
526</DL>
527</DD>
528</DL>
529<HR>
530
531<A NAME="disallowElements(java.lang.String...)"><!-- --></A><H3>
532disallowElements</H3>
533<PRE>
534public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.189"><B>disallowElements</B></A>(java.lang.String...&nbsp;elementNames)</PRE>
535<DL>
536<DD>Disallows the named elements.  Elements are disallowed by default, so
537 there is no need to disallow elements, unless you are making an exception
538 based on an earlier allow.
539<P>
540<DD><DL>
541</DL>
542</DD>
543</DL>
544<HR>
545
546<A NAME="allowElements(org.owasp.html.ElementPolicy, java.lang.String...)"><!-- --></A><H3>
547allowElements</H3>
548<PRE>
549public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.199"><B>allowElements</B></A>(<A HREF="../../../org/owasp/html/ElementPolicy.html" title="interface in org.owasp.html">ElementPolicy</A>&nbsp;policy,
550                                       java.lang.String...&nbsp;elementNames)</PRE>
551<DL>
552<DD>Allow the given elements with the given policy.
553<P>
554<DD><DL>
555<DT><B>Parameters:</B><DD><CODE>policy</CODE> - May remove or add attributes, change the element name, or
556    deny the element.</DL>
557</DD>
558</DL>
559<HR>
560
561<A NAME="allowCommonInlineFormattingElements()"><!-- --></A><H3>
562allowCommonInlineFormattingElements</H3>
563<PRE>
564public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.222"><B>allowCommonInlineFormattingElements</B></A>()</PRE>
565<DL>
566<DD>A canned policy that allows a number of common formatting elements.
567<P>
568<DD><DL>
569</DL>
570</DD>
571</DL>
572<HR>
573
574<A NAME="allowCommonBlockElements()"><!-- --></A><H3>
575allowCommonBlockElements</H3>
576<PRE>
577public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.231"><B>allowCommonBlockElements</B></A>()</PRE>
578<DL>
579<DD>A canned policy that allows a number of common block elements.
580<P>
581<DD><DL>
582</DL>
583</DD>
584</DL>
585<HR>
586
587<A NAME="allowTextIn(java.lang.String...)"><!-- --></A><H3>
588allowTextIn</H3>
589<PRE>
590public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.248"><B>allowTextIn</B></A>(java.lang.String...&nbsp;elementNames)</PRE>
591<DL>
592<DD>Allows text content in the named elements.
593 By default, text content is allowed in any
594 <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowElements(java.lang.String...)"><CODE>allowed elements</CODE></A> that can contain character data per
595 the HTML5 spec, but text content is not allowed by default in elements that
596 contain content of other kinds (like JavaScript in <code>&lt;script&gt;</code>
597 elements).
598 <p>
599 To write a policy that whitelists <code>&lt;script&gt;</code> or <code>&lt;style&gt;</code>
600 elements, first <code>allowTextIn("script")</code> or <code>allowTextIn("style")</code>.  Note that nothing here sanitizes the script or stylesheet source itself, so the element body reaches the output as-is; only do this when that content comes from a trusted source or a custom element policy verifies it is known-safe (see "Embedded Content" above).
601<P>
602<DD><DL>
603</DL>
604</DD>
605</DL>
606<HR>
607
608<A NAME="disallowTextIn(java.lang.String...)"><!-- --></A><H3>
609disallowTextIn</H3>
610<PRE>
611public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.257"><B>disallowTextIn</B></A>(java.lang.String...&nbsp;elementNames)</PRE>
612<DL>
613<DD><DL>
614</DL>
615</DD>
616</DL>
617<HR>
618
619<A NAME="allowWithoutAttributes(java.lang.String...)"><!-- --></A><H3>
620allowWithoutAttributes</H3>
621<PRE>
622public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.273"><B>allowWithoutAttributes</B></A>(java.lang.String...&nbsp;elementNames)</PRE>
623<DL>
624<DD>Assuming the given elements are allowed, allows them to appear without
625 attributes.
626<P>
627<DD><DL>
628<DT><B>See Also:</B><DD><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#DEFAULT_SKIP_IF_EMPTY"><CODE>DEFAULT_SKIP_IF_EMPTY</CODE></A>,
629<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#disallowWithoutAttributes(java.lang.String...)"><CODE>disallowWithoutAttributes(java.lang.String...)</CODE></A></DL>
630</DD>
631</DL>
632<HR>
633
634<A NAME="disallowWithoutAttributes(java.lang.String...)"><!-- --></A><H3>
635disallowWithoutAttributes</H3>
636<PRE>
637public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.288"><B>disallowWithoutAttributes</B></A>(java.lang.String...&nbsp;elementNames)</PRE>
638<DL>
639<DD>Disallows the given elements from appearing without attributes.
640<P>
641<DD><DL>
642<DT><B>See Also:</B><DD><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#DEFAULT_SKIP_IF_EMPTY"><CODE>DEFAULT_SKIP_IF_EMPTY</CODE></A>,
643<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowWithoutAttributes(java.lang.String...)"><CODE>allowWithoutAttributes(java.lang.String...)</CODE></A></DL>
644</DD>
645</DL>
646<HR>
647
648<A NAME="allowAttributes(java.lang.String...)"><!-- --></A><H3>
649allowAttributes</H3>
650<PRE>
651public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.301"><B>allowAttributes</B></A>(java.lang.String...&nbsp;attributeNames)</PRE>
652<DL>
653<DD>Returns an object that lets you associate policies with the given
654 attributes, and allow them globally or on specific elements.
655<P>
656<DD><DL>
657</DL>
658</DD>
659</DL>
660<HR>
661
662<A NAME="disallowAttributes(java.lang.String...)"><!-- --></A><H3>
663disallowAttributes</H3>
664<PRE>
665public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.318"><B>disallowAttributes</B></A>(java.lang.String...&nbsp;attributeNames)</PRE>
666<DL>
667<DD>Reverses an earlier attribute <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowAttributes(java.lang.String...)"><CODE>allow</CODE></A>.
668 <p>
669 For this to have an effect you must call at least one of
670 <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#globally()"><CODE>HtmlPolicyBuilder.AttributeBuilder.globally()</CODE></A> and <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#onElements(java.lang.String...)"><CODE>HtmlPolicyBuilder.AttributeBuilder.onElements(java.lang.String...)</CODE></A>.
671 <p>
672 Attributes are disallowed by default, so there is no need to call this
673 with a laundry list of attribute/element pairs.
674<P>
675<DD><DL>
676</DL>
677</DD>
678</DL>
679<HR>
680
681<A NAME="requireRelNofollowOnLinks()"><!-- --></A><H3>
682requireRelNofollowOnLinks</H3>
683<PRE>
684public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.364"><B>requireRelNofollowOnLinks</B></A>()</PRE>
685<DL>
686<DD>Adds <a href="http://en.wikipedia.org/wiki/Nofollow"><code>rel=nofollow</code></a>
687 to links.
688<P>
689<DD><DL>
690</DL>
691</DD>
692</DL>
693<HR>
694
695<A NAME="allowUrlProtocols(java.lang.String...)"><!-- --></A><H3>
696allowUrlProtocols</H3>
697<PRE>
698public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.383"><B>allowUrlProtocols</B></A>(java.lang.String...&nbsp;protocols)</PRE>
699<DL>
700<DD>Adds to the set of protocols that are allowed in URL attributes.
701 For each URL attribute that is allowed, we further constrain it by
702 only allowing the value through if it specifies no protocol, or if it
703 specifies one in the allowedProtocols white-list.
704 This is done regardless of whether any protocols have been allowed, so
705 allowing the attribute "href" globally with the identity policy but
706 not white-listing any protocols effectively disallows the "href"
707 attribute globally.
708 <p>
709 Do not allow any <code>*script</code> protocol, such as
710 <code>javascript</code>, if this policy might be applied to untrusted
711 input: such URLs execute script in the viewer's browser.
711<P>
712<DD><DL>
713</DL>
714</DD>
715</DL>
716<HR>
717
718<A NAME="disallowUrlProtocols(java.lang.String...)"><!-- --></A><H3>
719disallowUrlProtocols</H3>
720<PRE>
721public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.400"><B>disallowUrlProtocols</B></A>(java.lang.String...&nbsp;protocols)</PRE>
722<DL>
723<DD>Reverses a decision made by <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#allowUrlProtocols(java.lang.String...)"><CODE>allowUrlProtocols(java.lang.String...)</CODE></A>.
724<P>
725<DD><DL>
726</DL>
727</DD>
728</DL>
729<HR>
730
731<A NAME="allowStandardUrlProtocols()"><!-- --></A><H3>
732allowStandardUrlProtocols</H3>
733<PRE>
734public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.413"><B>allowStandardUrlProtocols</B></A>()</PRE>
735<DL>
736<DD>A canned URL protocol policy that allows <code>http</code>,
737 <code>https</code>, and <code>mailto</code>.
738<P>
739<DD><DL>
740</DL>
741</DD>
742</DL>
743<HR>
744
745<A NAME="allowStyling()"><!-- --></A><H3>
746allowStyling</H3>
747<PRE>
748public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.422"><B>allowStyling</B></A>()</PRE>
749<DL>
750<DD>Converts <code>style="&lt;CSS&gt;"</code> to sanitized CSS which allows
751 color, font-size, typeface, and other styling using the default schema,
752 but which does not allow content to escape its clipping context.
753<P>
754<DD><DL>
755</DL>
756</DD>
757</DL>
758<HR>
759
760<A NAME="allowStyling(org.owasp.html.CssSchema)"><!-- --></A><H3>
761allowStyling</H3>
762<PRE>
763public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.431"><B>allowStyling</B></A>(<A HREF="../../../org/owasp/html/CssSchema.html" title="class in org.owasp.html">CssSchema</A>&nbsp;whitelist)</PRE>
764<DL>
765<DD>Converts <code>style="&lt;CSS&gt;"</code> to sanitized CSS which allows
766 color, font-size, typeface, and other styling using the given schema.
767<P>
768<DD><DL>
769</DL>
770</DD>
771</DL>
772<HR>
773
774<A NAME="build(org.owasp.html.HtmlStreamEventReceiver)"><!-- --></A><H3>
775build</H3>
776<PRE>
777public <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.455"><B>build</B></A>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>&nbsp;out)</PRE>
778<DL>
779<DD>Produces a policy based on the allow and disallow calls previously made.
780<P>
781<DD><DL>
782<DT><B>Parameters:</B><DD><CODE>out</CODE> - receives open-tag calls only for the tags allowed by
783      previous calls to this object.
784      Typically a <A HREF="../../../org/owasp/html/HtmlStreamRenderer.html" title="class in org.owasp.html"><CODE>HtmlStreamRenderer</CODE></A>.</DL>
785</DD>
786</DL>
787<HR>
788
789<A NAME="build(org.owasp.html.HtmlStreamEventReceiver,org.owasp.html.HtmlChangeListener,java.lang.Object)"><!-- --></A><A NAME="build(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)"><!-- --></A><H3>
790build</H3>
791<PRE>
792public &lt;CTX&gt; <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.472"><B>build</B></A>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>&nbsp;out,
793                                        <FONT SIZE="-1">@Nullable</FONT>
794                                        <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A>&lt;? super CTX&gt;&nbsp;listener,
795                                        <FONT SIZE="-1">@Nullable</FONT>
796                                        CTX&nbsp;context)</PRE>
797<DL>
798<DD>Produces a policy based on the allow and disallow calls previously made.
799<P>
800<DD><DL>
801<DT><B>Parameters:</B><DD><CODE>out</CODE> - receives open-tag calls only for the tags allowed by
802      previous calls to this object.
803      Typically a <A HREF="../../../org/owasp/html/HtmlStreamRenderer.html" title="class in org.owasp.html"><CODE>HtmlStreamRenderer</CODE></A>.<DD><CODE>listener</CODE> - is notified of dropped tags and attributes so that
804      intrusion detection systems can be alerted to questionable HTML.
805      If <code>null</code> then no notifications are sent.<DD><CODE>context</CODE> - if <code>(listener != null)</code> then the context value passed
806      with alerts.  This can be used to let the listener know from which
807      connection or request the questionable HTML was received.</DL>
808</DD>
809</DL>
810<HR>
811
812<A NAME="toFactory()"><!-- --></A><H3>
813toFactory</H3>
814<PRE>
815public <A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.483"><B>toFactory</B></A>()</PRE>
816<DL>
817<DD>Like <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver)"><CODE>build(org.owasp.html.HtmlStreamEventReceiver)</CODE></A>, but the returned factory can be reused to create many different policies,
818 each backed by a different output channel.
819<P>
820<DD><DL>
821</DL>
822</DD>
823</DL>
824<!-- ========= END OF CLASS DATA ========= -->
825<HR>
826
827
828<!-- ======= START OF BOTTOM NAVBAR ====== -->
829<A NAME="navbar_bottom"><!-- --></A>
830<A HREF="#skip-navbar_bottom" title="Skip navigation links"></A>
831<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY="">
832<TR>
833<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1">
834<A NAME="navbar_bottom_firstrow"><!-- --></A>
835<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY="">
836  <TR ALIGN="center" VALIGN="top">
837  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A>&nbsp;</TD>
838  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A>&nbsp;</TD>
839  <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> &nbsp;<FONT CLASS="NavBarFont1Rev"><B>Class</B></FONT>&nbsp;</TD>
840  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="class-use/HtmlPolicyBuilder.html"><FONT CLASS="NavBarFont1"><B>Use</B></FONT></A>&nbsp;</TD>
841  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="package-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A>&nbsp;</TD>
842  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A>&nbsp;</TD>
843  <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1">    <A HREF="../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A>&nbsp;</TD>
844  </TR>
845</TABLE>
846</TD>
847<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM>
848<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM>
849</TD>
850</TR>
851
852<TR>
853<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2">
854&nbsp;<A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><B>PREV CLASS</B></A>&nbsp;
855&nbsp;<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD>
856<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2">
857  <A HREF="../../../index.html?org/owasp/html/HtmlPolicyBuilder.html" target="_top"><B>FRAMES</B></A>  &nbsp;
858&nbsp;<A HREF="HtmlPolicyBuilder.html" target="_top"><B>NO FRAMES</B></A>  &nbsp;
859&nbsp;<SCRIPT type="text/javascript">
860  <!--
  // Emit the "All Classes" link only when this page is the top-level window,
  // i.e. it is not being displayed inside the Javadoc frameset (the FRAMES /
  // NO FRAMES links above switch between the two views). The link text is a
  // fixed literal; no page or user data is written. The NOSCRIPT block that
  // follows always shows the same link when scripting is unavailable.
861  if(window==top) {
862    document.writeln('<A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A>');
863  }
864  //-->
865</SCRIPT>
866<NOSCRIPT>
867  <A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A>
868</NOSCRIPT>
869
870
871</FONT></TD>
872</TR>
873<TR>
874<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2">
875  SUMMARY:&nbsp;<A HREF="#nested_class_summary">NESTED</A>&nbsp;|&nbsp;<A HREF="#field_summary">FIELD</A>&nbsp;|&nbsp;<A HREF="#constructor_summary">CONSTR</A>&nbsp;|&nbsp;<A HREF="#method_summary">METHOD</A></FONT></TD>
876<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2">
877DETAIL:&nbsp;<A HREF="#field_detail">FIELD</A>&nbsp;|&nbsp;<A HREF="#constructor_detail">CONSTR</A>&nbsp;|&nbsp;<A HREF="#method_detail">METHOD</A></FONT></TD>
878</TR>
879</TABLE>
880<A NAME="skip-navbar_bottom"></A>
881<!-- ======== END OF BOTTOM NAVBAR ======= -->
882
883<HR>
884
885</BODY>
886</HTML>
887