From: http://www.brettle.com/neathtml
| About NeatHtml™ | |
|---|---|
| |
|
NeatHtml™ is a highly-portable open source website component that displays untrusted content securely, efficiently, and accessibly. Untrusted content is any content that is not trusted by the website owner. Typical examples include blog comments, forum posts, or user pages on social networking sites. NeatHtml uses an “accept only known good” (whitelist) approach to security to help prevent attacks which are not yet known. It focuses on preventing Cross-Site Scripting (XSS) attacks but can also prevent phishing attacks and remove automated Cross-Site Request Forgery (CSRF) attacks. In this context, phishing attacks are attacks which try to display untrusted content where the user would trust it, and automated CSRF attacks are CSRF attacks that do not require any user action beyond viewing the untrusted content.NeatHtml consists of the NeatHtml.js JavaScript library and a small server-side component. NeatHtml.js should work with any browser that supports both JavaScript 1.3 and a few DOM APIs. It has been tested against Internet Explorer 6 and 7, Firefox 1.5 and 2.0, Opera 9.21, Netscape 7.2, Mac Safari 1.2, 1.3 and 2.0, and Konqueror 3.4.0-5 and 3.5.7. The server-side component is approximately 400 lines of ASP.NET code. It runs under Mono, .NET 1.1, and .NET 2.0, but should be easy to port to other web development platforms (e.g. Java or PHP). To facilitate porting and testing, NeatHtml includes a JavaScript test framework and a demo page which uses the test framework and demonstrates the capabilities of NeatHtml. NeatHtml is licensed under the Lesser General Public License (LGPL), a business-friendly open source license.
NeatHtml is currently available for download as a mature development snapshot. It primarily needs independent testing, and minor security fixes before an official release. Bug reports, feature requests, questions, comments, and other contributions are welcome.
Features
- Uses a whitelist approach to help prevent attacks that take advantage of currently unknown security holes.
- XSS prevention is done using client-side script to reduce the load on the server.
- Allows many common HTML constructs, including most inline styles.
- Integrates easily with existing applications.
- Works under Mono, .NET 1.1, and .NET 2.0, and can be easily ported to other development platforms.
- Licensed under the Lesser General Public License (LGPL), a business-friendly open source license. See below for details.
Demo
Check out the live demo!
Download
NeatHtml-trunk.215.zip is the most recent development snapshot. It includes both source and precompiled binaries.The latest code is always available from the Subversion repository. You can browse it with your web browser or use a subversion client with a command like this:
svn checkout https://forgesvn1.novell.com/svn/neathtml/trunk
Documentation
Please read the NeatHtml Manual for step-by-step installation and usage instructions.A whitepaper is available those interested in the techniques used by NeatHtml.