sanitizeHtml

Sanitizes unsafe HTML to protect against XSS attacks

sanitizeHtml(string [, policy ]) → returns string

Member Function Syntax

string.sanitizeHTML( policy )

This function requires Lucee 5 and up.  Not supported on Adobe ColdFusion, etc.
  1. CFDocs
  2. Functions
  3. Lucee 5 New Functions and Tags
  4. sanitizeHtml
  5. Lucee5+
  6. 0 Issue
  7. Edit
See Also:   getSafeHtml

Argument Reference

string string
Required

The string to sanitize

policy string

Either a org.owasp.html.PolicyFactory or a list of built in policies which allow and sanitize the named element types (see list below). If omitted then all of the built-in policies are applied.
Values:
  • BLOCKS
  • FORMATTING
  • IMAGES
  • LINKS
  • STYLES
  • TABLES

Compatibility

Lucee:

Version 5+ requires ESAPI extension version >= 2.2.4.5-SNAPSHOT

Links more information about sanitizeHtml

Examples
Sample code invoking the sanitizeHtml function

Sanitize a string using built-in policies

unsafe = '<p>a <strong>link</strong> <a href="https://www.example.com" onClick="doSomethingBad()">test</a></p>';
result = sanitizeHtml( unsafe );
dump(result);

Only allow sanitized link and block elements

unsafe = '<p>a <strong>link</strong> <a href="https://www.example.com" onClick="doSomethingBad()">test</a></p>';
result = sanitizeHtml( unsafe,"LINKS,BLOCKS" );
dump(result);

Only allow sanitized link and block elements

unsafe = '<p>a <strong>link</strong> <a href="https://www.example.com" onClick="doSomethingBad()">test</a></p>';
result = unsafe.sanitizeHtml( "LINKS,BLOCKS" );
dump(result);

Signup for cfbreak to stay updated on the latest news from the ColdFusion / CFML community. One email, every friday.

Fork me on GitHub