Sanitize HTML With Ammonia In Rust
Overview
I'm using the ammonia rust crate to sanitize HTML for my twitch bot. I'm using it like this:
Code
use ammonia::Builder;
use maplit::{hashmap, hashset};
fn main() {
let source = r#"
<div>
<span id="alfa" class="bravo">charlie</span>
</div>
"#;
let scrubbed = sanatize_html(source);
dbg!(scrubbed);
}
fn sanatize_html(source: &str) -> String {
let tags = hashset!["span"];
let tag_attrs = hashmap![
"span" => hashset!["id"]
];
Builder::new()
.tags(tags)
.tag_attributes(tag_attrs)
.clean(source)
.to_string()
}
Details
Only tags and attributes for the tags are are explicitly added will be allowed through
Permitted tags are added to the `tags`` hashset and added to the `Builder`` via `.tags()``
Attributes for defined for each tag `tag_attrs`` and added via `.tag_attributes()``
The output is returned as a string. In this example about the result is:
<span id="alfa">charlie</span>
Installation
Installing the crate is done with:
Code
cargo add ammonia
cargo add maplit
The _matlit__ crate provides the macros used in the example to make the hashsets and hashmap. It's not required. Using the std hash features works as well.
References
-
- an allow-list based HTML sanitization library
"Designed to prevent cross-site scripting, layout breaking, and clickjacking caused by untrusted user-provided HTML being mixed into a larger web page"
-
This is what ammonia uses under the hood for parsing
-
The made struct for setting up a sanitize run