Sanitize HTML With Ammonia In Rust
Overview
I'm using the ammonia Rust crate to sanitize HTML for my Twitch bot. I'm using it like this:
use ammonia::Builder;
use maplit::{hashmap, hashset};

fn main() {
    let source = r#"
        <div>
            <span id="alfa" class="bravo">charlie</span>
        </div>
    "#;
    let scrubbed = sanitize_html(source);
    dbg!(scrubbed);
}

fn sanitize_html(source: &str) -> String {
    // Tags that may pass through.
    let tags = hashset!["span"];
    // Attributes that may pass through, listed per tag.
    let tag_attrs = hashmap![
        "span" => hashset!["id"]
    ];
    Builder::new()
        .tags(tags)
        .tag_attributes(tag_attrs)
        .clean(source)
        .to_string()
}
Details
- Only tags, and attributes for those tags, that are explicitly added will be allowed through
- Permitted tags are added to the tags hashset and passed to the Builder via .tags()
- Attributes are defined for each tag in the tag_attrs hashmap and added via .tag_attributes()
- The output is returned as a string. In the example above, the result is:
<span id="alfa">charlie</span>
Installation
Installing the crate is done with:
cargo add ammonia
cargo add maplit
The maplit crate provides the macros used in the example to make the hashsets and hashmap. It's not required. Using the std hash features works as well.
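A companion check for the allowlist described under Details, using the std collections mentioned above instead of maplit. This is an added example, not code from the original page or from the ammonia project: a std-only audit that reports any tag or attribute outside the policy, meant as a unit-test assertion on already-sanitized output rather than as a sanitizer. The helper names policy and audit are hypothetical and the sample markup is constructed.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical helper: the page's allowlist (span, with id) built with std instead of maplit.
fn policy() -> (HashSet<&'static str>, HashMap<&'static str, HashSet<&'static str>>) {
    (HashSet::from(["span"]), HashMap::from([("span", HashSet::from(["id"]))]))
}

// Hypothetical helper: lists every tag or attribute in `html` the allowlist does not permit.
// Assumes serializer-style markup: double-quoted attribute values, `<` escaped in text.
fn audit(html: &str, tags: &HashSet<&str>, attrs: &HashMap<&str, HashSet<&str>>) -> Vec<String> {
    let mut found = Vec::new();
    let mut rest = html;
    while let Some(open) = rest.find('<') {
        rest = &rest[open + 1..];
        // Find the closing '>' that is not inside a quoted attribute value.
        let mut quoted = false;
        let end = rest.char_indices().find(|&(_, c)| {
            quoted ^= c == '"';
            c == '>' && !quoted
        }).map_or(rest.len(), |(i, _)| i);
        let inner = rest[..end].trim_end_matches('/');
        rest = &rest[end..];
        // Closing tags, comments and doctypes carry nothing to check.
        if inner.starts_with(|c: char| c == '/' || c == '!') { continue; }
        let (name, tail) = inner.split_once(char::is_whitespace).unwrap_or((inner, ""));
        let name = name.to_ascii_lowercase();
        if !tags.contains(name.as_str()) {
            found.push(format!("tag <{name}> not allowed"));
            continue;
        }
        // Pieces 0, 2, 4, ... of a split on '"' lie outside the attribute values.
        for piece in tail.split('"').step_by(2) {
            for attr in piece.split_whitespace().filter_map(|a| a.split('=').next()) {
                let ok = attrs.get(name.as_str()).map_or(false, |set| set.contains(attr));
                if !attr.is_empty() && !ok {
                    found.push(format!("attribute {attr} on <{name}> not allowed"));
                }
            }
        }
    }
    found
}

fn main() {
    let (tags, tag_attrs) = policy();
    // Constructed sample: the page's input before sanitizing, so two findings are expected.
    let raw = r#"<div><span id="alfa" class="bravo">charlie</span></div>"#;
    println!("{:#?}", audit(raw, &tags, &tag_attrs));
}
```

In a test suite, asserting that audit returns an empty list for the string produced by the sanitizing function catches an allowlist that has drifted wider than intended.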
References
- "Designed to prevent cross-site scripting, layout breaking, and clickjacking caused by untrusted user-provided HTML being mixed into a larger web page"
- This is what ammonia uses under the hood for parsing
- The main struct for setting up a sanitize run