HTML sanitization for rich text content in entities.
This module provides basic HTML sanitization to prevent XSS attacks while allowing safe HTML tags commonly used in rich text editors.
Allowed Tags
The following tags are allowed:
- Block elements: p, div, br, hr, h1-h6, blockquote, pre, code
- Inline elements: span, strong, b, em, i, u, s, a, sub, sup, mark
- Lists: ul, ol, li
- Tables: table, thead, tbody, tr, th, td
- Media placeholders: img (with src validation)
Removed Content
The following are stripped completely:
- script tags and content
- style tags and content
- event handlers (onclick, onerror, etc.)
- javascript: and data: URLs
- iframe, object, embed tags
Usage
iex> PhoenixKit.Modules.Entities.HtmlSanitizer.sanitize("<p>Hello</p><script>alert('xss')</script>")
"<p>Hello</p>"
iex> PhoenixKit.Modules.Entities.HtmlSanitizer.sanitize("<a href=\"javascript:alert('xss')\">Click</a>")
"<a>Click</a>"
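The policy above (tag allowlist, stripped elements, dropped event handlers and URL schemes) as a small Python reference implementation; this is an added example, not the PhoenixKit module's Elixir code. The attribute allowlist (href, src, title, alt) and the permitted schemes (http, https, mailto) are assumptions, since the page does not list them.

```python
from html.parser import HTMLParser
from html import escape
import re

# Tag allowlist copied from the module docs; the attribute allowlist is an assumption.
ALLOWED_TAGS = {"p", "div", "br", "hr", "h1", "h2", "h3", "h4", "h5", "h6", "blockquote",
                "pre", "code", "span", "strong", "b", "em", "i", "u", "s", "a", "sub", "sup",
                "mark", "ul", "ol", "li", "table", "thead", "tbody", "tr", "th", "td", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src"}
ALLOWED_ATTRS = URL_ATTRS | {"title", "alt"}

def safe_url(value):
    # Strip control chars/whitespace first: browsers ignore them, so "java\tscript:"
    # is still "javascript:". A URL with no scheme at all (relative) is allowed.
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"[a-z][a-z0-9+.-]*:", cleaned)
    return m is None or m.group(0) in ("http:", "https:", "mailto:")

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unlisted tag is dropped; its text content is still emitted (escaped)
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                continue  # event handlers and unlisted attributes are removed
            if name in URL_ATTRS and not safe_url(value):
                continue  # unsafe URL scheme: drop the attribute, keep the element
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in {"br", "hr", "img"}:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    p = Sanitizer()
    p.feed(html); p.close()
    return "".join(p.out)
```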
Functions
sanitize(html)
Sanitizes HTML content by removing dangerous elements and attributes.
Returns a sanitized HTML string that is safe to render.
Parameters
html - The HTML string to sanitize
Examples
iex> PhoenixKit.Modules.Entities.HtmlSanitizer.sanitize("<p onclick=\"alert('xss')\">Hello</p>")
"<p>Hello</p>"
sanitize_rich_text_fields(fields_definition, data)
Sanitizes all rich_text fields in an entity data map.
Takes the entity field definitions and data, and returns the data with all rich_text fields sanitized.
Parameters
fields_definition - List of field definition maps
data - Map of field key => value
Examples
iex> fields = [%{"type" => "rich_text", "key" => "content"}]
iex> data = %{"content" => "<script>alert('xss')</script><p>Hello</p>"}
iex> PhoenixKit.Modules.Entities.HtmlSanitizer.sanitize_rich_text_fields(fields, data)
%{"content" => "<p>Hello</p>"}