bluemonday

bluemonday is a fast, configurable HTML sanitizer for Go. It's an essential tool for protecting web applications from XSS attacks by sanitizing untrusted user-generated content against an allowlist, something I consider crucial for robust security.

Questions & Answers

What is bluemonday?
Bluemonday is a fast and highly configurable HTML sanitizer implemented in Go. It processes untrusted user-generated content, filtering it against an allowlist of approved HTML elements and attributes to prevent Cross-Site Scripting (XSS) attacks.

Who should use bluemonday?
Bluemonday is intended for developers writing server-side Go applications that accept and display user-generated HTML content. It is particularly useful for those who need to protect their web pages against XSS vulnerabilities arising from untrusted input.

How does bluemonday compare to other HTML sanitizers?
Bluemonday is designed for Go applications and is allowlist-based, like the OWASP Java HTML Sanitizer and HTML Purifier. It uses Go's net/html library for fast token-based parsing, focusing on sanitizing input against an allowlist policy rather than on repairing malformed HTML.

When should bluemonday be applied in a data processing pipeline?
Bluemonday should always be run as the final step, after any other content processing such as Markdown rendering with tools like Blackfriday or Pandoc. This order ensures that no unsafe HTML is introduced, or re-introduced, by a later stage of the pipeline.

What are the policy options in bluemonday?
Bluemonday operates on allowlist-based policies, which can be custom-built or selected from two defaults: bluemonday.StrictPolicy(), which strips all HTML elements and attributes and leaves only text content, or bluemonday.UGCPolicy(), which allows a broad range of common HTML elements and attributes suitable for user-generated content.