html_sanitize

The 'html_sanitize' directive configures NGINX to sanitize HTML input by allowing only specified elements, attributes, and CSS properties.

Syntax: html_sanitize on | off;
Default: off
Context: location
Arguments: flag

Description

The 'html_sanitize' directive is part of the NGINX HTML Sanitization module, which uses gumbo-parser to parse HTML5 and katana-parser to parse inline CSS. The directive is used in a 'location' context to apply sanitization rules to the HTML content handled there, so that the output contains only the allowlisted elements and attributes defined by the administrator.

When the directive is set to 'on', any HTML content passing through that location is sanitized: the HTML is parsed, its elements and attributes are identified, and anything not explicitly allowed is filtered out. Because only validated HTML is returned to the client, this mitigates XSS (Cross-Site Scripting) vulnerabilities. The lists of allowed elements, attributes, and CSS properties are customized with the related directives 'html_sanitize_element', 'html_sanitize_attribute', and 'html_sanitize_style_property'.

Config Example

location /sanitize {
    html_sanitize on;
    html_sanitize_element div;
    html_sanitize_attribute src;
    html_sanitize_style_property color;
}

Ensure you explicitly allow all necessary elements and attributes; otherwise, they will be stripped from the output.

Remember that enabling sanitization can alter valid HTML if not configured correctly, potentially breaking your pages.
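The allowlist filtering described above, as an added illustration that is not the module's code (the module itself uses gumbo-parser and katana-parser): a small Python sanitizer driven by the same three allowlists as the config example. The 'p' element, the 'style' attribute, and the discarding of script/style text are assumed choices for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists mirror the page's config (div/src/color); "p" and "style" are assumed extras.
ALLOWED_ELEMENTS = {"div", "p"}
ALLOWED_ATTRIBUTES = {"src", "style"}
ALLOWED_STYLE_PROPERTIES = {"color"}

def sanitize_style(value):
    # Keep only allowlisted CSS declarations from an inline style value.
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        if sep and prop.strip().lower() in ALLOWED_STYLE_PROPERTIES:
            kept.append(f"{prop.strip().lower()}: {val.strip()}")
    return "; ".join(kept)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = 0  # >0 inside <script>/<style>; their text is discarded too
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropped += 1
            return
        if tag not in ALLOWED_ELEMENTS:
            return  # unknown element: the tag goes, its text content stays
        parts = []
        for name, value in attrs:
            if name == "style" and value:
                value = sanitize_style(value)
            if name not in ALLOWED_ATTRIBUTES or not value:
                continue  # disallowed, valueless, or a style with nothing left
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.dropped = max(0, self.dropped - 1)
        elif tag in ALLOWED_ELEMENTS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.dropped:
            self.out.append(escape(data, quote=False))

def sanitize_html(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Feeding it `<div src="a.png" style="color: red; position: fixed" onclick="x()"><script>alert(1)</script><b>hi</b> &amp; bye</div>` yields `<div src="a.png" style="color: red">hi &amp; bye</div>`: the event handler, the non-allowlisted CSS property, the script and the unknown tag are all removed.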
