html_sanitize_url_protocol
The html_sanitize_url_protocol directive specifies allowed URL protocols for links in sanitized HTML content.
Description
The html_sanitize_url_protocol directive is part of the NGINX HTML sanitization module and is designed to ensure that only whitelisted URL protocols are permitted in sanitized HTML output. This directive can be especially useful in applications where user-generated content is processed, helping to prevent potential security risks associated with malicious links. By explicitly defining which protocols are allowed (e.g., http, https), the directive filters URLs and prevents the inclusion of harmful content by stripping away any links that do not conform to the specified protocols.
You can configure multiple allowed protocols by specifying them as arguments to this directive. When the server processes an incoming request, it checks each URL present in the sanitized HTML content against the list of allowed protocols. If the protocol of a particular link is not included in this list, the link is discarded during the sanitization process. This enhances security by minimizing exposure to untrusted or unsafe protocols while preserving the functionality of user-generated content that adheres to the defined standards.
Config Example
    location /sanitize {
        html_sanitize;
        html_sanitize_url_protocol http https;
    }

Ensure that at least one protocol is specified; otherwise, no URLs will be allowed.
If you specify multiple protocols, they must be separated by spaces.
The directive only applies to attributes that accept URL values such as href and src.
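The following is an added example, not code from the NGINX module this page documents. It models the behaviour the page describes in Python: an allow-list of URL protocols is applied to the href and src attributes of HTML, and any such attribute whose protocol is not on the list is dropped. Two details are assumptions of this example rather than statements from the page: scheme-less (relative) URLs are kept by default, and the scheme is recognised only after entity decoding and after leading ASCII controls and whitespace are removed, which is what a browser does before it interprets a URL, so "&#106;avascript:" and "  javascript:" are both treated as the javascript protocol rather than slipping past the check as scheme-less.

```python
import re
from html import escape
from html.parser import HTMLParser

# Attributes that carry URL values (the page names href and src).
URL_ATTRS = {"href", "src"}

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))  # C0 controls and space


def url_scheme(value):
    """Return the lower-cased scheme of a URL value, or None for a relative URL.

    Assumption: normalise the way a browser's URL parser does before deciding
    (tab, CR, LF removed anywhere; leading controls and spaces stripped) so that
    disguised schemes are still recognised as schemes.
    """
    cleaned = value.replace("\t", "").replace("\n", "").replace("\r", "")
    cleaned = cleaned.lstrip(_LEADING_JUNK)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


class UrlProtocolSanitizer(HTMLParser):
    """Rebuilds the HTML, dropping href/src attributes whose scheme is not allowed."""

    def __init__(self, allowed_protocols, keep_relative=True):
        super().__init__()  # convert_charrefs=True: text and attribute values arrive decoded
        self.allowed = {p.lower() for p in allowed_protocols}
        self.keep_relative = keep_relative  # assumption: relative URLs pass by default
        self.out = []
        self.dropped = []  # (tag, attribute, original value) for logging or metrics

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                scheme = url_scheme(value)
                if scheme is None and not self.keep_relative:
                    self.dropped.append((tag, name, value))
                    continue
                if scheme is not None and scheme not in self.allowed:
                    self.dropped.append((tag, name, value))
                    continue
            kept.append((name, value))
        return kept

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            # Re-escape values on output so decoded entities cannot break out of the attribute.
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, self._filter_attrs(tag, attrs), False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, self._filter_attrs(tag, attrs), True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_url_protocols(html_text, allowed_protocols, keep_relative=True):
    """Return (sanitized_html, dropped_attributes) for the given protocol allow-list."""
    parser = UrlProtocolSanitizer(allowed_protocols, keep_relative)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample input covering an allowed link, two disguised javascript:
# links, a relative link and a data: image.
SAMPLE = (
    '<p>See <a href="https://example.com/doc">the doc</a>, '
    '<a href="  JavaScript:void(0)">click</a>, '
    '<a href="java&#115;cript:void(0)">me</a>, '
    '<a href="/relative/path">local</a> and '
    '<img src="data:image/png;base64,AAAA" alt="x"></p>'
)

if __name__ == "__main__":
    cleaned, dropped = sanitize_url_protocols(SAMPLE, ["http", "https"])
    print(cleaned)
    for tag, attr, value in dropped:
        print(f"dropped <{tag} {attr}>: {value!r}")
```

With the page's configuration of http and https, the first and fourth links survive, both javascript: variants and the data: image source lose their URL attribute, and the element itself remains in place with its other attributes. Passing an empty allow-list reproduces the note above: every URL that carries a protocol is removed.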