Tags: javascript, node.js, xss, google-caja

How to whitelist tags with Google's Caja HTML Sanitizer under node.js?


I'm using the npm package Caja-HTML-Sanitizer under node.js.

I can sanitize the HTML input using the sanitizer() function, but how do I use a whitelist to only allow certain tags (e.g. p, br, strong)?

Thanks!


Solution

  • That package doesn't look like it's up to date — the actual sanitizer file is at least three years old (according to the git timestamp). I wouldn't recommend using that version.

    Unfortunately, there is currently no parameter to the sanitizer which simply supplies an alternate whitelist. (There are reasons this might change in the future, but that hasn't happened yet.)

    • The most straightforward way to modify the built-in whitelist is to obtain a Caja source tree, modify src/com/google/caja/lang/html/*-whitelist.json and rebuild ($ ant); the sanitizer in the same form as you found is built in ant-lib/com/google/caja/plugin/html-sanitizer-bundle.js.

    • You can also customize the behavior directly using the tag policy. Instead of calling sanitize(html), use sanitizeWithPolicy:

      // 'html' is the sanitizer namespace exported by the Caja package you loaded.
      var basicPolicy = html.makeTagPolicy();
      // Tags to allow; the set named in the question (p, br, strong).
      var allowedTags = { p: true, br: true, strong: true };
      function customPolicy(tagName, attribs) {
          // Delegate whitelisted tags to the built-in policy so its attribute
          // handling still applies; for any other tag the function returns
          // undefined, which tells the sanitizer to drop the element.
          if (allowedTags.hasOwnProperty(String(tagName).toLowerCase())) {
              return basicPolicy(tagName, attribs);
          }
      }

      function sanitizeRestricted(input) {
          return html.sanitizeWithPolicy(input, customPolicy);
      }
      

      However, this requires you to program your desired restriction rather than using the existing whitelist logic with existing data. It is also more sensitive to possible changes to the sanitizer API in the future.
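A fuller version of the tag-policy approach, added here as an example and not code from the answer or from Caja: it builds a policy that whitelists tags and, per tag, attribute names, then delegates to the built-in policy so Caja's own attribute checks still run. It assumes the Caja policy contract (attribs passed as an alternating [name, value, ...] array; return {attribs: [...]} to keep the element or null to drop it); `naiveBasePolicy` is a stand-in for `html.makeTagPolicy()` so the file runs without the package.

```javascript
// allowed maps a tag name to the attribute names permitted on it,
// e.g. { p: [], br: [], strong: [], a: ['href'] }.
// basePolicy is normally html.makeTagPolicy() from Caja.
function makeWhitelistPolicy(allowed, basePolicy) {
  return function (tagName, attribs) {
    var name = String(tagName).toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(allowed, name)) {
      return null; // not whitelisted: Caja drops the element
    }
    var allowedAttrs = allowed[name];
    var kept = [];
    // attribs alternates name, value, name, value, ...
    for (var i = 0; i + 1 < attribs.length; i += 2) {
      var attrName = String(attribs[i]).toLowerCase();
      if (allowedAttrs.indexOf(attrName) !== -1) {
        kept.push(attrName, attribs[i + 1]);
      }
    }
    // Delegate so the built-in policy's attribute/URI sanitization
    // still applies to whatever survived the whitelist.
    return basePolicy(name, kept);
  };
}

// Stand-in for html.makeTagPolicy() (assumption for offline use): it only
// reproduces the record shape and performs no attribute-value sanitization.
function naiveBasePolicy(tagName, attribs) {
  return { attribs: attribs };
}

// Glue for the real package: 'html' is the sanitizer namespace it exports.
function sanitizeWithWhitelist(html, inputHtml, allowed) {
  var policy = makeWhitelistPolicy(allowed, html.makeTagPolicy());
  return html.sanitizeWithPolicy(inputHtml, policy);
}

// Constructed sample policy matching the question's tag set plus links.
var samplePolicy = makeWhitelistPolicy(
  { p: [], br: [], strong: [], a: ['href'] },
  naiveBasePolicy
);
```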