{"id":28425386,"url":"https://github.com/youzan/ngx_http_html_sanitize_module","last_synced_at":"2025-10-25T12:42:52.736Z","repository":{"id":81153911,"uuid":"88727711","full_name":"youzan/ngx_http_html_sanitize_module","owner":"youzan","description":"It's a nginx http module to sanitize HTML5 with whitelisted elements, whitelisted attributes and whitelisted CSS property","archived":false,"fork":false,"pushed_at":"2019-08-08T22:07:21.000Z","size":2263,"stargazers_count":15,"open_issues_count":1,"forks_count":9,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-06-05T10:50:33.324Z","etag":null,"topics":["html-sanitizer","nginx","xss"],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/youzan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-04-19T09:39:12.000Z","updated_at":"2022-11-18T03:50:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"cdd47508-3ca9-43b8-8054-acb44ea0edea","html_url":"https://github.com/youzan/ngx_http_html_sanitize_module","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/youzan/ngx_http_html_sanitize_module","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/youzan%2Fngx_http_html_sanitize_module","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/youzan%2Fngx_http_html_sanitize_module/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/youzan%2Fngx_http_html_sanitize_module/releases","manifests_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/repositories/youzan%2Fngx_http_html_sanitize_module/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/youzan","download_url":"https://codeload.github.com/youzan/ngx_http_html_sanitize_module/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/youzan%2Fngx_http_html_sanitize_module/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262022131,"owners_count":23246264,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["html-sanitizer","nginx","xss"],"created_at":"2025-06-05T10:37:22.404Z","updated_at":"2025-10-25T12:42:52.730Z","avatar_url":"https://github.com/youzan.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"[gumbo-parser]: https://github.com/google/gumbo-parser\n[katana-parser]: https://github.com/hackers-painters/katana-parser\n[google/gumbo-parser]: https://github.com/google/gumbo-parser\n[hackers-painters/katana-parser]: https://github.com/hackers-painters/katana-parser\n[nginx]: https://nginx.org/\n[license]: /license\n[expression]: https://msdn.microsoft.com/en-us/library/ms537634(v=vs.85).aspx\n[ngx_http_html_sanitize_module]: https://github.com/youzan/ngx_http_html_sanitize_module\n[url]: https://developer.mozilla.org/en-US/docs/Web/CSS/url\n[linkable_attribute]: #linkable_attribute\n[directive]: #directive\n[html_sanitize]: #html_sanitize\n[html_sanitize_hash_max_size]: #html_sanitize_hash_max_size\n[html_sanitize_hash_bucket_size]: 
#html_sanitize_hash_bucket_size\n[html_sanitize_element]: #html_sanitize_element\n[html_sanitize_attribute]: #html_sanitize_attribute\n[html_sanitize_style_property]: #html_sanitize_style_property\n[html_sanitize_url_protocol]: #html_sanitize_url_protocol\n[html_sanitize_url_domain]: #html_sanitize_url_domain\n[html_sanitize_iframe_url_protocol]: #html_sanitize_iframe_url_protocol\n[html_sanitize_iframe_url_domain]: #html_sanitize_iframe_url_domain\n[querystring]: #querystring\n[document]: #document\n[html]: #html\n[script]: #script\n[style]: #style\n[namespace]: #namespace\n[context]: #context\n[element]: #element\n[attribute]: #attribute\n[style_property]: #style_property\n[style_property_value]: #style_property_value\n[url_protocol]: #url_protocol\n[url_domain]: #url_domain\n[iframe_url_protocol]: #iframe_url_protocol\n[iframe_url_domain]: #iframe_url_domain\n\nName\n====\n\n[ngx_http_html_sanitize_module] - It is based on Google's [gumbo-parser] as the HTML5 parser and hackers-painters' [katana-parser] as the inline CSS parser, and sanitizes HTML with whitelisted elements, whitelisted attributes and whitelisted CSS properties.\n\nTOC\n=================\n\n* [Name](#name)\n* [Status](#status)\n* [Example](#example)\n* [Description](#description)\n* [Benchmark](#benchmark)\n* [TODO](#todo)\n* [Directive](#directive)\n  * [html_sanitize](#html_sanitize)\n  * [html_sanitize_hash_max_size](#html_sanitize_hash_max_size)\n  * [html_sanitize_hash_bucket_size](#html_sanitize_hash_bucket_size)\n  * [html_sanitize_element](#html_sanitize_element)\n  * [html_sanitize_attribute](#html_sanitize_attribute)\n  * [html_sanitize_url_protocol](#html_sanitize_url_protocol)\n  * [html_sanitize_url_domain](#html_sanitize_url_domain)\n  * [html_sanitize_iframe_url_protocol](#html_sanitize_iframe_url_protocol)\n  * [html_sanitize_iframe_url_domain](#html_sanitize_iframe_url_domain)\n* [Querystring](#querystring)\n  * [document](#document)\n  * [html](#html)\n  * [script](#script)\n  * 
[style](#style)\n  * [namespace](#namespace)\n  * [context](#context)\n  * [element](#element)\n  * [attribute](#attribute)\n  * [style_property](#style_property)\n  * [style_property_value](#style_property_value)\n  * [url_protocol](#url_protocol)\n  * [url_domain](#url_domain)\n  * [iframe_url_protocol](#iframe_url_protocol)\n  * [iframe_url_domain](#iframe_url_domain)\n* [Copyright](#copyright)\n\n\nStatus\n======\n[![Build Status](https://travis-ci.org/youzan/ngx_http_html_sanitize_module.svg?branch=master)](https://travis-ci.org/youzan/ngx_http_html_sanitize_module)\n\nProduction Ready :-)\n\n\nExample\n=======\n\nThe following is an example [nginx] configuration that follows the element list at [https://dev.w3.org/html5/html-author/#the-elements](https://dev.w3.org/html5/html-author/#the-elements):\n\n```nginx\nserver {\n    listen 8888;\n\n    location = /sanitize {\n        # Explicitly set utf-8 encoding\n        add_header Content-Type \"text/html; charset=UTF-8\";\n\n        client_body_buffer_size 10M;\n        client_max_body_size 10M;\n\n        html_sanitize on;\n\n        # Check https://dev.w3.org/html5/html-author/#the-elements\n\n        # Root Element\n        html_sanitize_element html;\n\n        # Document Metadata\n        html_sanitize_element head title base link meta style;\n\n        # Scripting\n        html_sanitize_element script noscript;\n\n        # Sections\n        html_sanitize_element body section nav article aside h1 h2 h3 h4 h5 h6 header footer address;\n\n        # Grouping Content\n        html_sanitize_element p hr br pre dialog blockquote ol ul li dl dt dd;\n\n        # Text-Level Semantics\n        html_sanitize_element a q cite em strong small mark dfn abbr time progress meter code var samp kbd sub sup span i b bdo ruby rt rp;\n\n        # Edits\n        html_sanitize_element ins del;\n\n        # Embedded Content\n        html_sanitize_element figure img iframe embed object param video audio source canvas map area;\n\n      
  # Tabular Data\n        html_sanitize_element table caption colgroup col tbody thead tfoot tr td th;\n\n        # Forms\n        html_sanitize_element form fieldset label input button select datalist optgroup option textarea output;\n\n        # Interactive Elements\n        html_sanitize_element details command bb menu;\n\n        # Miscellaneous Elements\n        html_sanitize_element legend div;\n\n        html_sanitize_attribute *.style;\n        html_sanitize_attribute a.href a.hreflang a.name a.rel;\n        html_sanitize_attribute col.span col.width colgroup.span colgroup.width;\n        html_sanitize_attribute data.value del.cite del.datetime;\n        html_sanitize_attribute img.align img.alt img.border img.height img.src img.width;\n        html_sanitize_attribute ins.cite ins.datetime li.value ol.reversed ol.start ol.type ul.type;\n        html_sanitize_attribute table.align table.bgcolor table.border table.cellpadding table.cellspacing table.frame table.rules table.sortable table.summary table.width;\n        html_sanitize_attribute td.abbr td.align td.axis td.colspan td.headers td.rowspan td.valign td.width;\n        html_sanitize_attribute th.abbr th.align th.axis th.colspan th.rowspan th.scope th.sorted th.valign th.width;\n\n        html_sanitize_style_property color font-size;\n\n        html_sanitize_url_protocol http https tel;\n        html_sanitize_url_domain *.google.com google.com;\n\n        html_sanitize_iframe_url_protocol http https;\n        html_sanitize_iframe_url_domain  facebook.com *.facebook.com;\n    }\n}\n```\n\nIt is recommended to use the command below to sanitize HTML5:\n\n```bash\n$ curl -X POST -d \"\u003ch1\u003eHello World \u003c/h1\u003e\" \"http://127.0.0.1:8888/sanitize?element=2\u0026attribute=1\u0026style_property=1\u0026style_property_value=1\u0026url_protocol=1\u0026url_domain=0\u0026iframe_url_protocol=1\u0026iframe_url_domain=0\"\n\n\u003ch1\u003eHello World \u003c/h1\u003e\n```\n\nThis querystring 
`element=2\u0026attribute=1\u0026style_property=1\u0026style_property_value=1\u0026url_protocol=1\u0026url_domain=0\u0026iframe_url_protocol=1\u0026iframe_url_domain=0` has the following meaning:\n\n* element=2: output only the elements whitelisted by [html_sanitize_element]\n* attribute=1: output all attributes (the [html_sanitize_attribute] whitelist applies only with attribute=2)\n* style_property=1: output all style properties (the [html_sanitize_style_property] whitelist applies only with style_property=2)\n* style_property_value=1: check style values for the [url] function and the [expression] function to avoid XSS injection, see [style_property_value]\n* url_protocol=1: check absolute URLs against the protocols whitelisted by [html_sanitize_url_protocol]\n* url_domain=0: do not check the URL domain of absolute URLs\n* iframe_url_protocol=1: the same as [url_protocol] but only for `iframe.src`, using [html_sanitize_iframe_url_protocol]\n* iframe_url_domain=0: the same as [url_domain] but only for `iframe.src`, using [html_sanitize_iframe_url_domain]\n\nWith [ngx_http_html_sanitize_module], the [directive] and [querystring] settings specify which HTML5 elements, attributes and inline CSS properties are output, as follows:\n\nwhitelisted element\n-------------------\n\n* disable element:\n\n  if we do not want to output any element, we can do the following:\n\n```bash\n$ curl -X POST -d \"\u003ch1\u003eh1\u003c/h1\u003e\" http://127.0.0.1:8888/sanitize?element=0\n\n```\n\n* enable element:\n\n  if we want to output any element, we can do the following:\n```bash\n$ curl -X POST -d \"\u003ch1\u003eh1\u003c/h1\u003e\u003ch7\u003eh7\u003c/h7\u003e\" http://127.0.0.1:8888/sanitize?element=1\n\n\u003ch1\u003eh1\u003c/h1\u003e\u003ch7\u003eh7\u003c/h7\u003e\n\n```\n\n* enable whitelisted element:\n\n  if we want to output only whitelisted elements, we can do the following:\n\n```bash\n$ curl -X POST -d \"\u003ch1\u003eh1\u003c/h1\u003e\u003ch7\u003eh7\u003c/h7\u003e\" http://127.0.0.1:8888/sanitize?element=2\n\n\u003ch1\u003eh1\u003c/h1\u003e\n```\n\nwhitelisted 
attribute\n---------------------\n\n* disable attribute:\n\n  if we do not want to output any attribute, we can do the following:\n\n```bash\n$ curl -X POST -d \"\u003ch1 ha=\\\"ha\\\"\u003eh1\u003c/h1\u003e\" \"http://127.0.0.1:8888/sanitize?element=1\u0026attribute=0\"\n\n\u003ch1\u003eh1\u003c/h1\u003e\n```\n\n* enable attribute:\n\n  if we want to output any attribute, we can do the following:\n```bash\n$ curl -X POST -d \"\u003ch1 ha=\\\"ha\\\"\u003eh1\u003c/h1\u003e\" \"http://127.0.0.1:8888/sanitize?element=1\u0026attribute=1\"\n\n\u003ch1 ha=\"ha\"\u003eh1\u003c/h1\u003e\n\n```\n\n* enable whitelisted attribute:\n\n  if we want to output only whitelisted attributes, we can do the following:\n\n```bash\n$ curl -X POST -d \"\u003cimg src=\\\"/\\\" ha=\\\"ha\\\" /\u003e\" \"http://127.0.0.1:8888/sanitize?element=1\u0026attribute=2\"\n\n\u003cimg src=\"/\" /\u003e\n```\n\nwhitelisted style property\n---------------------\n\n* disable style property:\n\n  if we do not want to output any style property, we can do the following:\n\n```bash\n# No style property is output\n$ curl -X POST -d \"\u003ch1 style=\\\"color:red;\\\"\u003eh1\u003c/h1\u003e\" \"http://127.0.0.1:8888/sanitize?element=1\u0026attribute=1\u0026style_property=0\"\n\n\u003ch1\u003eh1\u003c/h1\u003e\n```\n\n* enable style property:\n\n  if we want to output any style property, we can do the following:\n```bash\n$ curl -X POST -d \"\u003ch1 style=\\\"color:red;text-align:center;\\\"\u003eh1\u003c/h1\u003e\" \"http://127.0.0.1:8888/sanitize?element=1\u0026attribute=1\u0026style_property=1\"\n\n\u003ch1 style=\"color:red;text-align:center\"\u003eh1\u003c/h1\u003e\n```\n\n* enable whitelisted style property:\n\n  if we want to output only whitelisted style properties, we can do the following:\n\n```bash\n$ curl -X POST -d \"\u003ch1 style=\\\"color:red;text-align:center;\\\" \u003eh1\u003c/h1\u003e\" \"http://127.0.0.1:8888/sanitize?element=1\u0026attribute=1\u0026style_property=2\"\n\n\u003ch1 style=\"color:red;\"\u003eh1\u003c/h1\u003e\n```\n\nDescription\n===========\n\n[ngx_http_html_sanitize_module] is currently implemented on top of [gumbo-parser] and [katana-parser]. We combine the two and run them on [nginx] as a central web service, maintained by professional security people, so that sanitization does not differ between programming languages. For higher performance (see the [benchmark](#benchmark)), it is recommended to write a language-level library wrapping the pure C libraries, which avoids the overhead of network transmission.\n\nBenchmark\n=========\n\nTesting with `wrk -s benchmarks/shot.lua -d 60s \"http://127.0.0.1:8888\"` on Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz and 64GB memory\n\n| Name | Size | Avg Latency | QPS |\n| ------------- |:-------------:| -----:| -----:|\n| [hacker_news.html](/benchmarks/hacker_news.html) | 30KB | 9.06ms | 2921.82 |\n| [baidu.html](/benchmarks/baidu.html) | 76KB | 13.41ms | 1815.75 |\n| [arabic_newspapers.html](/benchmarks/arabic_newspapers.html) | 78KB | 16.58ms | 1112.70 |\n| [bbc.html](/benchmarks/bbc.html) | 115KB | 17.96ms | 993.12 |\n| [xinhua.html](/benchmarks/xinhua.html) | 323KB | 33.37ms | 275.39 |\n| [google.html](/benchmarks/google.html) | 336KB | 26.78ms | 351.54 |\n| [yahoo.html](/benchmarks/yahoo.html) | 430KB | 29.16ms | 323.04 |\n| [wikipedia.html](/benchmarks/wikipedia.html) | 511KB | 57.62ms | 160.10 |\n| [html5_spec.html](/benchmarks/html5_spec.html) | 7.7MB | 1.63s | 2.00 |\n\nTODO\n===========\n\n* gumbo-parser (hard): Improvement with SSE-4.2 to speed up string processing\n* gumbo-parser (hard): Additional performance improvements at the algorithm level\n* katana-parser (hard): Improvement with SSE-4.2 to speed up string processing\n* katana-parser (hard): Additional performance improvements at the algorithm level\n* directive (optional): Add mode directives to carefully control HTML5 and inline CSS output\n* 
html_sanitize_attribute (hard): Add a new algorithm in place of the current hash find to reduce memory allocation\n* tests (easy): Pass more XSS security tests\n* querystring (optional): Allow a foreign whitelisted querystring to control the whitelisted elements, attributes and style_properties.\n\nA tip for optimizing performance is to study the On-CPU flame graph below:\n\n[![flamegraph](https://cdn.rawgit.com/youzan/ngx_http_html_sanitize_module/master/flamegraphs/html_sanitize_gumbo_parse.svg)](https://cdn.rawgit.com/youzan/ngx_http_html_sanitize_module/master/flamegraphs/html_sanitize_gumbo_parse.svg)\n\nDirective\n========\n\nhtml_sanitize\n-------------\n\n**syntax:** *html_sanitize on | off*\n\n**default:** *html_sanitize on*\n\n**context:** *location*\n\nSpecifies whether to enable the HTML sanitize handler in the location context.\n\n\nhtml_sanitize_hash_max_size\n---------------------------\n\n**syntax:** *html_sanitize_hash_max_size size*\n\n**default:** *html_sanitize_hash_max_size 2048*\n\n**context:** *location*\n\nSets the maximum size of the element, attribute, style_property, url_protocol, url_domain, iframe_url_protocol and iframe_url_domain hash tables.\n\nhtml_sanitize_hash_bucket_size\n---------------------------\n\n**syntax:** *html_sanitize_hash_bucket_size size*\n\n**default:** *html_sanitize_hash_bucket_size 32|64|128*\n\n**context:** location\n\nSets the bucket size for the element, attribute, style_property, url_protocol, url_domain, iframe_url_protocol and iframe_url_domain hash tables. 
The default value depends on the size of the processor’s cache line.\n\nhtml_sanitize_element\n---------------------------\n\n**syntax:** *html_sanitize_element element ...*\n\n**default:** -\n\n**context:** location\n\nSets the whitelisted HTML5 elements. The whitelist is used when the querystring [element] is set to whitelist mode. For example:\n\n```nginx\nhtml_sanitize_element html head body;\n```\n\nhtml_sanitize_attribute\n---------------------------\n\n**syntax:** *html_sanitize_attribute attribute ...*\n\n**default:** -\n\n**context:** location\n\nSets the whitelisted HTML5 attributes. The whitelist is used when the querystring [attribute] is set to whitelist mode. For example:\n\n```nginx\nhtml_sanitize_attribute a.href h1.class;\n```\n\nPS: the attribute format must be `element.attribute`; `*.attribute` (prefix asterisk) and `element.*` (suffix asterisk) are also supported.\n\nhtml_sanitize_style_property\n---------------------------\n\n**syntax:** *html_sanitize_style_property property ...*\n\n**default:** -\n\n**context:** location\n\nSets the whitelisted CSS properties. The whitelist is used when the querystring [style_property] is set to whitelist mode. For example:\n\n```nginx\nhtml_sanitize_style_property color background-color;\n```\n\nhtml_sanitize_url_protocol\n---------------------------\n\n**syntax:** *html_sanitize_url_protocol [protocol] ...*\n\n**default:** -\n\n**context:** location\n\nSets the allowed URL protocols for a [linkable attribute](#linkable_attribute). The check applies only when the URL is absolute rather than relative, and only when the URL protocol check is enabled by setting the querystring [url_protocol] to check mode. For example:\n\n```nginx\nhtml_sanitize_url_protocol http https tel;\n```\n\nhtml_sanitize_url_domain\n------------------------\n\n**syntax:** *html_sanitize_url_domain domain ...*\n\n**default:** -\n\n**context:** location\n\nSets the allowed URL domains for a [linkable attribute](#linkable_attribute). The check applies only when the URL is absolute rather than relative, and only when both the URL protocol check and the URL domain check are enabled by setting the querystring [url_protocol] and the querystring [url_domain] to check mode. For example:\n\n```nginx\nhtml_sanitize_url_domain *.google.com google.com;\n```\n\nhtml_sanitize_iframe_url_protocol\n--------------------------------\n\n**syntax:** *html_sanitize_iframe_url_protocol [protocol] ...*\n\n**default:** -\n\n**context:** location\n\nThe same as [html_sanitize_url_protocol] but only for the `iframe.src` attribute.\n\n```nginx\nhtml_sanitize_iframe_url_protocol http https tel;\n```\n\nhtml_sanitize_iframe_url_domain\n--------------------------------\n\n**syntax:** *html_sanitize_iframe_url_domain domain ...*\n\n**default:** -\n\n**context:** location\n\nThe same as [html_sanitize_url_domain] but only for the `iframe.src` attribute.\n\n```nginx\nhtml_sanitize_iframe_url_domain *.facebook.com facebook.com;\n```\n\nlinkable_attribute\n=================\nThe linkable attributes are the following:\n\n* a.href\n* blockquote.cite\n* q.cite\n* del.cite\n* img.src\n* ins.cite\n* iframe.src\n* CSS URL function\n\nQuerystring\n==========\nThe querystring of the request URL controls the internal behavior of [ngx_http_html_sanitize_module].\n\ndocument\n--------\n**value:** *0 or 1*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies whether to append `\u003c!DOCTYPE\u003e` to the response body.\n\nhtml\n--------\n**value:** *0 or 1*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies whether to append `\u003chtml\u003e\u003c/html\u003e` to the response body.\n\n\nscript\n--------\n**value:** *0 or 1*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies whether to allow `\u003cscript\u003e\u003c/script\u003e`.\n\nstyle\n--------\n**value:** *0 or 1*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies whether to allow `\u003cstyle\u003e\u003c/style\u003e`.\n\nnamespace\n--------\n**value:** *0, 1 or 2*\n\n**default:** *0*\n\n**context:** 
querystring\n\nSpecifies the mode of gumbo-parser. The values are as follows:\n\n* GUMBO_NAMESPACE_HTML: 0\n* GUMBO_NAMESPACE_SVG: 1\n* GUMBO_NAMESPACE_MATHML: 2\n\ncontext\n--------\n**value:** *[0, 150)*\n\n**default:** *38(GUMBO_TAG_DIV)*\n\n**context:** querystring\n\nSpecifies the context of gumbo-parser. The values are listed in the file [tag_enum.h](tag_enum.h).\n\nelement\n--------\n**value:** *0, 1, 2*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies the element output mode. The values are as follows:\n\n   * 0: do not output element\n   * 1: output all elements\n   * 2: output whitelisted elements\n\nattribute\n--------\n**value:** *0, 1, 2*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies the attribute output mode. The values are as follows:\n\n   * 0: do not output attributes\n   * 1: output all attributes\n   * 2: output whitelisted attributes\n\nstyle_property\n--------\n**value:** *0, 1, 2*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies the CSS property output mode. The values are as follows:\n\n  * 0: do not output CSS properties\n  * 1: output all CSS properties\n  * 2: output whitelisted CSS properties\n\nstyle_property_value\n--------\n**value:** *0, 1*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies the CSS property value check mode. The values are as follows:\n\n  * 0: do not check the CSS property's value\n  * 1: check the CSS property's value for the [url] function and IE's expression function to avoid XSS injection\n\nurl_protocol\n-----------\n**value:** *0, 1*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies whether to check the URL protocol at [linkable_attribute]. The values are as follows:\n\n  * 0: do not check the URL protocol\n  * 1: output whitelisted URL protocol\n\nurl_domain\n----------\n**value:** *0, 1*\n\n**default:** *0*\n\n**context:** querystring\n\nSpecifies whether to check the URL domain at [linkable_attribute] when the [url_protocol] check is enabled. 
The values are as follows:\n\n  * 0: do not check the URL domain\n  * 1: output whitelisted URL domain\n\niframe_url_protocol\n--------\n**value:** *0, 1*\n\n**default:** *0*\n\n**context:** querystring\n\nThe same as [url_protocol] but only for `iframe.src`.\n\niframe_url_domain\n--------\n**value:** *0, 1*\n\n**default:** *0*\n\n**context:** querystring\n\nThe same as [url_domain] but only for `iframe.src`.\n\nCopyright\n========\n[ngx_http_html_sanitize_module] is licensed under the Apache License, Version 2.0. See [LICENSE] for the complete license text.\n\nCopyright 2017, By detailyang \"Yang Bingwu\" Youzan Inc. All Rights Reserved.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n  http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n\nNotice\n-----\nNote that [ngx_http_html_sanitize_module] bundles several projects with different licenses, as follows:\n\ngoogle/gumbo-parser: [https://github.com/google/gumbo-parser](https://github.com/google/gumbo-parser)\n\nhackers-painters/katana-parser: [https://github.com/hackers-painters/katana-parser](https://github.com/hackers-painters/katana-parser)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyouzan%2Fngx_http_html_sanitize_module","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyouzan%2Fngx_http_html_sanitize_module","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyouzan%2Fngx_http_html_sanitize_module/lists"}