xssan 0.2.0

Crate that sanitizes HTML to prevent XSS vulnerabilities.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

//! # Allocating sanitization functions
//! This module contains functions that may allocate more memmory and may increase the size of the
//! string containing the text being sanitized.

/// This funcion will replace all occurencies of `<` and `>` with `&lt;` and `&rt;` so they
/// will look when rendered by browser like regular versions of them self's but can not be used
/// to execute JS.
/// This function works on all types that implement the `Into<String>` trait.
/// # Examples
/// ```
/// use xssan::allocating::*;
/// let sanitized_string = sanitize_string("<p onclick=\"alert(0)\">hello there</p>");
/// ```
pub fn sanitize_string<T: Into<String>>(input: T) -> String {
    let a: String = input.into();
    a.replace('<', "&lt;").replace('>', "&rt;")
}
pub trait AllocatingSanitizer {
    /// This funcion will replace all occurencies of `<` and `>` with `&lt;` and `&rt;` so they
    /// will look when rendered by browser like regular versions of them self's but can not be used
    /// to execute JS
    /// # Examples
    /// ```
    /// //this string when appended to html will cause execution of malicious javascript
    /// let a = "<script>alert(0);</script>".to_string();
    /// // this one not
    /// use xssan::allocating::AllocatingSanitizer;
    /// let a = "<script>alert(0);</script>".to_string().sanitize();
    /// ```
    fn sanitize(&mut self);
}
impl AllocatingSanitizer for String {
    /// # Example
    /// ```
    /// use xssan::allocating::AllocatingSanitizer;
    /// let a = "<script>alert(0);</script>".to_string().sanitize();
    /// ```
    fn sanitize(&mut self) {
        *self = self.replace('<', "&lt;").replace('<', "&rt;");
    }
}

/// This function removes all html tags from the string.
/// As html tag is considered any substring starting with `<` and ending with `>`.
/// Everything in between these characters will be deleted.
/// # Examples
/// ```
/// use xssan::allocating::remove_html_tags;
/// // Removes the <b> tag from the input string.
/// let result = remove_html_tags("Hello <b>world!</b>");
/// assert_eq!(result, "Hello world!");
///
/// // Removes the <i> tag from the input string.
/// let result = remove_html_tags("This is an <i>bold text</i> example.");
/// assert_eq!(result, "This is an bold text example.");
/// ```
pub fn remove_html_tags<T: Into<String>>(input: T) -> String {
    // we will search for the first < and than remove everything between it and >
    let mut start: Option<usize> = None;
    let mut it: usize = 0;
    let mut input: String = input.into();
    while it < input.len() {
        match input[it..(it + 1)].as_ref() {
            "<" => {
                if start == None {
                    start = Some(it);
                }
            }
            ">" => {
                if let Some(loc) = start {
                    input.drain(loc..(it + 1));
                    it = loc;
                    start = None;
                    continue;
                }
            }
            _ => {}
        }
        it += 1;
    }
    input
}

#[cfg(test)]
mod tests_allocating {
    use super::*;

    #[test]
    fn sanitize_string_0() {
        let s = "<h1>hi!</h1>".to_string();
        assert_eq!("&lt;h1&rt;hi!&lt;/h1&rt;".to_string(), sanitize_string(s));
    }

    #[test]
    fn remove_html_tags_0() {
        let s = "<h1>hi!</h1>".to_string();
        assert_eq!("hi!".to_string(), remove_html_tags(s));
    }
    #[test]
    fn remove_html_tags_1() {
        let s = "<h1>>hi!</h1>".to_string();
        assert_eq!(">hi!".to_string(), remove_html_tags(s));
    }
    #[test]
    fn remove_html_tags_2() {
        let s = "<h1<>>hi!</h1>".to_string();
        assert_eq!(">hi!".to_string(), remove_html_tags(s));
    }
    #[test]
    fn remove_html_tags_3() {
        let s = "<h1<p>>hi!</h1>".to_string();
        assert_eq!(">hi!".to_string(), remove_html_tags(s));
    }
    #[test]
    fn remove_html_tags_4() {
        let s = "<h1 onclick=\"alert(0)\">hi!</h1>".to_string();
        assert_eq!("hi!".to_string(), remove_html_tags(s));
    }
    #[test]
    fn remove_html_tags_5() {
        let s = "<h1 onclick=\"alert(0)\"><p>hi!</p></h1>".to_string();
        assert_eq!("hi!".to_string(), remove_html_tags(s));
    }
    #[test]
    fn remove_html_tags_6() {
        let s = "<h1<<<<<<<>>>>>>>hi!</h1>".to_string();
        assert_eq!(">>>>>>hi!".to_string(), remove_html_tags(s));
    }
    #[test]
    fn remove_html_tags_7() {
        let s = "<<<<<<<hi!".to_string();
        assert_eq!("<<<<<<<hi!".to_string(), remove_html_tags(s));
    }
}