plexus/sanitize.clj

## sanitize.clj
(ns lambdaisland.html.sanitize)

(defn sanitizer [allowed]
  (fn sanitize [h]
    (let [tag-ok? (set (keys allowed))]
      (cond
        (string? h) h
        (vector? h) (let [[tag & xs] h
                          [attrs & cs] xs]
                      (if (tag-ok? tag)
                        (if (seq xs)
                          `[~tag
                            ~(if (map? attrs)
                               (select-keys attrs (get allowed tag))
                               (sanitize attrs))
                            ~@(keep sanitize cs)]
                          [tag])))
        (seq? h) (keep sanitize h)))))

(def sanitize (sanitizer {:p []
                          :span []
                          :div []
                          :pre []
                          :code [:class]
                          :a [:href]
                          :li []
                          :ul []
                          :ol []
                          :del []
                          :em []
                          :strong []
                          :br []
                          :b []
                          :i []}))

## sanitize_test.clj
(ns lambdaisland.html.sanitize-test
  (:require [lambdaisland.html.sanitize :as sut]
            [clojure.test :as t :refer [deftest is are]]))

(deftest test-sanitize-hiccup

  (are [x] (= (sut/sanitize x) x)
    [:p "foo"]
    [:a {:href "bar"}]
    [:a {:href "bar"} "foo"]
    [:div
     [:a {:href "bar"} "foo"]
     [:a {:href "bar"} "baz"]]
    '([:div
       [:a {:href "bar"} "foo"]
       [:a {:href "bar"} "baz"]]))


  (are [x y] (= (sut/sanitize x) y)
    [:script "foo"]
    nil

    [:a {:href "bar" :on-click "evil"}]
    [:a {:href "bar"}]

    '([:div
       [:a {:href "bar"} "foo"]
       [:script {:type "application/javascript"} "evil!"]
       [:a {:href "bar" :on-click "not-allowed"} "baz"]])
    '([:div
       [:a {:href "bar"} "foo"]
       [:a {:href "bar"} "baz"]])))
	(ns lambdaisland.html.sanitize)

	(defn sanitizer [allowed]
	(fn sanitize [h]
	(let [tag-ok? (set (keys allowed))]
	(cond
	(string? h) h
	(vector? h) (let [[tag & xs] h
	[attrs & cs] xs]
	(if (tag-ok? tag)
	(if (seq xs)
	`[~tag
	~(if (map? attrs)
	(select-keys attrs (get allowed tag))
	(sanitize attrs))
	~@(keep sanitize cs)]
	[tag])))
	(seq? h) (keep sanitize h)))))

	(def sanitize (sanitizer {:p []
	:span []
	:div []
	:pre []
	:code [:class]
	:a [:href]
	:li []
	:ul []
	:ol []
	:del []
	:em []
	:strong []
	:br []
	:b []
	:i []}))
	(ns lambdaisland.html.sanitize-test
	(:require [lambdaisland.html.sanitize :as sut]
	[clojure.test :as t :refer [deftest is are]]))

	(deftest test-sanitize-hiccup

	(are [x] (= (sut/sanitize x) x)
	[:p "foo"]
	[:a {:href "bar"}]
	[:a {:href "bar"} "foo"]
	[:div
	[:a {:href "bar"} "foo"]
	[:a {:href "bar"} "baz"]]
	'([:div
	[:a {:href "bar"} "foo"]
	[:a {:href "bar"} "baz"]]))


	(are [x y] (= (sut/sanitize x) y)
	[:script "foo"]
	nil

	[:a {:href "bar" :on-click "evil"}]
	[:a {:href "bar"}]

	'([:div
	[:a {:href "bar"} "foo"]
	[:script {:type "application/javascript"} "evil!"]
	[:a {:href "bar" :on-click "not-allowed"} "baz"]])
	'([:div
	[:a {:href "bar"} "foo"]
	[:a {:href "bar"} "baz"]])))