TryCF Gist
<cfscript>
// Static reference to java.util.regex.Pattern; the compiled patterns below are the
// value filters for attributes that must never carry free-form text.
regexPattern = createObject("java", "java.util.regex.Pattern");
dimensionPattern = regexPattern.compile("[0-9%]+");     // border/height/width on <img>
langPattern = regexPattern.compile("[a-zA-Z]{2,20}");   // lang attribute, anywhere

// HtmlPolicyBuilder is a mutable builder whose calls return the builder itself, so the
// allow-list is assembled one statement at a time rather than as a single long chain.
policyBuilder = createObject("java", "org.owasp.html.HtmlPolicyBuilder").init();

// BLOCKS and FORMATTING
policyBuilder.allowCommonBlockElements();
policyBuilder.allowCommonInlineFormattingElements();

// LINKS: standard URL protocols only, href/target on <a>, rel="nofollow" forced onto links.
// NOTE(review): target="_blank" is accepted here; whether the sanitizer also emits
// rel="noopener noreferrer" on such links depends on the sanitizer version in use --
// confirm it in the rendered output before relying on it (reverse tabnabbing).
policyBuilder.allowStandardUrlProtocols();
policyBuilder.allowElements(["a"]);
policyBuilder.allowAttributes(["href", "target"]).onElements(["a"]);
policyBuilder.requireRelNofollowOnLinks();

// STYLES: the style attribute, filtered by the sanitizer's own CSS handling
policyBuilder.allowStyling();

// IMAGES: src is a URL attribute and therefore subject to the protocol allow-list above;
// numeric/percent-only dimensions keep those attributes from carrying anything else.
policyBuilder.allowElements(["img"]);
policyBuilder.allowAttributes(["alt", "src"]).onElements(["img"]);
policyBuilder.allowAttributes(["border", "height", "width"]).matching(dimensionPattern).onElements(["img"]);

// TABLES
tableElements = ["table", "tr", "td", "th", "colgroup", "caption", "col", "thead", "tbody", "tfoot"];
policyBuilder.allowElements(tableElements);
policyBuilder.allowAttributes(["summary"]).onElements(["table"]);
// matching(true, ...) = case-insensitive membership in the listed values
policyBuilder.allowAttributes(["align"]).matching(true, ["center", "left", "right", "justify"]).globally();
policyBuilder.allowAttributes(["valign"]).matching(true, ["top", "middle", "bottom", "baseline"]).onElements(["table", "tr", "td", "th", "colgroup", "col", "thead", "tbody", "tfoot"]);
policyBuilder.allowTextIn(["table"]);

// OTHER: class/title on any element; lang only when it looks like a language code
policyBuilder.allowAttributes(["class", "title"]).globally();
policyBuilder.allowAttributes(["lang"]).matching(langPattern).globally();

// Freeze the allow-list into an immutable policy factory.
owaspPolicy = policyBuilder.toFactory();

// Sample untrusted markup: the <a target> survives, <blink> and <script> are dropped,
// and the inline style is kept because allowStyling() is on.
UserInput = '<p>Here is a <a href="https://www.bennadel.com" target="_blank">link with target</a>,'
	& ' <blink>blink</blink> and <script>alert(`XSS`)</script>script tags that should be stripped,'
	& ' and some <span style="color: red;"><b>bold red</b></span> text.'
	& ' (Inspect the HTML source to verify.)</p>';

sanitizedOutput = UserInput.SanitizeHTML(owaspPolicy);
echo(sanitizedOutput);
</cfscript>