{"_id":"osxh","_rev":"7-7c969cbc847983ae32195c1a800968ba","name":"osxh","description":"Obviously Safe XHTML","dist-tags":{"latest":"0.1.2"},"versions":{"0.1.0":{"name":"osxh","main":"./osxh.js","version":"0.1.0","author":{"name":"Philipp Hagemeister","email":"phihag@phihag.de"},"description":"Obviously Safe XHTML","scripts":{"test":"mocha ."},"repository":{"type":"git","url":"git://github.com/nodejitsu/http-server.git"},"dependencies":{"xmldom":"*"},"devDependencies":{"mocha":"*","jsdom":"*","simplesets":"*","cover":"*"},"license":"MIT","_npmUser":{"name":"phihag","email":"phihag@phihag.de"},"_id":"osxh@0.1.0","optionalDependencies":{},"engines":{"node":"*"},"_engineSupported":true,"_npmVersion":"1.1.4","_nodeVersion":"v0.6.19","_defaultsLoaded":true,"dist":{"shasum":"0f8ae254345b7895de10054e7df81a4224655dee","tarball":"http://registry.npmjs.org/osxh/-/osxh-0.1.0.tgz"},"maintainers":[{"name":"phihag","email":"phihag@phihag.de"}]},"0.1.1":{"name":"osxh","main":"./osxh.js","version":"0.1.1","author":{"name":"Philipp Hagemeister","email":"phihag@phihag.de"},"description":"Obviously Safe XHTML","scripts":{"test":"mocha ."},"repository":{"type":"git","url":"https://github.com/nodejitsu/http-server.git"},"dependencies":{"xmldom":"*"},"devDependencies":{"mocha":"*","jsdom":"*","simplesets":"*","cover":"*"},"license":"MIT","readme":"Obviously Safe XHTML\n====================\n\nOSXH is an XHTML dialect that's obviously safe to include in a website. It is intended to represent a user-formatted document, similar to [markdown](http://daringfireball.net/projects/markdown/). However, unlike markdown, OSXH is easy to extend with custom attributes (for example `data-example`).\n\nIn contrast to [Caja](https://github.com/theSmaw/Caja-HTML-Sanitizer) or [IE's toStaticHTML](http://msdn.microsoft.com/en-us/library/ie/cc848922.aspx), OSXH comes with an explicit specification of which code is valid. This means that the result is *reproducible*. 
Additionally, the result can always be rendered without downloading anything (this prevents [web bugs](http://en.wikipedia.org/wiki/Web_bug)).\n\nThe [numerous ways to defeat blacklists](http://ha.ckers.org/xss.html) do not apply since OSXH uses a white-list approach. OSXH and its implementations shouldn't only be safe, it should be obvious that they are.\n\nUsage (JavaScript)\n==================\n\nTo get an osxh object, simply call osxh with the desired configuration:\n\n    var osxhi = osxh({allowCSS: true});\n\nAlso, get a container element you want to render into:\n\n    var container = document.getElementById(\"container\");\n\nYou may want to style the container element in order to prevent user-supplied code from escaping it, like this:\n\n    #container {\n    \tposition: absolute;\n    \twidth: 80%;\n    \theight: 100px;\n    \toverflow: auto;\n    }\n\nThen, render the unsafe `osxh_code` like this:\n\n    var osxh_code = \"<osxh><a href=\\\"javascript:alert('XSS');\\\">click here</a></osxh>\";\n    osxhi.renderInto(osxh_code, container);\n\nIf you want to generate osxh code yourself, call `serialize`:\n\n    var osxh_code = osxhi.serialize(container.childNodes);\n\nSpecification\n=============\n\nOSXH is an application of [XML](http://www.w3.org/TR/REC-xml/), with the following restrictions:\n\n* The root element must have the tag name `osxh`.\n* By default, all other elements must be one of `a`, `b`, `br`, `code`, `div`, `em`, `h1`, `h2`, `h3`, `h4`, `h5`, `h6`, `i`, `img`, `li`, `ol`, `p`, `span`, `strong`, `table`, `tbody`, `td`, `tfoot`, `th`, `thead`, `tr`, `u`, `ul`.\n* Attributes must be one of:\n    + `href` (only on `a`) may contain URLs starting with `http://`, `https://`, or `mailto:`.\n    + `src` (only on `img`) must start with either `data:image/gif;`, `data:image/jpeg;`, or `data:image/png;`.\n    + `alt` is allowed on `img`.\n    + `colspan` and `rowspan` are allowed on table cells, with integer values only.\n    + `title` is allowed everywhere.\n   
 + `class` attributes that contain a space-separated list of classes starting with `osxh_` are allowed. In particular, the following classes are suggested:\n        - `osxh_pre` for preformatted blocks of code (typical CSS: `white-space:pre`)\n        - `osxh_invisible` for temporarily invisible text, for example in a slide of a presentation (typical CSS: `visibility: hidden;`)\n    + `style` (only if the configuration includes `\"useCSS\": true`) may contain certain css declarations (see below)\n\n* XML nodes that are not elements, attributes or text nodes are ignored.\n\nStyles\n------\n\nIf `useCSS` is set in the configuration, osxh allows some CSS declarations. You should make sure to render only into a properly sandboxed container element, with `position` set to one of `absolute`, `relative`, or `fixed`, a fixed width/height, and `overflow` set to `auto`, `hidden` or `scroll`.\n\nIn any case, OSXH allows the following CSS properties:\n\n* `position` can be one of `absolute`, `relative`, `static`.\n* `left`, `right`, `top`, `bottom`, `width`, `height` can be any `auto`, a percent value (like `20%`), or another [length](http://www.w3.org/TR/css3-values/#lengths) (minus lengths relative to the original viewport).\n","readmeFilename":"README.md","_id":"osxh@0.1.1","dist":{"shasum":"9acffd6d3a6ca16de8ce54bef4bc153b2c55fcf0","tarball":"http://registry.npmjs.org/osxh/-/osxh-0.1.1.tgz"},"_npmVersion":"1.1.70","_npmUser":{"name":"phihag","email":"phihag@phihag.de"},"maintainers":[{"name":"phihag","email":"phihag@phihag.de"}]},"0.1.2":{"name":"osxh","main":"./osxh.js","version":"0.1.2","author":{"name":"Philipp Hagemeister","email":"phihag@phihag.de"},"description":"Obviously Safe XHTML","scripts":{"test":"mocha ."},"repository":{"type":"git","url":"https://github.com/nodejitsu/http-server.git"},"dependencies":{"xmldom":"*"},"devDependencies":{"mocha":"*","jsdom":"*","simplesets":"*","cover":"*"},"license":"MIT","readme":"Obviously Safe 
XHTML\n====================\n\nOSXH is an XHTML dialect that's obviously safe to include in a website. It is intended to represent a user-formatted document, similar to [markdown](http://daringfireball.net/projects/markdown/). However, unlike markdown, OSXH is easy to extend with custom attributes (for example `data-example`).\n\nIn contrast to [Caja](https://github.com/theSmaw/Caja-HTML-Sanitizer) or [IE's toStaticHTML](http://msdn.microsoft.com/en-us/library/ie/cc848922.aspx), OSXH comes with an explicit specification of which code is valid. This means that the result is *reproducible*. Additionally, the result can always be rendered without downloading anything (this prevents [web bugs](http://en.wikipedia.org/wiki/Web_bug)).\n\nThe [numerous ways to defeat blacklists](http://ha.ckers.org/xss.html) do not apply since OSXH uses a white-list approach. OSXH and its implementations shouldn't only be safe, it should be obvious that they are.\n\nUsage (JavaScript)\n==================\n\nTo get an osxh object, simply call osxh with the desired configuration:\n\n    var osxhi = osxh({allowCSS: true});\n\nAlso, get a container element you want to render into:\n\n    var container = document.getElementById(\"container\");\n\nYou may want to style the container element in order to prevent user-supplied code from escaping it, like this:\n\n    #container {\n    \tposition: absolute;\n    \twidth: 80%;\n    \theight: 100px;\n    \toverflow: auto;\n    }\n\nThen, render the unsafe `osxh_code` like this:\n\n    var osxh_code = \"<osxh><a href=\\\"javascript:alert('XSS');\\\">click here</a></osxh>\";\n    osxhi.renderInto(osxh_code, container);\n\nIf you want to generate osxh code yourself, call `serialize`:\n\n    var osxh_code = osxhi.serialize(container.childNodes);\n\nSpecification\n=============\n\nOSXH is an application of [XML](http://www.w3.org/TR/REC-xml/), with the following restrictions:\n\n* The root element must have the tag name `osxh`.\n* By default, all other elements 
must be one of `a`, `b`, `br`, `code`, `div`, `em`, `figcaption`, `figure`, `h1`, `h2`, `h3`, `h4`, `h5`, `h6`, `i`, `img`, `li`, `ol`, `p`, `span`, `strong`, `table`, `tbody`, `td`, `tfoot`, `th`, `thead`, `tr`, `u`, `ul`.\n* Attributes must be one of:\n    + `href` (only on `a`) may contain URLs starting with `http://`, `https://`, or `mailto:`.\n    + `src` (only on `img`) must start with either `data:image/gif;`, `data:image/jpeg;`, or `data:image/png;`.\n    + `alt` is allowed on `img`.\n    + `colspan` and `rowspan` are allowed on table cells, with integer values only.\n    + `title` is allowed everywhere.\n    + `class` attributes that contain a space-separated list of classes starting with `osxh_` are allowed. In particular, the following classes are suggested:\n        - `osxh_pre` for preformatted blocks of code (typical CSS: `white-space:pre`)\n        - `osxh_invisible` for temporarily invisible text, for example in a slide of a presentation (typical CSS: `visibility: hidden;`)\n    + `style` (only if the configuration includes `\"useCSS\": true`) may contain certain css declarations (see below)\n\n* XML nodes that are not elements, attributes or text nodes are ignored.\n\nStyles\n------\n\nIf `useCSS` is set in the configuration, osxh allows some CSS declarations. 
You should make sure to render only into a properly sandboxed container element, with `position` set to one of `absolute`, `relative`, or `fixed`, a fixed width/height, and `overflow` set to `auto`, `hidden` or `scroll`.\n\nIn any case, OSXH allows the following CSS properties:\n\n* `position` can be one of `absolute`, `relative`, `static`.\n* `left`, `right`, `top`, `bottom`, `width`, `height` can be any `auto`, a percent value (like `20%`), or another [length](http://www.w3.org/TR/css3-values/#lengths) (minus lengths relative to the original viewport).\n","readmeFilename":"README.md","_id":"osxh@0.1.2","dist":{"shasum":"89cf8d6129b94db92da7e18696d957e8bcbb8563","tarball":"http://registry.npmjs.org/osxh/-/osxh-0.1.2.tgz"},"_npmVersion":"1.1.70","_npmUser":{"name":"phihag","email":"phihag@phihag.de"},"maintainers":[{"name":"phihag","email":"phihag@phihag.de"}]}},"readme":"Obviously Safe XHTML\n====================\n\nOSXH is an XHTML dialect that's obviously safe to include in a website. It is intended to represent a user-formatted document, similar to [markdown](http://daringfireball.net/projects/markdown/). However, unlike markdown, OSXH is easy to extend with custom attributes (for example `data-example`).\n\nIn contrast to [Caja](https://github.com/theSmaw/Caja-HTML-Sanitizer) or [IE's toStaticHTML](http://msdn.microsoft.com/en-us/library/ie/cc848922.aspx), OSXH comes with an explicit specification of which code is valid. This means that the result is *reproducible*. Additionally, the result can always be rendered without downloading anything (this prevents [web bugs](http://en.wikipedia.org/wiki/Web_bug)).\n\nThe [numerous ways to defeat blacklists](http://ha.ckers.org/xss.html) do not apply since OSXH uses a white-list approach. 
OSXH and its implementations shouldn't only be safe, it should be obvious that they are.\n\nUsage (JavaScript)\n==================\n\nTo get an osxh object, simply call osxh with the desired configuration:\n\n    var osxhi = osxh({allowCSS: true});\n\nAlso, get a container element you want to render into:\n\n    var container = document.getElementById(\"container\");\n\nYou may want to style the container element in order to prevent user-supplied code from escaping it, like this:\n\n    #container {\n    \tposition: absolute;\n    \twidth: 80%;\n    \theight: 100px;\n    \toverflow: auto;\n    }\n\nThen, render the unsafe `osxh_code` like this:\n\n    var osxh_code = \"<osxh><a href=\\\"javascript:alert('XSS');\\\">click here</a></osxh>\";\n    osxhi.renderInto(osxh_code, container);\n\nIf you want to generate osxh code yourself, call `serialize`:\n\n    var osxh_code = osxhi.serialize(container.childNodes);\n\nSpecification\n=============\n\nOSXH is an application of [XML](http://www.w3.org/TR/REC-xml/), with the following restrictions:\n\n* The root element must have the tag name `osxh`.\n* By default, all other elements must be one of `a`, `b`, `br`, `code`, `div`, `em`, `h1`, `h2`, `h3`, `h4`, `h5`, `h6`, `i`, `img`, `li`, `ol`, `p`, `span`, `strong`, `table`, `tbody`, `td`, `tfoot`, `th`, `thead`, `tr`, `u`, `ul`.\n* Attributes must be one of:\n    + `href` (only on `a`) may contain URLs starting with `http://`, `https://`, or `mailto:`.\n    + `src` (only on `img`) must start with either `data:image/gif;`, `data:image/jpeg;`, or `data:image/png;`.\n    + `alt` is allowed on `img`.\n    + `colspan` and `rowspan` are allowed on table cells, with integer values only.\n    + `title` is allowed everywhere.\n    + `class` attributes that contain a space-separated list of classes starting with `osxh_` are allowed. 
In particular, the following classes are suggested:\n        - `osxh_pre` for preformatted blocks of code (typical CSS: `white-space:pre`)\n        - `osxh_invisible` for temporarily invisible text, for example in a slide of a presentation (typical CSS: `visibility: hidden;`)\n    + `style` (only if the configuration includes `\"useCSS\": true`) may contain certain css declarations (see below)\n\n* XML nodes that are not elements, attributes or text nodes are ignored.\n\nStyles\n------\n\nIf `useCSS` is set in the configuration, osxh allows some CSS declarations. You should make sure to render only into a properly sandboxed container element, with `position` set to one of `absolute`, `relative`, or `fixed`, a fixed width/height, and `overflow` set to `auto`, `hidden` or `scroll`.\n\nIn any case, OSXH allows the following CSS properties:\n\n* `position` can be one of `absolute`, `relative`, `static`.\n* `left`, `right`, `top`, `bottom`, `width`, `height` can be any `auto`, a percent value (like `20%`), or another [length](http://www.w3.org/TR/css3-values/#lengths) (minus lengths relative to the original viewport).\n","maintainers":[{"name":"phihag","email":"phihag@phihag.de"}],"time":{"modified":"2013-01-21T02:37:09.022Z","created":"2013-01-08T15:20:23.059Z","0.1.0":"2013-01-08T15:20:24.994Z","0.1.1":"2013-01-21T00:26:52.602Z","0.1.2":"2013-01-21T02:37:09.022Z"},"author":{"name":"Philipp Hagemeister","email":"phihag@phihag.de"},"repository":{"type":"git","url":"https://github.com/nodejitsu/http-server.git"}}