NeatHtml™ is a highly-portable open source website component that displays untrusted content securely, efficiently, and accessibly. Untrusted content is any content that is not trusted by the website owner. Typical examples include blog comments, forum posts, or user pages on social networking sites. NeatHtml uses an “accept only known good” (whitelist) approach to security to help prevent attacks which are not yet known. It focuses on preventing Cross-Site Scripting (XSS) attacks but can also prevent phishing attacks and remove automated Cross-Site Request Forgery (CSRF) attacks. In this context, phishing attacks are attacks which try to display untrusted content where the user would trust it, and automated CSRF attacks are CSRF attacks that do not require any user action beyond viewing the untrusted content.
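As an added illustration of the "accept only known good" approach described above (example code written for this page, not NeatHtml.js or its server-side component), the filter below keeps only a fixed set of tags, attributes and URL shapes and drops or escapes everything else, so a trick that relies on an unlisted tag, attribute or scheme is blocked without having to be known in advance. The whitelist contents and the simple tokenizer are assumptions of this example; a production filter works on a real DOM rather than regular expressions.

```javascript
// Whitelist HTML filter (illustration, not NeatHtml's code): anything not listed
// here is removed, so unknown attack vectors fail by default.
const ALLOWED = {            // tag name -> attributes allowed on that tag
  b: [], i: [], em: [], strong: [], p: [], br: [], ul: [], ol: [], li: [],
  a: ['href', 'title'],
};
const VOID = new Set(['br']);
// Known-good URL shapes only: http(s), mailto or relative, then URL-safe characters.
const SAFE_URL = /^(https?:\/\/|mailto:|\/|#)[A-Za-z0-9\-._~:/?#@!$&'()*+,;=%]*$/i;
const TAG = /^<(\/?)([a-z][a-z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/i;
const ATTR = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function sanitize(html) {
  let out = '', open = [];                   // open: stack of emitted, not yet closed tags
  for (let i = 0; i < html.length; ) {
    if (html[i] !== '<') {                   // plain text: always escaped
      const j = html.indexOf('<', i); const end = j < 0 ? html.length : j;
      out += escapeHtml(html.slice(i, end)); i = end; continue;
    }
    const m = TAG.exec(html.slice(i));
    if (!m) { out += '&lt;'; i++; continue; }  // stray '<' or comment: shown as text
    i += m[0].length;
    const closing = m[1] === '/', name = m[2].toLowerCase();
    if (!(name in ALLOWED)) {                // tag not whitelisted: drop it ...
      if (!closing && (name === 'script' || name === 'style')) {
        const endTag = html.toLowerCase().indexOf('</' + name, i);
        i = endTag < 0 ? html.length : endTag;   // ... and its body for script/style
      }
      continue;
    }
    if (closing) {                           // close back to the matching open tag
      if (open.includes(name)) { while (open.length) { const t = open.pop(); out += '</' + t + '>'; if (t === name) break; } }
      continue;
    }
    let attrs = '';
    for (const a of m[3].matchAll(ATTR)) {
      const key = a[1].toLowerCase(), val = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED[name].includes(key)) continue;          // attribute not whitelisted
      if (key === 'href' && !SAFE_URL.test(val)) continue; // URL shape not whitelisted
      attrs += ' ' + key + '="' + escapeHtml(val) + '"';
    }
    out += '<' + name + attrs + '>';
    if (!VOID.has(name)) open.push(name);
  }
  while (open.length) out += '</' + open.pop() + '>';      // close anything left open
  return out;
}
```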
NeatHtml consists of the NeatHtml.js JavaScript library and a small server-side component. NeatHtml.js should work with any browser that supports both JavaScript 1.3 and a few DOM APIs. It has been tested against Internet Explorer 6 through 8, Firefox 1.5 through 3.0, Opera 9, Netscape 7 through 9, Safari 1.2 through 3.2, Konqueror 3.4 through 3.5, Camino 1.5, and Internet Explorer Mobile 6. The server-side component is approximately 400 lines of ASP.NET code. It runs under Mono, .NET 1.1, and .NET 2.0, but should be easy to port to other web development platforms (e.g. Java or PHP). To facilitate porting and testing, NeatHtml includes a JavaScript test framework and a demo page which uses the test framework and demonstrates the capabilities of NeatHtml. NeatHtml is licensed under the Lesser General Public License (LGPL), a business-friendly open source license.
NeatHtml is currently available for download as a mature development snapshot. It primarily needs independent testing and minor security fixes before an official release. Bug reports, feature requests, questions, comments, and other contributions are welcome.
Features
- Uses a whitelist approach to help prevent attacks that take advantage of currently unknown security holes.
- XSS prevention is done using client-side script to reduce the load on the server.
- Allows many common HTML constructs, including most inline styles.
- Integrates easily with existing applications.
- Works under Mono, .NET 1.1, and .NET 2.0, and can be easily ported to other development platforms.
- Licensed under the Lesser General Public License (LGPL), a business-friendly open source license. See below for details.
Demo
Check out the live demo!
Download
NeatHtml-trunk.221.zip is the most recent development snapshot. It includes both source and precompiled binaries.
The latest code is always available from the git repository. You can browse it with your web browser or use a git client with a command like this:
git clone git://github.com/brettle/NeatHtml.git
Documentation
Please read the NeatHtml Manual for step-by-step installation and usage instructions.
A whitepaper is available for those interested in the techniques used by NeatHtml.
Support
If you are having problems getting NeatHtml to work, please post to the Support forum. If you are confident you've found a bug, please post it to the Bugs forum. If you have a feature request, please post it to the Features forum. If you are interested in paying for specific improvements to NeatHtml or paying to have it adapted to your needs, please contact me. Alternatively, if you would like to support my work on NeatHtml and other open source software more generally, consider sending me money. I also greatly appreciate non-monetary contributions such as patches or comments about your experiences using NeatHtml.
Credits
NeatHtml would not have been possible without the support I received from many people. A special thanks to:
License
NeatHtml is Copyright (C) 2006 Dean Brettle and is licensed under the Lesser General Public License (LGPL). That means that it is possible to link it into applications that are released under most other licenses, including proprietary licenses. What follows is my interpretation of the LGPL as it applies to NeatHtml. I am not a lawyer, and if anything below contradicts the LGPL, the LGPL takes precedence. There are 3 types of use: use on your own web site, distributing an application which includes an unmodified NeatHtml dll, and distributing exes and dlls which include code derived from NeatHtml. If you are just using NeatHtml for your own personal or commercial site, but you aren't distributing it, you don't need to do anything. Of course an acknowledgment or link back to the NeatHtml home page is always appreciated. If you are distributing an app that includes the NeatHtml assembly built from unmodified source code and the app does not otherwise include code derived from NeatHtml, the easiest way to comply with the LGPL is to:
- Include a copy of the NeatHtml release zip file you are using. The zip file includes the source code for NeatHtml.
- Give prominent notice with each copy of the app (a) that NeatHtml is used in it, and (b) where to find the release zip file you included. For example, you could include the following just before your own license text:
This application uses NeatHtml which is covered by the Lesser General Public License. The source code for NeatHtml is included in the following location: ...
If you are distributing an app that includes an exe or dll containing code derived from NeatHtml, the easiest way to comply with the LGPL is to:
- Avoid introducing dependencies on proprietary code. For example, do not modify NeatHtml such that it references an assembly in your proprietary app.
- Add a prominent notice to the files you modify stating that you changed the files and the date of the change.
- Include the complete source code for the dll or exe, licensed under the terms of the LGPL. NOTE: Although I certainly appreciate being notified of any modifications, from a license compliance perspective, you are responsible for providing the modified source to your customer.
- Give prominent notice with each copy of the app (a) that a derivative of NeatHtml is used in it, and (b) where to find the included source code. For example, you could include the following just before your own license text:
This application uses assemblies that include code from NeatHtml which is covered by the Lesser General Public License. The source code for those assemblies is included in the following location: ...
If you have any licensing questions, just post them to the Support forum. If you are unable to use NeatHtml because of its license, please let me know. We might be able to work something out.