Project Description

NeatHtml™ is a highly-portable open source website component that displays untrusted content securely, efficiently, and accessibly. Untrusted content is any content that is not trusted by the website owner (e.g. blog comments, forum posts, or user pages on social networks).

NeatHtml uses an “accept only known good” (whitelist) approach to security to help prevent attacks which are not yet known. It focuses on preventing Cross-Site Scripting (XSS) attacks but can also prevent phishing attacks and remove automated Cross-Site Request Forgery (CSRF) attacks. In this context, phishing attacks are attacks which try to display untrusted content where the user would trust it, and automated CSRF attacks are CSRF attacks that do not require any user action beyond viewing the untrusted content.

NeatHtml consists of the NeatHtml.js JavaScript library and a small server-side component. NeatHtml.js should work with any browser that supports both JavaScript 1.3 and a few DOM APIs. It has been tested against Internet Explorer 6 through 8, Firefox 1.5 through 3.0, Opera 9, Netscape 7 through 9, Safari 1.2 through 3.2, Konqueror 3.4 through 3.5, Camino 1.5, and Internet Explorer Mobile 6. The server-side component is approximately 400 lines of ASP.NET code. It runs under Mono, .NET 1.1, and .NET 2.0, but should be easy to port to other web development platforms (e.g. Java or PHP). To facilitate porting and testing, NeatHtml includes a JavaScript test framework and a demo page which uses the test framework and demonstrates the capabilities of NeatHtml. NeatHtml is licensed under the Lesser General Public License (LGPL), a business-friendly open source license.
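To make the "accept only known good" approach described above concrete, here is a small allow-list HTML sanitizer written as an added example for this page. It is not NeatHtml.js (which works on the browser's DOM rather than on a string), and the allowed tags, attributes, URL schemes and style properties are an assumed, deliberately small policy chosen for illustration. Everything that is not explicitly on the allow list is dropped or escaped, so a tag or attribute the policy has never heard of is never passed through.

```javascript
// Added example of an allow-list HTML sanitizer; not NeatHtml.js itself.
// The policy below (tags, attributes, URL schemes, style properties) is assumed.

// A Map rather than a plain object, so inherited names such as "constructor"
// or "__proto__" can never satisfy the lookup.
const ALLOWED_TAGS = new Map([
  ['p', []], ['br', []], ['b', []], ['i', []], ['em', []], ['strong', []],
  ['ul', []], ['ol', []], ['li', []], ['blockquote', []], ['code', []], ['pre', []],
  ['a', ['href', 'title']],
  ['span', ['style']],
]);
// Elements whose whole content is discarded, not just the tag itself.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const VOID_TAGS = new Set(['br']);
// Only absolute http(s)/mailto URLs or site-relative paths; no scheme-relative "//".
const ALLOWED_URL = /^(https?:\/\/|mailto:|\/(?!\/))/i;
const ALLOWED_STYLE_PROPS = new Set(['color', 'background-color', 'font-weight',
  'font-style', 'text-decoration', 'text-align']);
// Plain values only: no parentheses, so url(...) and expression(...) cannot appear.
const STYLE_VALUE = /^[a-z0-9#%., -]+$/i;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function safeHref(value) {
  // Browsers ignore control characters and whitespace inside a scheme
  // ("java\tscript:"), so strip them before checking the scheme.
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  return ALLOWED_URL.test(cleaned) ? cleaned : null;
}

function safeStyle(value) {
  const kept = [];
  for (const decl of value.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const val = decl.slice(idx + 1).trim();
    if (ALLOWED_STYLE_PROPS.has(prop) && STYLE_VALUE.test(val)) kept.push(prop + ': ' + val);
  }
  return kept.length ? kept.join('; ') : null;
}

function parseAttributes(raw) {
  const attrs = [];
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  }
  return attrs;
}

function sanitizeHtml(input) {
  const out = [];
  const open = [];      // allowed elements currently open, so output stays balanced
  let dropDepth = 0;    // > 0 while inside a DROP_CONTENT element
  // Tokens: comment | tag (quote-aware attribute region) | text | lone "<"
  const tokenRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>|[^<]+|</g;
  let m;
  while ((m = tokenRe.exec(input)) !== null) {
    const tok = m[0];
    if (tok.startsWith('<!--')) continue;                   // comments never survive
    if (m[1] === undefined) {                               // text, or a "<" that starts no tag
      if (dropDepth === 0) out.push(escapeText(tok));
      continue;
    }
    const name = m[1].toLowerCase();
    const isClose = tok[1] === '/';
    if (DROP_CONTENT.has(name)) {
      dropDepth = Math.max(0, dropDepth + (isClose ? -1 : 1));
      continue;
    }
    if (dropDepth > 0 || !ALLOWED_TAGS.has(name)) continue; // unknown tag: drop tag, keep its text
    if (isClose) {
      const i = open.lastIndexOf(name);                     // close only what was really opened
      while (i >= 0 && open.length > i) out.push('</' + open.pop() + '>');
      continue;
    }
    let attrText = '';
    for (const [attr, value] of parseAttributes(m[2])) {
      if (!ALLOWED_TAGS.get(name).includes(attr)) continue;
      const safe = attr === 'href' ? safeHref(value) : attr === 'style' ? safeStyle(value) : value;
      if (safe !== null) attrText += ' ' + attr + '="' + escapeText(safe) + '"';
    }
    out.push('<' + name + attrText + '>');
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push('</' + open.pop() + '>');    // close anything left open
  return out.join('');
}
```

Two design points worth noticing: the tokenizer errs toward escaping, so an unbalanced quote inside a tag turns the whole fragment into harmless text rather than a partially parsed element, and the output is re-serialized from scratch (always quoted, always balanced) instead of being copied through with "bad parts" cut out, which is what distinguishes an allow-list sanitizer from a blacklist filter.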

Features

  • Uses a whitelist approach to help prevent attacks that take advantage of currently unknown security holes.
  • XSS prevention is done using client-side script to reduce the load on the server.
  • Allows many common HTML constructs, including most inline styles.
  • Integrates easily with existing applications.
  • Works under Mono and .NET 1.1 or higher, and can be easily ported to other development platforms.
  • Licensed under the Lesser General Public License (LGPL), a business-friendly open source license. See below for details.

Credits

NeatHtml would not have been possible without the support I received from many people. A special thanks to:
  • Dean Brettle for doing all of the development, documentation, and support from the project's inception until mid-2010; and Dean's wife, Jennifer, and kids, Julia and Joshua, for letting him have a lot of "peace and quiet" to work on NeatHtml.
  • Joe Audette for being the first to use NeatHtml by including it in his awesome mojoPortal. He also volunteered to become project coordinator when Dean moved on.
  • Stefano Di Paola for his work on Preventing XSS with Data Binding, which inspired me to use client-side script for XSS prevention.
  • RSnake for his XSS Cheat Sheet which helped me understand what NeatHtml was up against.
  • the developers of Mono for providing an open source .NET-compatible platform on which to develop NeatHtml.

How to Contribute

There is room for talented developer(s) to contribute to the maintenance of this project over time. Given that NeatHtml is a very mature component, there may not be a need for many new features. Of course I am open to suggestions for new features or improvements. My main goal will be to make sure the code in NeatHtml stays at the high quality level set by Dean Brettle, the original author.

The wonderful thing about our Mercurial source code repository is that it makes it easy for anyone to contribute. From our Source Code Page you can create a fork and make changes that you think are needed to fix a bug or add a feature. I will be able to review the changes in your fork and if they seem correct and appropriate, I can pull your changes into the repository. If you contribute high quality improvements over time and express an interest in helping me manage the repository and contributions of others, I am open to that once confidence and trust has been established.

If you want to suggest or implement new features, please post a proposal in the Discussions page, ideally before you begin working on it.

If you want to report a bug, please use the Issue Tracker and describe it in terms of the steps to reproduce the problem, the expected results, and the actual results.

License

NeatHtml is Copyright (C) 2006 Dean Brettle and is licensed under the Lesser General Public License (LGPL). That means that it is possible to link it into applications that are released under most other licenses, including proprietary licenses. What follows is a layman's interpretation of the LGPL as it applies to NeatHtml. If anything below contradicts the LGPL, the LGPL takes precedence.

There are three types of use: use on your own web site, distributing an application which includes an unmodified NeatHtml dll, and distributing exes and dlls which include code derived from NeatHtml.

If you are just using NeatHtml for your own personal or commercial site, but you aren't distributing it, you don't need to do anything. Of course an acknowledgement or link back to the NeatHtml home page is always appreciated.

If you are distributing an app that includes the NeatHtml assembly built from unmodified source code and the app does not otherwise include code derived from NeatHtml, the easiest way to comply with the LGPL is to:
  1. Include a copy of the NeatHtml release zip file you are using. The zip file includes the source code for NeatHtml.
  2. Give prominent notice with each copy of the app (a) that NeatHtml is used in it, and (b) where to find the release zip file you included. For example, you could include the following just before your own license text:
      This application uses NeatHtml which is covered by the Lesser General Public License.
      The source code for NeatHtml is included in the following location: ...

If you are distributing an app that includes an exe or dll containing code derived from NeatHtml, the easiest way to comply with the LGPL is to:
  1. Avoid introducing dependencies on proprietary code. For example, do not modify NeatHtml such that it references an assembly in your proprietary app.
  2. Add a prominent notice to the files you modify stating that you changed the files and the date of the change.
  3. Include the complete source code for the dll or exe, licensed under the terms of the LGPL. NOTE: Although I certainly appreciate being notified of any modifications, from a license compliance perspective, you are responsible for providing the modified source to your customer.
  4. Give prominent notice with each copy of the app (a) that a derivative of NeatHtml is used in it, and (b) where to find the included source code. For example, you could include the following just before your own license text:
      This application uses assemblies that include code from NeatHtml which is covered by the Lesser General Public License.
      The source code for those assemblies is included in the following location: ...

Last edited May 28, 2010 at 8:20 PM by DeanBrettle, version 2