Tutorial: HTML Sanitizing and Parsing

Post Header

Published:

2010-11-12 04:11:40 UTC

Tags:

Along with the upgrade to Rails 3, there have been significant changes and improvements to our HTML sanitizing and parsing in Release 0.8.2. These changes should make things clearer for authors and much faster for readers!

Here is a quick breakdown for those who just want the highlights, followed by a more detailed explanation of what was changed and how it all works.

Highlights

Blank lines and carriage returns will now be converted to paragraph () and line-break ( ) tags in the text editor.

The text will automatically be parsed and "cleaned up" -- any tags that were left open get closed, any mis-nested tags get fixed, etc.

The text will be sanitized, to remove any elements that are potentially harmful to our server.

This change fixes the known bug where switching from HTML mode to Rich Text mode causes all your paragraphs to disappear. (Yay!)

This change will also allow users to embed video from: youtube, vimeo, blip.tv, dailymotion, viddler, metacafe, and 4shared. (Yay!)

What's Behind the Scenes

The new back end for content works in three steps.

There is now a paragraph-adder that converts blank lines and carriage returns into paragraph tags () and break tags ( ) based on a few simple rules:

A blank line left between two pieces of text will be made separate paragraphs:

Here is paragraph one.

Here is paragraph two.

will become:

Here is paragraph one.

Here is paragraph two.

A carriage return or newline in the middle of text will add a break tag:

Here is a line
with a carriage return in the middle.

will become:

Here is a line 
with a carriage return in the middle.

We also will preserve extra blank lines -- if you have TWO blank lines in a row, we will add in an empty paragraph:

Here is paragraph one, and I want extra space after it.

Here is paragraph two.

will become:

Here is paragraph one, and I want extra space after it.

Here is paragraph two.

Note: The paragraph-adder will put tags at the end of each line whenever there is a carriage return, even in things like lists. So, if you have a nice chunk of HTML in your story that you coded up by hand like this:

You can avoid having tags added by putting the list into a single line with no carriage returns instead:

The next step is a Ruby on Rails gem (basically a kind of plugin) called Nokogiri, which parses the text and gives it back to us as a well-formed chunk of XHTML. What this means among other things is that:

any tags that were left open get closed

any mis-nested tags get fixed (eg, if you do foo! Nokogiri will turn that into the correct version (Foo!)

any attribute values that aren't properly in quotes get fixed

Finally, we use the gem Sanitize to clean up this XHTML and take out anything that is legal but not necessarily safe. Sanitize uses a whitelist, meaning that only the tags and attributes we specifically tell it are allowed are let through. It's very customizable, and we have been able to write special rules for Sanitize to safely allow embeds of videos from specific sites (currently: youtube, vimeo, blip.tv, dailymotion, viddler, metacafe and 4shared.) Once Sanitize is done, the final version is saved into the database.

There is lots of documentation available on Nokogiri and Sanitize on their respective sites.

What you see when editing

If you are working in a field (like content in the Post New Work form) that allows you to use the Rich Text Editor, the tags and will show, because otherwise if you switch to the Rich Text Editor, it will do that horrible thing where your whitespace disappears and your text all runs together into one giant blob!
If you manually put in some tags that had extra attributes on them, like "", the tags will show.
The and tags will not show when you edit fields like notes and summary, however, where there is no option to use the Rich Text Editor.

Here's an example of how the tags will look on content in the Post New Work form:

Actions

Comments

Sorry, this news post doesn't allow comments.

Pages Navigation

samjohnsson Sat 13 Nov 2010 10:31AM UTC

Finally, we use the gem Sanitize to clean up this XHTML and take out anything that is legal but not necessarily safe.
Are we to assume that the list:
a, abbr, acronym, address, [alt], b, big, blockquote, br, caption, center, cite, [class], code, col, colgroup, datetime, dd, del, dfn, div, dl, dt, em, h1, h2, h3, h4, h5, h6, [height], hr, [href], i, img, ins, kbd, li, name, ol, p, pre, q, samp, small, span, [src], strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, [title], tr, tt, u, ul, var, [width]
is still up to date? Also, what's the code string to embed video?

Comment Actions
- Thread
1. admin-franny (Guest) Sat 13 Nov 2010 11:30AM UTC
  
  Yep, the list of allowed html is still up-to-date, with the exception of the embed code. And the code string to embed video is just whatever those allowed sites offer you as a copy & paste for embed - the exact code is always quite long and complex, so we haven't figured out a succinct way to put it into the allowed list yet.
  Zooey, AD&T Chair
  
  Comment Actions
  - Thread
  - Parent Thread
A (mumblemutter) Sun 21 Nov 2010 10:07AM UTC

Hmm, I started going through everything I uploaded to fix stuff that now looks wonky and I've already run into a snag. I tried to put in the empty paragraph tags for extra space, but it still only created one blank line on preview. More carriage returns didn't work either. I actually had to put " [ampersand]nbsp[semicolon] " for it to take, and I don't know how many people would know to try that. Is there any other way?

Last Edited Sun 21 Nov 2010 10:10AM UTC

Comment Actions
- Thread
mirabilos (Guest) Sat 05 Mar 2011 01:26AM UTC

Note that some browsers cannot submit lines
larger than some amount of length.
For people who know XHTML, automatic
addition of the br and p tags should be
omitted optionally. For example, I usually
format my things like this (using double
instead of single angle brackets here):
«p»This is a sample paragraph. I do a
line break here.«/p»
«p»This may be the next paragraph.«/p»
«p»This may be another paragraph with
some more semantic distance to the other
two.«/p»

Comment Actions
- Thread
mirabilos (Guest) Sat 05 Mar 2011 01:27AM UTC

Another thing, while I see what your system
makes out of my comment: two or more br
tags in a row are COLLAPSED INTO A SINGLE
br tag, i.e. you CANNOT do the “one line
distance” trick with «br/»«br/» (in a
conforming browser). You really ought to
convert to either «p»…«/p» instead then.

Comment Actions
- Thread
mirabilos (Guest) Sat 05 Mar 2011 01:29AM UTC

Ah well, /p + br/ + p doesn’t seem to
work either, there is simply no newline:
«p»This may be the next paragraph.«/p»
«p»This may be another paragraph with
This is the latest Lynx development version, btw.

Comment Actions
- Thread
1. Zooey_Glass Sat 05 Mar 2011 08:58AM UTC
  
  Hi there!
  Thanks for your feedback! The parser is definitely not where we want it to be, especially with regard to line breaks and paragraphs. We're looking for someone with high-level knowledge on HTML parsing - if this is you (or you know that person) then we always welcome volunteers!
  Zooey, AD&T
  
  Comment Actions
  - Thread
  - Parent Thread
mirabilos Sat 05 Mar 2011 06:52PM UTC

I have some knowledge of HTML and XHTML
up to XHTML/1.1 (I refuse to acknowledge
both XHTML 2 and HTML 5 / XHTML 5 ;-)
but absolutely none of either Ruby or
Ruby on Rails (one time I looked into a
RoR application and searched for the actual
source code, yet found none).
I am, however, a Lynx contributor (only
occasionally) and heavy Lynx user.
If you feel I can help, please feel free
to send me eMails. I’m also willing to
test experimental changes and things like
that, offer opinions, etc.
Lynx does have an active mailing list,
reachable under [email protected] or
http://lists.nongnu.org/mailman/listinfo/lynx-dev
where you can also participate if you want.
For what it’s worth, I can confirm that Lynx
forcibly wraps “very long” lines, the MAX_LINE
constant is currently defined to 1024.
That all said, I registered today, and
save for uploading profile information and
a logo, everything worked with Lynx (for
the logo, I switched to Opera 9.27 on Linux,
and it appears to have worked as well).
I’ve put up bookmarks and will publish the
one (side-)story I wrote soonish as well.
Great job so far!

Comment Actions
- Thread
1. Cesy Fri 05 Aug 2011 11:07AM UTC
  
  We would love to have you as a tester. If you can fill in your name and email at this Volunteers form and say you're interested in testing, someone will add you to the right mailing list.
  Thanks!
  Cesy, AD&T committee member
  
  Comment Actions
  - Thread
  - Parent Thread
AMHC Thu 31 May 2012 10:01AM UTC

Hello! :)
Is there a way to use colours and different fonts coding? House of Leaves fanfic authors would appreciate it :)
Thank you!
AM

Comment Actions
- Thread
1. AMHC Thu 31 May 2012 10:04AM UTC
  
  Nevermind, I just realised how! :D
  
  Comment Actions
  - Thread
  - Parent Thread
2. 1. LucyP Thu 31 May 2012 02:37PM UTC
    
    Hurray, glad you figured it out! Just in case anyone else sees this and wonders - you can style works by using work skins - see our tutorial on styling works.
    Lucy
    AO3 Support
    
    Comment Actions
    - Thread
    - Parent Thread
walking_tornado Sun 16 Jun 2013 12:24PM UTC

I'm new to HTML, and I can't locate how to indent the first line of paragraphs. I found a site that said just to code in several spaces, and I wondered if you had a better way of doing it.

Comment Actions
- Thread
1. AO3_Support (Official) Sun 16 Jun 2013 06:17PM UTC
  
  Hi, walking_tornado,
  You can indent the first lines of your paragraphs using a Work Skin. To do so:
  1) Go to your Skins page from the link in your Dashboard
  2) Click the “Work Skins” button
  3) Choose “Create Skin”
  4) In the “Create New Archive Skin” form, change the popup menu beside “Type” to “Work Skin” (very important)
  5) In the “Title” box, enter a title that is meaningful to you (for example, “Indentation”)
  6) If you like, in the “Description” box you can enter a description of what the skin does
  7) In the large box labeled “CSS”, enter:
  #workskin P { text-indent: 3em; margin: 0 auto; }
  7A) If you'd like to indent your paragraphs but still have blank lines between them, instead enter:
  #workskin P { text-indent: 3em; }
  8) Click the “Submit” button at the bottom of the form.
  Now when you post or edit a work, if you choose your work skin from the dropdown next to "Custom Stylesheet" (at the bottom of the Associations section) you'll get paragraphs with the first line indented.
  If you have any questions about the above instructions, please contact Support from the link in the Archive footer.
  Best,
  Lady Oscar
  AO3 Support
  
  Comment Actions
  - Thread
  - Parent Thread
2. 1. Musicfight23 Sat 21 May 2016 07:44PM UTC
    
    I needed this. Thank you!
    
    Comment Actions
    - Thread
    - Parent Thread
  2. theLadyLazaruss Tue 18 Apr 2017 12:59PM UTC
    
    Oh. My. Goodness.
    I know absolutely ziltch about CSS and programming and all of that intricate computer stuff that I know I should really know for my age, but I've been rifling through the internet attempting to make some sort of sense out of paragraphs of code.
    Thank you. So much simpler, and so much easier.
    
    Comment Actions
    - Thread
    - Parent Thread
  3. ChekhovsRazor Thu 01 Mar 2018 01:54AM UTC
    
    Those instructions indent the summary and notes as well. Might I suggest instead using:
    #workskin #chapters div.userstuff p { text-indent: 3em; margin: 0 auto; }
    or
    #workskin #chapters div.userstuff p { text-indent: 3em; }
    This will only indent the actual chapter paragraphs and avoid indenting the summary and notes.
    
    Last Edited Thu 01 Mar 2018 01:56AM UTC
    
    Comment Actions
    - Thread
    - Parent Thread
  4. 1. Account Deleted Tue 22 Feb 2022 04:15PM UTC
      
      Hello, I was looking for instructions like this and I found this old post! Thank you very much!
      I have bad eyesight, so typical web format with justified-left and inter-paragraph spaces being tight is rather hard for me to follow when I'm reading on Desktop. Again, thank you very much!!
      
      Comment Actions
      - Thread
      - Parent Thread
    2. 1. ChekhovsRazor Thu 03 Mar 2022 05:21PM UTC
        
        No problem, glad this could help. :)
        
        Comment Actions
        
        Thread
        
        Parent Thread
  5. Emily_Writes_Things Sun 04 Mar 2018 05:19AM UTC
    
    Oml Thank you so much! I was very sad because I couldn't get the indent! Thank you, you are life savers
    
    Comment Actions
    - Thread
    - Parent Thread
smallbrownfrog Mon 12 Aug 2013 06:38PM UTC

If "A carriage return or newline in the middle of text will add a break tag," does that mean I have to enter an entire table on one line?? I have a meta thingy that is formatted as a table and I don't see how I could enter it as one line of code.
(Plus, even if I could cram the whole big table on one line, that would make it one hard-to-edit mess.)
How would you recommend formatting a big table on AO3?

Last Edited Mon 12 Aug 2013 06:43PM UTC

Comment Actions
- Thread
1. AO3_Support (Official) Tue 13 Aug 2013 04:54PM UTC
  
  Hi, 'frog:
  Thanks for asking about using tables on the Archive. This tutorial is a bit out of date, though we do have a team working on updating it. The parser has been adjusted such that you can use tables without it inserting blank lines. I do want to note that the default skin for the Archive puts a margin value on any P that you may want to modify using a work skin.
  If the table doesn't work correctly, please contact Support with the HTML you're using and we'll take a look!
  Best,
  Sam J.
  AO3 Support
  
  Comment Actions
  - Thread
  - Parent Thread
2. 1. smallbrownfrog Tue 13 Aug 2013 06:29PM UTC
    
    Thank you for your reply. I'm glad to hear that the parser has been updated to handle tables better. Thanks also for the heads up about margins. I'll keep that in mind.
    
    Comment Actions
    - Thread
    - Parent Thread
Daniel (Guest) Tue 29 Jul 2014 11:01AM UTC

Is there any chance you can add some more tags to the allowed list? The header, footer, article, section, aside, figure, figcaption, time, mark, and ruby (and rt, rp, and rb) elements all seem safe, and several of them seem useful for this site. For example, the section and header tags (along with CSS) could be used with the existing h1 through h6 tags for some useful results, and the uses of the figure and figcaption elements should be readily apparent.

Comment Actions
- Thread
1. Daniel (Guest) Wed 30 Jul 2014 05:09AM UTC
  
  I realized that this is a several-year-old article and probably nobody looks at the comments section; I asked my question using the official feedback form.
  I would be happy to submit a pull request, but that wouldn't help with the main issue of actually verifying everything is safe.
  
  Comment Actions
  - Thread
  - Parent Thread
2. AO3_Support (Official) Wed 30 Jul 2014 07:13PM UTC
  
  Hi, Daniel!
  We do get notified of comments on admin posts, even the very ones!
  We do have plans to eventually support HTML5 tags once we switch the doctype on the Archive to the HTML5 validation schema. I know several of our front-end volunteers would love the chance to re-structure several of the page templates. However, our pages are currently validated using a XHTML 1.0 Strict schema. Allowing the newer tags would break the validation, which can occasionally cause some browsers to present security errors. Additionally, these newer tags are non-functional without some javascript chicanery in a number of the browsers our visitors use to access the site. As soon as we switch to HTML5, we'll revise the tags in the sanitized list.
  We do welcome pull requests to the project, but this one would likely not get accepted for a while. If you have specific questions about coding and design, you can contact us either the Support form or using the information in the wiki section on github!
  Best,
  Sam J.
  AO3 Support
  
  Comment Actions
  - Thread
  - Parent Thread
TheMadScribe Wed 30 Jul 2014 03:17AM UTC

How can I make an indent appear at the beginning of my paragraphs?

Comment Actions
- Thread
1. Daniel (Guest) Wed 30 Jul 2014 03:25AM UTC
  
  HTML is only for saying "this is a paragraph", not "paragraphs should have an indent at the beginning". For that, you want CSS. For indentation specifically, see this comment on this same post. For more CSS information, see this tutorial.
  
  Comment Actions
  - Thread
  - Parent Thread
2. 1. TheMadScribe Wed 30 Jul 2014 04:25AM UTC
    
    Oh, so that's why what I tried didn't work...
    For the daughter of a computer programmer, I know very little about code.
    Thank you :)
    
    Comment Actions
    - Thread
    - Parent Thread
3. AO3_Support (Official) Wed 30 Jul 2014 07:20PM UTC
  
  Hi, Melony!
  Daniel already linked you to the proper method, in that it creates a solution that is relative to the font size and generally friendly to all accessibility tools. Another option is to force the spacing using non-breaking spaces by entering at the beginning of each paragraph:
      
  You can repeat it more or fewer times, depending on the width of the tab you want. We do encourage, however, the CSS solution. If you have any questions, you can always submit a Support ticket!
  Best,
  Sam J.
  AO3 Support
  edit: because English sentences need verbs.
  
  Last Edited Wed 30 Jul 2014 07:23PM UTC
  
  Comment Actions
  - Thread
  - Parent Thread
Humberto (Guest) Mon 11 Aug 2014 02:13PM UTC

It's not my first time to pay a visit this site, i am browsing this web page dailly and obtain good facts from here daily.

Comment Actions
- Thread
starzinoureyes Sat 16 Aug 2014 06:31PM UTC

this may be a dumb question, but how do you turn text into a link to another site? if than makes any sense....

Comment Actions
- Thread
1. alanalytical Fri 05 May 2017 08:20PM UTC
  
  Rich text has an "insert link" option
  
  Comment Actions
  - Thread
  - Parent Thread
TheAnderfelsOne Sat 30 May 2015 02:08PM UTC

hello! Can someone please tell me how to add an image to the work? I try the img html but it doesn't work.
Thank you.

Last Edited Sat 30 May 2015 02:08PM UTC

Comment Actions
- Thread
1. AO3_Support (Official) Tue 23 Jun 2015 12:44PM UTC
 
 Hi there!
 The img tag should work, but the HTML parser might be eating it if it's improperly formatted or broken. One thing to check is that the quote marks must be straight quotes "" and not curly quotes ("smart" quote marks).
 If that doesn't help and you're still experiencing issues, can you contact us using the Support form with more details? The form's parser will eat any example html, but if you avoid including the < and > symbols, everything else should come through.
 Apologies for the inconvenience in the meantime!
 Best,
 hele
 AO3 Support
 
 Comment Actions
 - Thread
 - Parent Thread
2. 1. TheAnderfelsOne Tue 23 Jun 2015 06:48PM UTC
 
 Thank you for the help! How about a video please?
 
 Comment Actions
 - Thread
 - Parent Thread
 2. 1. AO3_Support (Official) Tue 23 Jun 2015 10:03PM UTC
 
 No problem! As with static images, the Archive doesn't have a way to host video. Check out our post about multimedia embedding in the Archive. You can see valid sites and tags there. If you run into any problems, please don't hesitate to contact us using the Support form!
 Best,
 hele
 AO3 Support
 
 Comment Actions
 - Thread
 - Parent Thread
 2. 1. TheAnderfelsOne Fri 26 Jun 2015 04:46PM UTC
 
 From what I understood, it would work if I put tje url of the video between iframe and /iframe ?
 
 Comment Actions
 
 Thread
 
 Parent Thread
 2. Sam of Support (AO3_Support) (Official) Wed 01 Jul 2015 12:39AM UTC
 
 Hi again, TheAnderfelsOne:
 You would need the full embed code from the hosting site listed in the iframe: most sites make this easily available in a Share button or similar. The video does have to be hosted at one of the "whitelisted" (permitted) sites listed at the multimedia post; if it's not, the HTML sanitizer will strip out the code. If you have any questions about a specific site, please contact Support!
 Best,
 Sam J.
 AO3 Support
 
 Comment Actions
 
 Thread
 
 Parent Thread
 
 TheAnderfelsOne Sun 05 Jul 2015 11:21PM UTC
 
 Oh I just think about youtube. So I guess it shouldn't be a problem then? just put the url between the html code iframe then.
 
 Comment Actions
 
 Thread
 
 Parent Thread
 
 Sam of Support (AO3_Support) (Official) Mon 06 Jul 2015 12:13PM UTC
 
 Hi again:
 For YouTube, you'll want to browse to the video's page, click on the Share button, click on Embed, and copy everything in the box that appears, not just the URL. If you have any questions, let us know!
 Best,
 Sam J.
 AO3 Support
 
 Comment Actions
 
 Thread
 
 Parent Thread
ShilohHemingway Mon 03 Aug 2015 01:07AM UTC

I wish you would put examples of what the text actually looks like after you enter the HTML characters.

Comment Actions
- Thread
CodenameCarrot Tue 23 Feb 2016 03:28AM UTC

The image at the bottom is missing; does sanitize strip out the html entities corresponding to emoji? When I try to use them, my fic is truncated after the attempted (but not supported?) character.
I've sent this to support, but was double-checking if this was a known bug or formatting issue with workarounds.

Comment Actions
- Thread

AO3 News