Question 1

How does bluemonday compare to HTML Purifier?

Accepted Answer

bluemonday is faster and written in Go, focusing on allowlist-based security with minimal dependencies, while HTML Purifier is PHP-based and offers more built-in features like CSS sanitization and HTML repair. bluemonday is better for Go projects prioritizing performance and simplicity.

Question 2

How to allow specific CSS styles in bluemonday?

Accepted Answer

Use the AllowStyles method with MatchingEnum or regex; for example, to allow the 'color' property with hex values, define p.AllowStyles('color').Matching(regexp.MustCompile('^#([0-9a-f]{3,6})$')).Globally(). Always validate carefully to avoid XSS risks.

Question 3

Is bluemonday safe for production use?

Accepted Answer

Yes, it's production-ready and migrated from the OWASP Java HTML Sanitizer, with an extensive test suite including AntiSamy tests. However, ensure policies are correctly configured, as missteps can leave security gaps.

Question 4

Can bluemonday handle SVG elements safely?

Accepted Answer

Yes, but it requires explicit policy configuration since SVG is not included in default policies. You must allow SVG elements and attributes manually, and be cautious of scriptable content that could introduce XSS vectors.

Question 5

What happens if I feed bluemonday badly formatted HTML?

Accepted Answer

It follows GIGO and may produce broken output, as it doesn't repair HTML structure. For instance, unclosed tags or incorrect nesting will pass through unsanitized, potentially bypassing some safety checks.

Question 6

How to add nofollow to all links in bluemonday?

Accepted Answer

Use p.RequireNoFollowOnLinks(true) in your policy, which automatically adds rel='nofollow' to valid href attributes on 'a', 'area', and 'link' elements, as described in the link safety features section.

bluemonday

What is bluemonday?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions