Show HN: HtmlWasher – An HTML cleanup tool (opens in new tab)

The washer makes an XHR to /ajax/paste to do the 'washing'.

Seems like this could be done in JavaScript without an XHR, and not send your info to them.

However, https://www.htmlwasher.com/privacy/:

"The Operator may collect the personal data, such as, without limitation, (i) name; (ii) age; (iii) sex; (iv) address; (v) homepage URL address; (vi) telephone number; (vii) email address; (viii) bank account number; as well as (ix) any information relating and relevant to the Services, including, without limitation, opening and administering the Account, or getting feedback for improving the Services."

" In the event that the Operator is involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, your personal data may be sold or transferred as part of that transaction."

Pandoc can do this:

  cat tea-dance.html | pandoc --from=html --to=markdown | pandoc --from=markdown --to=html

I learned that from vimcasts.org: http://vimcasts.org/episodes/using-external-filter-commands-...

of this matter I really like https://github.com/mozilla/bleach .

is your project any different aside from the "service oriented" nature? (also I don't see any usage method, if not from the browser)

from experience, I wouldn't recommend other than context-aware safe templating systems for html safety in this day and age.

to an even greater extent than templating systems, sanitization systems of this type need to be built by an expert and align perfectly with how browsers parse tags, which is no small feat.

to give more concrete examples, from a few minutes of testing:

<a href="javascript://%0Aalert`xss`">1</a> <- xss on click

<img src=javascript:alert(2)> <- XSS in Opera Mobile, Opera 10, early versions of IE

<img src="/logout"> <- csrf which affects nearly everything built without security knowhow

This is brilliant!

I wrote an HTML file in Microsoft Word. Then uploaded that .html file which had 800 lines. HtmlWasher cleaned up all the file content, the endless meta tags, non sense IE style tags, etc.

This would be really useful as a service. Send a glob of html to their endpoint, and return what this site does (the cleaned/washed html). As a service, it could be more efficient than doing 1 file at a time on their site. Or better yet, it would be awesome to open source the way this cleans the html. Regardless, awesome site. I could see the use for various scenarios.

Reminds me of a cleaner tool I wrote about 10+ years ago, a huge single God-class which would parse an HTML string, allowed me to do various transformations on the object tree, and rerendered the entire source code in correct and nicely indented XHTML. Back then I had unused server capacity, so I often used it to do compression of dynamically rendered pages from for example message boards. Also allowed me to place a badge bragging about my 100% W3C validator score, since the original software packages often did not produce such clean HTML. :p The code is actually still being run on every pageload for some old sites I never updated much since.

It has a tiny little webinterface a which remains online today on some underpowered server. Doesn't work well with anything except XHTML though. http://htmlcleaner.blackholestudios.nl/

If you're serious about HTML checking and cleanup consider using SGML and my (inofficial) HTML 5.1 DTD [1].

It doesn't do magic (like indentation or removing/simplifying CSS) if that's what you're after, but it gives you straightforward capabilities to filter out script elements, check/suppress event handler attributes and other places where JavaScript can occur maliciously in HTML, enforce presence of HTML elements, etc. Since it's entirely driven by an SGML DTD grammar for HTML it can be customized to death really (for context-dependent filtering, injection prevention, whatever).

[1]: http://sgmljs.net/blog/blog1701.html

"Reduces a HTML document (or fragment) to basic HTML tags and attributes" - meaning what exactly? What counts as a basic attribute?

This should be a library or an API, otherwise I don't really see a use for this. Also seems overly aggressive, and there should be some options on what to keep. I see a need to remove JavaScript from HTML but keep events for example.

Here is one in C, with flex-generated lexing, for back-end use:

http://www.kylheku.com/cgit/hc/tree/

I used this for allowing HTML in a mailing list e-mails to be incorporated into the web archive. (The archiver is a modified version of Lurker.)

P.S. "wl" stands for "whitelist": what elements are allowed to pass through, and of those, which attributes are allowed to pass through. The condensed "wl" config file is translated into compiled-in static tables by the wl.txr script. No run-time config.

What is the use case for this?

This doesn't appear to use a spec-compliant HTML parser as the first step of the processing. Any tool of this nature created this day and age really should.

But.. why?