Next: Introduction, Previous: (dir), Up: (dir) [Contents][Index]

The sanitize-html Reference Manual

This is the sanitize-html Reference Manual, version 0.1.0, generated automatically by Declt version 4.0 beta 2 "William Riker" on Fri May 15 11:59:21 2026 GMT+0.

Next: Systems, Previous: The sanitize-html Reference Manual, Up: The sanitize-html Reference Manual [Contents][Index]

1 Introduction

Next: Files, Previous: Introduction, Up: The sanitize-html Reference Manual [Contents][Index]

2 Systems

The main system appears first, followed by any subsystem dependency.

sanitize-html

Previous: Systems, Up: Systems [Contents][Index]

2.1 `sanitize-html`

OWASP-style HTML sanitization library for Common Lisp

Author

Anthony Green <green@moxielogic.com>

License

MIT

Version

0.1.0

Dependencies

plump (system).
lquery (system).
cl-ppcre (system).
alexandria (system).

Source

sanitize-html.asd.

Child Components

src/package.lisp (file).
src/policies.lisp (file).
src/sanitizer.lisp (file).

Next: Packages, Previous: Systems, Up: The sanitize-html Reference Manual [Contents][Index]

3 Files

Files are sorted by type and then listed depth-first from the systems components trees.

Lisp

Previous: Files, Up: Files [Contents][Index]

Next: sanitize-html/src/package.lisp, Previous: Lisp, Up: Lisp [Contents][Index]

3.1.1 `sanitize-html/sanitize-html.asd`

Source: sanitize-html.asd.
Parent Component: sanitize-html (system).
ASDF Systems: sanitize-html.

Next: sanitize-html/src/policies.lisp, Previous: sanitize-html/sanitize-html.asd, Up: Lisp [Contents][Index]

3.1.2 `sanitize-html/src/package.lisp`

Source: sanitize-html.asd.
Parent Component: sanitize-html (system).
Packages: sanitize-html.

Next: sanitize-html/src/sanitizer.lisp, Previous: sanitize-html/src/package.lisp, Up: Lisp [Contents][Index]

3.1.3 `sanitize-html/src/policies.lisp`

Dependency

src/package.lisp (file).

Source

sanitize-html.asd.

Parent Component

sanitize-html (system).

Public Interface

*default-policy* (special variable).
*email-policy* (special variable).
*strict-policy* (special variable).
make-policy (function).
policy-allowed-attributes (reader).
(setf policy-allowed-attributes) (writer).
policy-allowed-css-properties (reader).
(setf policy-allowed-css-properties) (writer).
policy-allowed-protocols (reader).
(setf policy-allowed-protocols) (writer).
policy-allowed-tags (reader).
(setf policy-allowed-tags) (writer).
policy-escape-cdata (reader).
(setf policy-escape-cdata) (writer).
policy-remove-comments (reader).
(setf policy-remove-comments) (writer).

Internals

attribute-allowed-p (function).
copy-policy (function).
get-allowed-attributes (function).
policy (structure).
policy-p (function).
protocol-allowed-p (function).
tag-allowed-p (function).

Previous: sanitize-html/src/policies.lisp, Up: Lisp [Contents][Index]

3.1.4 `sanitize-html/src/sanitizer.lisp`

Dependency

src/policies.lisp (file).

Source

sanitize-html.asd.

Parent Component

sanitize-html (system).

Public Interface

safe-url-p (function).
sanitize (function).
sanitize-html (function).
sanitize-url (function).

Internals

remove-element-keep-children (function).
remove-event-handlers (function).
sanitize-attributes (function).
sanitize-css (function).
sanitize-node (generic function).
sanitize-style-attribute (function).
sanitize-url-attribute (function).
set-safe-defaults (function).

Next: Definitions, Previous: Files, Up: The sanitize-html Reference Manual [Contents][Index]

4 Packages

Packages are listed by definition order.

sanitize-html

Previous: Packages, Up: Packages [Contents][Index]

4.1 `sanitize-html`

OWASP-style HTML sanitization library for Common Lisp

Source

src/package.lisp.

Use List

common-lisp.

Public Interface

*default-policy* (special variable).
*email-policy* (special variable).
*strict-policy* (special variable).
make-policy (function).
policy-allowed-attributes (reader).
(setf policy-allowed-attributes) (writer).
policy-allowed-css-properties (reader).
(setf policy-allowed-css-properties) (writer).
policy-allowed-protocols (reader).
(setf policy-allowed-protocols) (writer).
policy-allowed-tags (reader).
(setf policy-allowed-tags) (writer).
policy-escape-cdata (reader).
(setf policy-escape-cdata) (writer).
policy-remove-comments (reader).
(setf policy-remove-comments) (writer).
safe-url-p (function).
sanitize (function).
sanitize-html (function).
sanitize-url (function).

Internals

attribute-allowed-p (function).
copy-policy (function).
get-allowed-attributes (function).
policy (structure).
policy-p (function).
protocol-allowed-p (function).
remove-element-keep-children (function).
remove-event-handlers (function).
sanitize-attributes (function).
sanitize-css (function).
sanitize-node (generic function).
sanitize-style-attribute (function).
sanitize-url-attribute (function).
set-safe-defaults (function).
tag-allowed-p (function).

Next: Indexes, Previous: Packages, Up: The sanitize-html Reference Manual [Contents][Index]

5 Definitions

Definitions are sorted by export status, category, package, and then by lexicographic order.

Public Interface
Internals

Next: Internals, Previous: Definitions, Up: Definitions [Contents][Index]

5.1 Public Interface

Special variables
Ordinary functions

Next: Ordinary functions, Previous: Public Interface, Up: Public Interface [Contents][Index]

5.1.1 Special variables

Special Variable: *default-policy* ¶

Default sanitization policy - balanced for general content

Package: sanitize-html.
Source: src/policies.lisp.

Special Variable: *email-policy* ¶

Email policy - allows common email HTML formatting

Package: sanitize-html.
Source: src/policies.lisp.

Special Variable: *strict-policy* ¶

Strict policy - minimal allowed HTML

Package: sanitize-html.
Source: src/policies.lisp.

Previous: Special variables, Up: Public Interface [Contents][Index]

5.1.2 Ordinary functions

Function: make-policy (&key allowed-tags allowed-attributes allowed-protocols allowed-css-properties remove-comments escape-cdata) ¶

Package: sanitize-html.
Source: src/policies.lisp.

Reader: policy-allowed-attributes (instance) ¶

Writer: (setf policy-allowed-attributes) (instance) ¶

Package: sanitize-html.
Source: src/policies.lisp.
Target Slot: allowed-attributes.

Reader: policy-allowed-css-properties (instance) ¶

Writer: (setf policy-allowed-css-properties) (instance) ¶

Package: sanitize-html.
Source: src/policies.lisp.
Target Slot: allowed-css-properties.

Reader: policy-allowed-protocols (instance) ¶

Writer: (setf policy-allowed-protocols) (instance) ¶

Package: sanitize-html.
Source: src/policies.lisp.
Target Slot: allowed-protocols.

Reader: policy-allowed-tags (instance) ¶

Writer: (setf policy-allowed-tags) (instance) ¶

Package: sanitize-html.
Source: src/policies.lisp.
Target Slot: allowed-tags.

Reader: policy-escape-cdata (instance) ¶

Writer: (setf policy-escape-cdata) (instance) ¶

Package: sanitize-html.
Source: src/policies.lisp.
Target Slot: escape-cdata.

Reader: policy-remove-comments (instance) ¶

Writer: (setf policy-remove-comments) (instance) ¶

Package: sanitize-html.
Source: src/policies.lisp.
Target Slot: remove-comments.

Function: safe-url-p (url &optional policy) ¶

Check if URL is safe according to POLICY

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: sanitize (html-string &optional policy) ¶

Alias for SANITIZE-HTML

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: sanitize-html (html-string &optional policy) ¶

Sanitize HTML-STRING according to POLICY. Returns sanitized HTML string. This is the main entry point for HTML sanitization.

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: sanitize-url (url &optional policy) ¶

Return URL if safe, nil otherwise

Package: sanitize-html.
Source: src/sanitizer.lisp.

Previous: Public Interface, Up: Definitions [Contents][Index]

5.2 Internals

Ordinary functions
Generic functions
Structures

Next: Generic functions, Previous: Internals, Up: Internals [Contents][Index]

5.2.1 Ordinary functions

Function: attribute-allowed-p (policy tag-name attr-name) ¶

Check if ATTR-NAME is allowed for TAG-NAME by POLICY

Package: sanitize-html.
Source: src/policies.lisp.

Function: copy-policy (instance) ¶

Package: sanitize-html.
Source: src/policies.lisp.

Function: get-allowed-attributes (policy tag-name) ¶

Get list of allowed attributes for TAG-NAME according to POLICY

Package: sanitize-html.
Source: src/policies.lisp.

Function: policy-p (object) ¶

Package: sanitize-html.
Source: src/policies.lisp.

Function: protocol-allowed-p (policy url) ¶

Check if URL uses an allowed protocol according to POLICY

Package: sanitize-html.
Source: src/policies.lisp.

Function: remove-element-keep-children (element) ¶

Remove ELEMENT but keep its children in the same position

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: remove-event-handlers (element) ¶

Remove all event handler attributes (onclick, onload, etc.)

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: sanitize-attributes (element policy) ¶

Remove disallowed attributes from ELEMENT according to POLICY

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: sanitize-css (css-string allowed-properties) ¶

Sanitize CSS string, keeping only allowed properties

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: sanitize-style-attribute (element policy) ¶

Sanitize inline CSS in style attribute

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: sanitize-url-attribute (element attr-name policy) ¶

Sanitize URL in attribute ATTR-NAME of ELEMENT

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: set-safe-defaults (element) ¶

Set safe default attributes on certain elements

Package: sanitize-html.
Source: src/sanitizer.lisp.

Function: tag-allowed-p (policy tag-name) ¶

Check if TAG-NAME is allowed by POLICY

Package: sanitize-html.
Source: src/policies.lisp.

Next: Structures, Previous: Ordinary functions, Up: Internals [Contents][Index]

5.2.2 Generic functions

Generic Function: sanitize-node (node policy) ¶

Sanitize a Plump DOM node according to policy

Package

sanitize-html.

Source

src/sanitizer.lisp.

Methods

Method: sanitize-node (node policy) ¶: Default case for unknown node types - remove them

Method: sanitize-node ((node cdata) policy) ¶: Handle CDATA sections based on policy

Method: sanitize-node ((node comment) policy) ¶: Remove or keep comment nodes based on policy

Method: sanitize-node ((node text-node) policy) ¶: Text nodes are always safe, no action needed

Method: sanitize-node ((node element) policy) ¶: Sanitize an HTML element node

Method: sanitize-node ((node root) policy) ¶: Sanitize all children of root node

Previous: Generic functions, Up: Internals [Contents][Index]

5.2.3 Structures

Structure: policy ¶

Sanitization policy defining what HTML elements, attributes, and protocols are allowed

Package

sanitize-html.

Source

src/policies.lisp.

Direct superclasses

structure-object.

Direct slots

Slot: allowed-tags ¶

Type: list
Readers: policy-allowed-tags.
Writers: (setf policy-allowed-tags).

Slot: allowed-attributes ¶

Type: list
Readers: policy-allowed-attributes.
Writers: (setf policy-allowed-attributes).

Slot: allowed-protocols ¶

Type: list
Initform: (quote ("http" "https" "mailto"))
Readers: policy-allowed-protocols.
Writers: (setf policy-allowed-protocols).

Slot: allowed-css-properties ¶

Type: list
Readers: policy-allowed-css-properties.
Writers: (setf policy-allowed-css-properties).

Slot: remove-comments ¶

Type: boolean
Initform: t
Readers: policy-remove-comments.
Writers: (setf policy-remove-comments).

Slot: escape-cdata ¶

Type: boolean
Initform: t
Readers: policy-escape-cdata.
Writers: (setf policy-escape-cdata).

Previous: Definitions, Up: The sanitize-html Reference Manual [Contents][Index]

Appendix A Indexes

Concepts
Functions
Variables
Data types

Next: Functions, Previous: Indexes, Up: Indexes [Contents][Index]

A.1 Concepts

Next: Variables, Previous: Concepts, Up: Indexes [Contents][Index]

A.2 Functions

Jump to:	( A C F G M P R S T

	Index Entry	Section

(
	`(setf policy-allowed-attributes)`:	Public ordinary functions
	`(setf policy-allowed-css-properties)`:	Public ordinary functions
	`(setf policy-allowed-protocols)`:	Public ordinary functions
	`(setf policy-allowed-tags)`:	Public ordinary functions
	`(setf policy-escape-cdata)`:	Public ordinary functions
	`(setf policy-remove-comments)`:	Public ordinary functions

A
	`attribute-allowed-p`:	Private ordinary functions

C
	`copy-policy`:	Private ordinary functions

F
	`Function, (setf policy-allowed-attributes)`:	Public ordinary functions
	`Function, (setf policy-allowed-css-properties)`:	Public ordinary functions
	`Function, (setf policy-allowed-protocols)`:	Public ordinary functions
	`Function, (setf policy-allowed-tags)`:	Public ordinary functions
	`Function, (setf policy-escape-cdata)`:	Public ordinary functions
	`Function, (setf policy-remove-comments)`:	Public ordinary functions
	`Function, attribute-allowed-p`:	Private ordinary functions
	`Function, copy-policy`:	Private ordinary functions
	`Function, get-allowed-attributes`:	Private ordinary functions
	`Function, make-policy`:	Public ordinary functions
	`Function, policy-allowed-attributes`:	Public ordinary functions
	`Function, policy-allowed-css-properties`:	Public ordinary functions
	`Function, policy-allowed-protocols`:	Public ordinary functions
	`Function, policy-allowed-tags`:	Public ordinary functions
	`Function, policy-escape-cdata`:	Public ordinary functions
	`Function, policy-p`:	Private ordinary functions
	`Function, policy-remove-comments`:	Public ordinary functions
	`Function, protocol-allowed-p`:	Private ordinary functions
	`Function, remove-element-keep-children`:	Private ordinary functions
	`Function, remove-event-handlers`:	Private ordinary functions
	`Function, safe-url-p`:	Public ordinary functions
	`Function, sanitize`:	Public ordinary functions
	`Function, sanitize-attributes`:	Private ordinary functions
	`Function, sanitize-css`:	Private ordinary functions
	`Function, sanitize-html`:	Public ordinary functions
	`Function, sanitize-style-attribute`:	Private ordinary functions
	`Function, sanitize-url`:	Public ordinary functions
	`Function, sanitize-url-attribute`:	Private ordinary functions
	`Function, set-safe-defaults`:	Private ordinary functions
	`Function, tag-allowed-p`:	Private ordinary functions

G
	`Generic Function, sanitize-node`:	Private generic functions
	`get-allowed-attributes`:	Private ordinary functions

M
	`make-policy`:	Public ordinary functions
	`Method, sanitize-node`:	Private generic functions
	`Method, sanitize-node`:	Private generic functions
	`Method, sanitize-node`:	Private generic functions
	`Method, sanitize-node`:	Private generic functions
	`Method, sanitize-node`:	Private generic functions
	`Method, sanitize-node`:	Private generic functions

P
	`policy-allowed-attributes`:	Public ordinary functions
	`policy-allowed-css-properties`:	Public ordinary functions
	`policy-allowed-protocols`:	Public ordinary functions
	`policy-allowed-tags`:	Public ordinary functions
	`policy-escape-cdata`:	Public ordinary functions
	`policy-p`:	Private ordinary functions
	`policy-remove-comments`:	Public ordinary functions
	`protocol-allowed-p`:	Private ordinary functions

R
	`remove-element-keep-children`:	Private ordinary functions
	`remove-event-handlers`:	Private ordinary functions

S
	`safe-url-p`:	Public ordinary functions
	`sanitize`:	Public ordinary functions
	`sanitize-attributes`:	Private ordinary functions
	`sanitize-css`:	Private ordinary functions
	`sanitize-html`:	Public ordinary functions
	`sanitize-node`:	Private generic functions
	`sanitize-node`:	Private generic functions
	`sanitize-node`:	Private generic functions
	`sanitize-node`:	Private generic functions
	`sanitize-node`:	Private generic functions
	`sanitize-node`:	Private generic functions
	`sanitize-node`:	Private generic functions
	`sanitize-style-attribute`:	Private ordinary functions
	`sanitize-url`:	Public ordinary functions
	`sanitize-url-attribute`:	Private ordinary functions
	`set-safe-defaults`:	Private ordinary functions

T
	`tag-allowed-p`:	Private ordinary functions

Next: Data types, Previous: Functions, Up: Indexes [Contents][Index]

A.3 Variables

Jump to:	* A E R S

	Index Entry	Section

*
	`default-policy`:	Public special variables
	`email-policy`:	Public special variables
	`strict-policy`:	Public special variables

A
	`allowed-attributes`:	Private structures
	`allowed-css-properties`:	Private structures
	`allowed-protocols`:	Private structures
	`allowed-tags`:	Private structures

E
	`escape-cdata`:	Private structures

R
	`remove-comments`:	Private structures

S
	`Slot, allowed-attributes`:	Private structures
	`Slot, allowed-css-properties`:	Private structures
	`Slot, allowed-protocols`:	Private structures
	`Slot, allowed-tags`:	Private structures
	`Slot, escape-cdata`:	Private structures
	`Slot, remove-comments`:	Private structures
	`Special Variable, default-policy`:	Public special variables
	`Special Variable, email-policy`:	Public special variables
	`Special Variable, strict-policy`:	Public special variables

Previous: Variables, Up: Indexes [Contents][Index]

A.4 Data types

Jump to:	F P S

	Index Entry	Section

F
	`File, sanitize-html.asd`:	The sanitize-html/sanitize-html․asd file
	`File, src/package.lisp`:	The sanitize-html/src/package․lisp file
	`File, src/policies.lisp`:	The sanitize-html/src/policies․lisp file
	`File, src/sanitizer.lisp`:	The sanitize-html/src/sanitizer․lisp file

P
	`Package, sanitize-html`:	The sanitize-html package
	`policy`:	Private structures

S
	`sanitize-html`:	The sanitize-html system
	`sanitize-html`:	The sanitize-html package
	`sanitize-html.asd`:	The sanitize-html/sanitize-html․asd file
	`src/package.lisp`:	The sanitize-html/src/package․lisp file
	`src/policies.lisp`:	The sanitize-html/src/policies․lisp file
	`src/sanitizer.lisp`:	The sanitize-html/src/sanitizer․lisp file
	`Structure, policy`:	Private structures
	`System, sanitize-html`:	The sanitize-html system

The sanitize-html Reference Manual

Table of Contents

1 Introduction

2 Systems

2.1 sanitize-html

3 Files

3.1 Lisp

3.1.1 sanitize-html/sanitize-html.asd

3.1.2 sanitize-html/src/package.lisp

3.1.3 sanitize-html/src/policies.lisp

3.1.4 sanitize-html/src/sanitizer.lisp

4 Packages

4.1 sanitize-html

5 Definitions

5.1 Public Interface

5.1.1 Special variables

5.1.2 Ordinary functions

5.2 Internals

5.2.1 Ordinary functions

5.2.2 Generic functions

5.2.3 Structures

Appendix A Indexes

A.1 Concepts

A.2 Functions

A.3 Variables

A.4 Data types

2.1 `sanitize-html`

3.1.1 `sanitize-html/sanitize-html.asd`

3.1.2 `sanitize-html/src/package.lisp`

3.1.3 `sanitize-html/src/policies.lisp`

3.1.4 `sanitize-html/src/sanitizer.lisp`

4.1 `sanitize-html`