Any site that accepts user-supplied content, short of blocking or disabling all rich content, must rely on black-lists and/or white-lists. The problem with a black-list is that it only defends against “known bad”: security driven by a black-list is costly to write and maintain because it must be updated for every new attack. Conversely, a white-list approach assumes everything is bad except what is “known good”. For sites that support user-generated content, a pure white-list approach is very restrictive, as it can limit the flexibility and depth of the user experience. The most flexible approach is therefore usually a combination of both.
To support strong security without necessarily compromising the user experience, this tool has been designed to be extensible by end users (developers). Out of the box, it supports common HTML tags and attributes. The white-list approach is enforced with strict conformance requirements, which ensure that only data meeting known structural requirements is re-emitted by the sanitizer, while the black-list approach is achieved through an extensible and configurable design that lets users adjust the behavior as needed.
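The combined design described above, as an added illustration in Python (not this tool's own code): a white-list of known-good tags and attributes with a conformance check on URL-valued attributes, plus a configurable table of per-attribute checks that developers can extend or override. The tag set, the `safe_url` check and the sample input are constructed for the example and are not the tool's defaults.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Known-good tags and the attributes each may carry (the white-list).
DEFAULT_ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
                   "a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}  # tag and its text are both discarded
def safe_url(value):  # conformance check for URL attributes
    cleaned = re.sub(r"[\x00-\x20]", "", value)  # browsers ignore these in a scheme
    return urlparse(cleaned).scheme.lower() in ("", "http", "https")
DEFAULT_CHECKS = {("a", "href"): safe_url, ("img", "src"): safe_url}  # extensible part

class Sanitizer(HTMLParser):
    def __init__(self, allowed, checks):
        super().__init__(convert_charrefs=True)
        self.allowed, self.checks, self.out, self.stack, self.skip = allowed, checks, [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in self.allowed and not self.skip:  # unknown tag: dropped, text kept
            kept = ""
            for name, value in ((n, v or "") for n, v in attrs):
                check = self.checks.get((tag, name), lambda _: True)
                if name in self.allowed[tag] and check(value):
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag not in VOID_TAGS:
                self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.stack:  # also close anything left open inside it
            while (t := self.stack.pop()) != tag:
                self.out.append(f"</{t}>")
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html, allowed=DEFAULT_ALLOWED, checks=DEFAULT_CHECKS):
    s = Sanitizer(allowed, checks)
    s.feed(html); s.close()
    s.out.extend(f"</{t}>" for t in reversed(s.stack))  # close tags left open
    return "".join(s.out)

# Constructed sample: event handler, script block, javascript: URL, entity text.
SAMPLE = ('<p onclick="x()">Hi <script>alert(1)</script><a href="javascript:alert(1)">l</a>'
          '<a href="https://example.com">ok</a><img src="x.png" onerror="e()">&lt;b&gt;</p>')
```

Passing a different `allowed` table or `checks` mapping to `sanitize` is the extension point: adding a tag widens the white-list, while adding or replacing a check tightens or relaxes what an attribute value must conform to.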