Reputation: 16148
I have some input containing HTML like <br>, <b>, <i> etc. I need a way to escape only the "bad" HTML that exposes my site to XSS etc.
After hours of Googling I found the GWT which looks kinda promising.
What is the recommended way to escape bad HTML?
Edit: Let me clear things up.
I am using a JavaScript text editor which outputs HTML. Wouldn't it be much easier if I use something like BBCode?
Upvotes: 2
Views: 1493
Reputation: 4416
OWASP AntiSamy is a project for just that. If you need users to be able to submit structured text, look at markdown (imho a lot better than BBCode).
Upvotes: 2
Reputation: 545
You might want to just escape all HTML. If you want to have users be able to use basic HTML tags like <b> or <i> then you could just replace them with [b] and [i] (if your forum/whatever you're creating can use BBCode), then just replace all "<" and ">" with "&lt;" and "&gt;".
Upvotes: 1
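The escape-everything-then-re-enable approach from this answer, written up as an added JavaScript example (not the answer author's code; the function names and the private-use placeholder characters are choices made here). Only exact, attribute-free <b>, </b>, <i>, </i> and <br> survive; every other "<" and ">" is escaped, so a tag carrying an attribute such as onclick is rendered as inert text.

```javascript
// Added example: allowlist sanitizer that escapes all HTML and then restores
// a handful of harmless tags. Names and placeholder characters are assumptions.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Exact, attribute-free tags only. "<b onclick=...>" does not match and is escaped.
const ALLOWED_TAG = /<(\/?)(b|i)>|<(br)\s*\/?>/gi;

// Private-use code points stand in for "[b]"-style BBCode markers so they
// cannot collide with ordinary user text.
const PH_OPEN = '\uE000';
const PH_CLOSE = '\uE001';

function sanitize(input) {
  // 1. Drop any placeholder characters the user supplied themselves, so a
  //    forged placeholder cannot smuggle a tag past the escaping step.
  let text = input.replace(/[\uE000\uE001]/g, '');
  // 2. Swap each allowed tag for a numbered placeholder, remembering the
  //    canonical lowercase form of the tag.
  const kept = [];
  text = text.replace(ALLOWED_TAG, (match, slash, name, br) => {
    kept.push(br ? '<br>' : `<${slash}${name.toLowerCase()}>`);
    return `${PH_OPEN}${kept.length - 1}${PH_CLOSE}`;
  });
  // 3. Escape everything else: every remaining "<" becomes "&lt;".
  text = escapeHtml(text);
  // 4. Put the allowlisted tags back.
  return text.replace(/\uE000(\d+)\uE001/g, (match, idx) => kept[Number(idx)]);
}

// Constructed sample input: an allowed tag, a script tag and a tag with an attribute.
const SAMPLE = 'Hi <b>there</b><br><script>alert(1)</script><i onclick="x()">no</i>';
console.log(sanitize(SAMPLE));
```

Unbalanced allowed tags (an opening <b> with no closing tag) still pass through, exactly as they would with the BBCode approach; a full sanitizer such as AntiSamy also balances tags.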
Reputation: 16148
Play Framework 2 already offers a solution: the @Html() function filters bad HTML, which is really nice.
I really love Play 2.
Upvotes: 1
Reputation: 1783
Google Caja is a tool for making third-party HTML, CSS and JavaScript safe to embed in your website.
Upvotes: 1