I have a textarea and I want to support some simple formatting for posted data (at least whitespace and line breaks).

How can I achieve this? If I don't escape the response and keep some HTML tags, it'll be a big security hole. But I don't see any other solution which will allow text formatting in the browser.

So I probably should filter the user's input. But how can I do this? Are there any ready-to-use solutions? I'm using JSF, so is there a smart component which filters everything except HTML tags?

+1  A: 

Is there some reason why you need to accept HTML instead of some other markup language, such as markdown (which is what StackOverflow uses)?

http://daringfireball.net/projects/markdown/

Not sure what kind of tags you'd want to accept that wouldn't be covered by md or a similar formatting language...

djacobson
Two reasons spring to mind: Markdown actually allows arbitrary HTML, so you still need to scrub it server-side. And allowing server-side cleaned HTML means you can use a rich text editor, rather than expecting users to learn a markup language.
Jonathan Hedley
+1 Both good points: one of which I didn't know, the other didn't occur to me.
djacobson
More authoritative you can't get ;) (Jonathan is the creator of Jsoup).
BalusC
+4  A: 

Use an HTML parser which supports HTML filtering against a whitelist, like Jsoup. Here's an extract of relevance from its site.

Sanitize untrusted HTML

Problem

You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

Solution

Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
// onclick is not in the whitelist, so the cleaner drops it; basic() enforces rel="nofollow" on links.
String unsafe =
      "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

And then to display it with whitespace preserved, apply CSS white-space: pre; on the HTML element where you're displaying it.

No all-in-one JSF component comes to mind.

BalusC
Thanks, I'll try it.
Roman
You're welcome.
BalusC
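As an added example (not from the answer above or from the jsoup project itself), the following class runs the jsoup cleaner over several constructed XSS payloads and builds a tighter whitelist than Whitelist.basic() for a comment box that only needs paragraphs, line breaks, bold/italic and plain http(s) links. The class name, the COMMENT_WHITELIST name and the sample strings are my own; the jsoup calls (Jsoup.clean, Jsoup.isValid, Whitelist.none/basic, addTags, addAttributes, addProtocols, addEnforcedAttribute) are the library's public API.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

// Added example: exercises jsoup's whitelist cleaner on hostile input and
// shows a deliberately small whitelist for a textarea-driven comment form.
public class JsoupCleanDemo {

    // Constructed hostile inputs, each exercising a different XSS vector:
    // an inline event handler, a javascript: URL, an <img onerror>, a
    // <script> block, a style attribute, and one harmless formatted line.
    static final String[] SAMPLES = {
        "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>",
        "<a href='javascript:alert(1)'>click</a>",
        "<img src='x' onerror='alert(1)'>",
        "<script>alert(document.cookie)</script><b>bold</b>",
        "<p style='background:url(javascript:alert(1))'>styled</p>",
        "line one<br>line two"
    };

    // Start from none() and list only what a simple comment needs. Any tag or
    // attribute not named here is dropped (the tag's text content survives,
    // the tag does not). Restricting href to http/https means javascript:
    // and data: URLs are removed rather than rendered.
    static final Whitelist COMMENT_WHITELIST = Whitelist.none()
        .addTags("p", "br", "b", "i", "em", "strong", "pre", "a")
        .addAttributes("a", "href")
        .addProtocols("a", "href", "http", "https")
        .addEnforcedAttribute("a", "rel", "nofollow");

    // Sanitise untrusted markup down to the comment whitelist. The result is
    // a body fragment, so it is only safe to emit unescaped inside an HTML
    // body context (not inside an attribute, script or URL).
    public static String cleanForComment(String untrusted) {
        return Jsoup.clean(untrusted, COMMENT_WHITELIST);
    }

    // Reject rather than repair: lets you tell the user their post contained
    // disallowed markup instead of silently stripping it on output.
    public static boolean isAcceptable(String untrusted) {
        return Jsoup.isValid(untrusted, COMMENT_WHITELIST);
    }

    public static void main(String[] args) {
        for (String unsafe : SAMPLES) {
            System.out.println("unsafe : " + unsafe);
            System.out.println("basic  : " + Jsoup.clean(unsafe, Whitelist.basic()));
            System.out.println("comment: " + cleanForComment(unsafe));
            System.out.println("valid? : " + isAcceptable(unsafe));
            System.out.println();
        }
    }
}
```

Compile with jsoup on the classpath (Maven coordinates org.jsoup:jsoup). In jsoup 1.14.1 and later the Whitelist class is deprecated in favour of Safelist, which has the same static factories and builder methods, so the code above only needs the import and type name changed. Two practitioner points the answer implies but does not spell out: run the cleaner on the server at output (or storage) time, never trust the browser to have done it, and only then render the cleaned string with escaping turned off in the view (in JSF, for example, an outputText with escape="false"); everything else the page displays should stay escaped as usual.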