Server side HTML sanitizer/cleanup for JSF

Question

Is there any HTML sanitizer or cleanup methods available in any JSF utilities kit or libraries like PrimeFaces/OmniFaces?

I need to sanitize HTML input by user via p

Answer 1

In order to achieve that, you basically need a standalone HTML parser. HTML parsing is rather complex and the task and responsibility of that is beyond the scope of JSF, PrimeFaces and OmniFaces. You're supposed to just grab one of the many existing HTML parsing libraries.

An example is Jsoup, it has even a separate method for the particular purpose of sanitizing HTML against a Whitelist: Jsoup#clean(). For example, if you want to allow some basic HTML without images, use Whitelist.basic():

String sanitizedHtml = Jsoup.clean(rawHtml, Whitelist.basic());

A completely different alternative is to use a specific text formatting syntax, such as Markdown (which is also used here). Basically all of those parsers also sanitize HTML under the covers. An example is Pegdown. Perhaps this is what you actually meant when you said "stackexchange style".

As to saving in DB, you'd better save both the raw and parsed forms in 2 separate text columns. The raw form should be redisplayed during editing. The parsed form should be updated in background when the raw form has been edited. During display, obviously only show the parsed form with escape="false".

See also:

• Markdown or HTML