Warning! This documentation is a work in progress. Expect things to be out of date and not actually work according to instructions.
There is a simple helper class that wraps the OWASP Java HTML Sanitizer Project
import io.stallion.utils.Sanitize; // Sanitize for publicly submitted comments in a comments thread String html = Sanitize.commentSanitize(raw); // Strips all dangerous tags, and most advanced tags like tables, leaves basic tags like divs, links and formatting tags String html = Sanitize.basicSanitize(raw); // Like basic sanitize, but allow images String html = Sanitize.basicSanitizeWithImages(raw); // This serializes an object to JSON and escapes it to be included in the <script> section of an HTML page. String jsonForHtml = Sanitize.htmlSafeJson(myObject); You can use this in a template: var authorInformation = ; // Strip all tags String text = Sanitize.stripAll(html);
You of course can use the OWASP library directly to build your own sanitization policies.