Warning! This documentation is a work in progress. Expect things to be out of date and not actually work according to instructions.

Sanitizing HTML

There is a simple helper class that wraps the OWASP Java HTML Sanitizer Project

import io.stallion.utils.Sanitize; // Sanitize for publicly submitted comments in a comments thread String html = Sanitize.commentSanitize(raw); // Strips all dangerous tags, and most advanced tags like tables, leaves basic tags like divs, links and formatting tags String html = Sanitize.basicSanitize(raw); // Like basic sanitize, but allow images String html = Sanitize.basicSanitizeWithImages(raw); // This serializes an object to JSON and escapes it to be included in the <script> section of an HTML page. String jsonForHtml = Sanitize.htmlSafeJson(myObject); You can use this in a template: var authorInformation = ; // Strip all tags String text = Sanitize.stripAll(html);

You of course can use the OWASP library directly to build your own sanitization policies.

© 2024 Stallion Software LLC