How to implement a possibility for user to post some html-formatted data in a safe way?

by

Use a HTML parser which supports HTML filtering against a whitelist like Jsoup. Here’s an extract of relevance from its site.

Sanitize untrusted HTML

Problem

You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

Solution

Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

String unsafe = 
      "<p><a href="http://example.com/" onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

And then to display it with whitespace preserved, apply CSS white-space: pre-wrap; on the HTML element where you’re displaying it.

No all-in-one JSF component comes to mind.

More Related Contents:

  1. When to move from Container managed security to alternatives like Apache Shiro, Spring Security?
  2. Why is char[] preferred over String for passwords?
  3. What components are MVC in JSF MVC framework?
  4. How to retrieve a file from a server via SFTP?
  5. Encrypt Password in Configuration Files? [closed]
  6. How to deal with a slow SecureRandom generator?
  7. Allowing Java to use an untrusted certificate for SSL/HTTPS connection
  8. Difference between java.util.Random and java.security.SecureRandom
  9. Execute managebean method from javascript onload event
  10. How do I create a Java sandbox?
  11. What is the security risk of object reflection?
  12. Difference between returning null and “” from a JSF action
  13. JSF 2: How show different ajax status in same input?
  14. How can I show/hide component with JSF?
  15. what is none scope bean and when to use it?
  16. Unit testing with Spring Security
  17. How to properly logout of a Java EE 6 Web Application after logging in
  18. Java and SSL – java.security.NoSuchAlgorithmException
  19. Disable Java reflection for the current thread
  20. Where is Visual Web Editor for JavaServer Faces on Netbeans
  21. How do you configure HttpOnly cookies in tomcat / java webapps?
  22. How to apply Spring Security filter only on secured endpoints?
  23. Prevent XXE Attack with JAXB
  24. Application vulnerability due to Non Random Hash Functions
  25. Simplest way to encrypt a text file in java
  26. How to make a redirection on page load in JSF 1.x
  27. AccessController.doPrivileged
  28. how to share a jsf error page between multiple wars
  29. javax.persistence.TransactionRequiredException in small facelet application
  30. Single role multiple IP addresses in Spring Security configuration

Leave a Comment