In order to achieve that, you basically need a standalone HTML parser. HTML parsing is rather complex and the task and responsibility of that is beyond the scope of JSF, PrimeFaces and OmniFaces. You’re supposed to just grab one of the many existing HTML parsing libraries. An example is Jsoup, it has even a separate … Read more
We’ve developed a simple HtmlSantizer and opensourced it here: https://github.com/jitbit/HtmlSanitizer Usage var result = HtmlSanitizer.SanitizeHtml(input); [Disclaimer! I’m one of the authors!]
We are using the HtmlSanitizer .Net library, which: Is open-source (MIT) – GitHub link Is fully customizable, e.g. configure which elements should be removed. see wiki Is actively maintained Doesn’t have the problems like Microsoft Anti-XSS library Is unit tested with the OWASP XSS Filter Evasion Cheat Sheet Is special built for this (in contrast … Read more
If you think URLs can’t contain code, think again! https://owasp.org/www-community/xss-filter-evasion-cheatsheet Read that, and weep. Here’s how we do it on Stack Overflow: /// <summary> /// returns “safe” URL, stripping anything outside normal charsets for URL /// </summary> public static string SanitizeUrl(string url) { return Regex.Replace(url, @”[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]”, “”); }
Update 2016: There is now a Google Closure package based on the Caja sanitizer. It has a cleaner API, was rewritten to take into account APIs available on modern browsers, and interacts better with Closure Compiler. Shameless plug: see caja/plugin/html-sanitizer.js for a client side html sanitizer that has been thoroughly reviewed. It is white-listed, not … Read more
For Angular 1.x, use ng-bind-html in the HTML: <div ng-bind-html=”thisCanBeusedInsideNgBindHtml”></div> At this point you would get a attempting to use an unsafe value in a safe context error so you need to either use ngSanitize or $sce to resolve that. $sce Use $sce.trustAsHtml() in the controller to convert the html string. $scope.thisCanBeusedInsideNgBindHtml = $sce.trustAsHtml(someHtmlVar); ngSanitize … Read more