jsftaglibhtml-escape

JSF OutputText with html style


I need a output text which works like h:outputText with escape="false" attribute, but doesn't let scripts to run. After a little search I found tr:outputFormatted makes that, but in our project we doesn't use trinidad. Is there something like outputFormatted in tomahawk, or in another taglib?

for example,

<h:outputText id="id" value="<b>test text</b><script type="text/javascipt">alert('I dont want these alert to show');</script>" escape="false"/>

that shows 'test text' bold but it popups the alert dialog too, I don't want the script to run. it can write script code or delete it but shouldn't run.


Solution

  • Use a HTML parser to get rid of those malicious things.

    Among others, Jsoup is capable of this. Here's an extract of relevance from its site.

    Sanitize untrusted HTML

    Problem

    You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

    Solution

    Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

    String unsafe = 
          "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
    String safe = Jsoup.clean(unsafe, Whitelist.basic());
          // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>
    

    So, all you basically need to do is the the following during preparing the text:

    String sanitizedText = Jsoup.clean(rawText, Whitelist.basic());
    

    (you can do it before or after saving the text in DB, but keep in mind that when doing it before without saving the original text, you can't detect malicious users and do social actions anymore)

    and then display it as follows:

    <h:outputText value="#{bean.sanitizedText}" escape="false" />