
Selective escaping of HTML tags

 
Alex D Smith
Greenhorn
Posts: 5
Hi everyone,

I've been searching and have yet to see anything like this. Does anyone know of any APIs that will handle performing escaping of an HTML string, BUT allow specifying tags that are NOT to be escaped?

With all the blog sites, discussion forums, and other community sites that enable users to modify the content of a page, but also restricting certain abilities (like no JavaScript, or perhaps no IMG tags, etc.), I would have thought this would be common by now.

I saw a Template JSP taglib that had an escape tag, but it was only escape all or none. I think it would be a wise idea to have simple APIs, taglibs, and/or filters that could perform escaping easily but allow definable exceptions. This would keep people from having to abandon the well developed escaping methods to build their own. With all the Cross-Site Scripting vulnerabilities that seem to pop up almost daily on the web, such things really should be made available to web developers. It would be nice to extend it to include a collection of escaping methods for other things as well, like to escape strings for use in SQL.

Anyway... my primary focus is looking for something that handles selective HTML escaping. Anyone know of any such thing?

Thanks!
-Alex
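As an added example of the "escape everything except an allowlist" approach the post is asking about (this is not code from the thread, nor from the filter linked below), here is a minimal selective escaper in Java. The tag set, the per-tag attribute policy and the href scheme rule are assumptions chosen for the demonstration; the sample input in `main` is constructed.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Allowlist-based selective HTML escaper (illustrative, not a library API).
 * Everything is HTML-escaped except tags, and attributes on those tags, that
 * the policy below explicitly permits. Anything not on the list is escaped and
 * shows up as literal text rather than being silently dropped.
 */
public class SelectiveHtmlEscaper {

    // Hypothetical policy (assumption): tag name -> attributes allowed on that tag.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "b", Set.of(), "i", Set.of(), "em", Set.of(), "strong", Set.of(),
            "p", Set.of(), "br", Set.of(), "a", Set.of("href"));

    // A tag: optional '/', a name starting with a letter, then anything up to '>'.
    // A '<' not followed by a letter (e.g. "1 < 2") never matches and is escaped.
    private static final Pattern TAG = Pattern.compile("<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>");

    // One attribute: name, optionally ="..." or ='...' or =bare.
    private static final Pattern ATTR = Pattern.compile(
            "([A-Za-z][A-Za-z0-9-]*)(?:\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+)))?");

    /** Plain-text escaping; safe for element content and double-quoted attribute values. */
    public static String escapeText(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** href allowlist: http(s) or a site-relative path (not protocol-relative "//"). */
    static boolean safeUrl(String v) {
        String t = v.trim().toLowerCase(Locale.ROOT);
        return t.startsWith("http://") || t.startsWith("https://")
                || (t.startsWith("/") && !t.startsWith("//"));
    }

    /** Escapes html except for allowlisted tags, which are re-emitted in canonical form. */
    public static String filter(String html) {
        StringBuilder out = new StringBuilder(html.length() + 16);
        Matcher m = TAG.matcher(html);
        int last = 0;
        while (m.find()) {
            out.append(escapeText(html.substring(last, m.start())));
            out.append(rewriteTag(m.group(), m.group(1), m.group(2), m.group(3)));
            last = m.end();
        }
        out.append(escapeText(html.substring(last)));
        return out.toString();
    }

    private static String rewriteTag(String raw, String slash, String rawName, String attrs) {
        String name = rawName.toLowerCase(Locale.ROOT);
        Set<String> allowedAttrs = ALLOWED.get(name);
        if (allowedAttrs == null) {
            return escapeText(raw);            // not allowlisted (script, img, ...): literal text
        }
        if (!slash.isEmpty()) {
            return "</" + name + ">";           // closing tags never carry attributes
        }
        StringBuilder sb = new StringBuilder("<").append(name);
        Matcher a = ATTR.matcher(attrs);
        while (a.find()) {
            String attr = a.group(1).toLowerCase(Locale.ROOT);
            if (!allowedAttrs.contains(attr)) {
                continue;                       // onclick, style, etc. are dropped
            }
            String value = a.group(2) != null ? a.group(2)
                         : a.group(3) != null ? a.group(3) : a.group(4);
            if (value == null || (attr.equals("href") && !safeUrl(value))) {
                continue;                       // javascript:, data: and friends are dropped
            }
            // The scheme check ran on the raw value and the value is re-escaped on
            // output, so an entity-encoded scheme can neither pass nor be decoded.
            sb.append(' ').append(attr).append("=\"").append(escapeText(value)).append('"');
        }
        return sb.append('>').toString();
    }

    public static void main(String[] args) {
        // Constructed sample of untrusted user input; not taken from the thread.
        String input = "Hi <b onclick=\"steal()\">there</b> & <script>alert(1)</script> "
                + "<a href=\"javascript:alert(1)\">x</a> <a href=\"https://example.com\">ok</a> "
                + "<IMG src=x onerror=alert(1)> 1 < 2";
        System.out.println(filter(input));
    }
}
```

On the sample input, `filter` keeps `<b>` and the two `<a>` tags but strips the `onclick` handler and the `javascript:` href, while `<script>`, `<IMG ...>` and the bare `<` in `1 < 2` come out as escaped literal text. Two caveats a practitioner should keep in mind: the filter is regex-based, so it checks neither nesting nor balance (an unclosed `<b>` stays open in the surrounding page), and it assumes its output is placed in element content, not inside a script, style or attribute context. For production use a maintained, parser-backed library such as the OWASP Java HTML Sanitizer is the safer choice.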
 
Alex D Smith
Greenhorn
Posts: 5
By the way, disregard my comments about escaping strings for use in SQL. This should be necessary if using good practices in Java in the first place (parameterized queries). Just have my head caught in a mix of languages where some don't have commonly included support for parameterized queries. But you get my drift as far as something that may be useful for escaping for various uses.

-Alex
 
Alan Moore
Ranch Hand
Posts: 262
Here's one I stumbled upon a while back:

http://josephoconnell.com/java/xss-html-filter/
 
Alex D Smith
Greenhorn
Posts: 5
Alan,

Thanks a bunch. Looking at the source of that one, it looks like they've done much of what I started to do (except far more mature, considering I started on mine a couple of days ago).

I think using that one and maybe integrating it into some taglibs to allow more programmatic definitions of what tags and attributes are acceptable in a JSP would be great.

Thanks again.

-Alex
 