Home/ Questions/Q 971351
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T02:57:05+00:00

I have a textarea and I want to support some simplest formatting for posted

  • 0

I have a textarea and I want to support some simplest formatting for posted data (at least, whitespaces and line breaks).

How can I achieve this? If I will not escape the response and keep some html tags then it’ll be a great security hole. But I don’t see any other solution which will allow text formatting in browser.

So, I probably should filter user’s input. But how can I do this? Are there any ready to use solutions? I’m using JSF so are there any smart component which filters everything except html tags?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Use a HTML parser which supports HTML filtering against a whitelist like Jsoup. Here’s an extract of relevance from its site.

    Sanitize untrusted HTML

    Problem

    You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

    Solution

    Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

    String unsafe = 
      "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

    And then to display it with whitespace preserved, apply CSS white-space: pre-wrap; on the HTML element where you’re displaying it.

    No all-in-one JSF component comes to mind.

    • 0