Home/ Questions/Q 8166973
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T20:03:47+00:00

in my application i have some tinymce editors and the userinput is shown with

  • 0

in my application i have some tinymce editors and the userinput is shown with

<h:outputText escape="false"/>

but how can i prevent malicious input, like javascript or iframes? Is there any lib which can filter the input strings?

UPDATE:
i found “htmlpurifier” but it is for php, is there anyting like this for java?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You’d need to use a HTML parser which supports cleaning/whitelisting tags/attributes. Among them there’s Jsoup, it has a clean() method for exactly this purpose. Here’s an extract of relevance from its site.

    Sanitize untrusted HTML

    Problem

    You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

    Solution

    Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

    String unsafe = 
      "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>
    • 0