{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 乱世女痞 的问题《Safe html in java》','https://www.manongdao.com/q-1286649.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have some input containing HTML like <br> <b> <i> etc. I need a way to escape only the "bad" HTML that exposes my site to XSS etc.
After hours of Googeling I found the GWT which looks kinda promising.
What is the recommended way to escape bad HTML?
Edit:
Let me clear things up.
I am using a javascript text editor which outputs html. Wouldn't it be much easier if i use something like bbcode?
Google caja is a tool for making third party HTML, CSS and JavaScript safe to embed in your website.
OWASP AntiSamy is a project for just that. If you need users to be able to submit structured text, look at markdown (imho a lot better than BBCode).
Playframework 2 already offers a solution.
the
@Html()function filters bad html, which is really nice.I really love play2
You might want to just escape all html. If you want to have users be able to use basic html tags like
<b>or<i>then you could just replace them with [b] and [i] (if your forum/whatever you're creating can use bbcode), then just replace all"<"and">"with"<"and">".