I just converted one of our simple TextAreas into a RichTextArea (using the RichTextToolbar from the Showcase). I'm not quite sure I understand the best practices for using RichTextArea with SafeHtml.
GWT's RichTextArea.java has the methods:

  void setHTML(SafeHtml)
  String getHTML()

Let's say I'm writing an app which lets the user:

1) Create new posts
2) Edit posts
3) Display posts

-----

1) Create new posts

a) First, they create a post by typing in the RichTextArea using the various formatting buttons available in the toolbar.

b) This post needs to be persisted somewhere (a database or whatever). Is it necessary to "sanitize" the user input at this point? I assume it's not necessary. So we simply call RichTextArea.getHTML() and persist this raw string containing <span>'s, <b>'s, etc.

2) Edit posts

To edit the posts, we take the raw HTML the user previously entered that was persisted somewhere, and call RichTextArea.setHTML(SafeHtml). Right?

The problem is we cannot generate SafeHtml that does not escape even the basic HTML previously output by the RichTextArea. For instance, RichTextArea generates <span>'s for most of the content. SafeHtmlUtils and SimpleHtmlSanitizer will escape this tag. I'm assuming using RichTextArea.setHTML(String) is a bad practice, so I'm looking for the proper way to do this.

3) Display posts

Displaying posts is similar to editing them, but with the added problem that unless they're displayed in an iframe (or another RichTextArea), the post will look different than what the user inputted (since it inherits styles from the rest of the page).

Can someone explain the best practices for using RichTextArea? I'm not really knowledgeable in this area.

I'm starting to think that web applications actually do not store HTML at all for posts/discussions. They'll use some other markup like bbcode, markdown, wikipedia style, etc. If that's the case, why do all the rich text widgets (CKEditor, tinymce, GXT RTE, GWT RichTextArea) output HTML instead of some other "safe" format? ... like RichTextArea.setRichText(RichText text) and RichTextArea.getRichText()...

Hopefully someone can help explain this to me. Thanks!
-- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to google-web-toolkit@googlegroups.com. To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
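As an added example that is not part of this thread: one defensive arrangement for the flow described above is to persist exactly what getHTML() returns, run it through a server-side allowlist sanitizer before it is ever sent back to a browser, and only then wrap the result as SafeHtml for setHTML(SafeHtml), so that the <span>/<b> markup survives while script, event handlers and javascript: URLs do not. It assumes the OWASP Java HTML Sanitizer library is on the server classpath; the PostSanitizer class and its tag list are my own construction, not GWT or Showcase code.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Server-side allowlist for HTML produced by RichTextArea.getHTML().
 * Hypothetical class written for this example; it uses the OWASP Java
 * HTML Sanitizer (org.owasp.html), which is an assumed dependency.
 */
public final class PostSanitizer {

    // Constructed allowlist: the formatting elements the Showcase toolbar
    // emits. Anything not listed (script, iframe, onclick=..., etc.) is
    // dropped rather than escaped, so the stored markup still renders.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("b", "i", "u", "strike", "sub", "sup",
                       "span", "div", "p", "br", "hr",
                       "ul", "ol", "li", "blockquote",
                       "h1", "h2", "h3", "h4", "h5", "h6")
        // Browsers often express toolbar formatting as inline style on
        // <span>; allowStyling() keeps a safe subset of CSS properties.
        .allowStyling()
        .allowElements("a")
        .allowAttributes("href").onElements("a")
        .allowUrlProtocols("http", "https")
        .requireRelNofollowOnLinks()
        .toFactory();

    private PostSanitizer() {}

    /** Call once on the raw getHTML() string before storing or rendering it. */
    public static String sanitize(String rawHtmlFromRichTextArea) {
        return POLICY.sanitize(rawHtmlFromRichTextArea);
    }
}

/*
 * Client side (GWT), once the string has passed through PostSanitizer on
 * the server. fromTrustedString() is the explicit "I have already
 * sanitized this" marker, which is why it must never be applied to the
 * raw getHTML() output:
 *
 *   SafeHtml safe = SafeHtmlUtils.fromTrustedString(sanitizedHtml);
 *   richTextArea.setHTML(safe);   // editing
 *   htmlPanel.setHTML(safe);      // display
 */
```

Sanitizing on every render path (edit and display) rather than only once at save time means a policy change, or a record that was stored before the policy existed, is still covered.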