For the history, here is the library: https://github.com/owasp/java-html-sanitizer
Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Thu, Feb 9, 2017 at 11:28 PM, daniel simko <[email protected]> wrote:

> Thank you Martin! This is exactly what I was looking for.
>
> 2017-02-09 13:03 GMT+01:00 Martin Grigorov <[email protected]>:
>
> > Hi,
> >
> > Check https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
> >
> > Martin Grigorov
> > Wicket Training and Consulting
> > https://twitter.com/mtgrigorov
> >
> > On Thu, Feb 9, 2017 at 12:50 PM, daniel simko <[email protected]> wrote:
> >
> > > Hello,
> > >
> > > I would like to ask you whether there is some safe way to display html
> > > output from some rich editor (e.g. TinyMCE)? In order to display html it is
> > > necessary to switch off model escaping [1], which is opening a door for XSS.
> > > I was thinking about some converter [2] which would escape only JS related
> > > stuff (e.g. <script>, onclick, ...) but I didn't find any escaping method
> > > which works this way.
> > >
> > > Thank you,
> > > Dan
> > >
> > > [1]
> > > https://github.com/wicketstuff/core/blob/master/tinymce4-parent/tinymce4-examples/src/main/java/wicket/contrib/examples/tinymce/InlineTinyMCEPage.java#L24
> > > [2] https://gist.github.com/dsimko/2cd931444ba93a1c841e2d3f4fed0db8
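The approach recommended in this thread, an allow-list sanitizer in front of an unescaped Wicket label, as an added example that is not code from the thread, from Wicket or from jsoup. It assumes jsoup 1.15 or later (where the class is called Safelist; older releases name it Whitelist, as in the cookbook link above) and Wicket 8 or later (for IModel.map). The class name EditorHtml, the nested label class and the sample editor output are constructed for the example.

```java
// Added example: sanitize rich-editor HTML with a jsoup allow-list before rendering it
// unescaped in a Wicket Label. Assumes jsoup 1.15+ (Safelist) and Wicket 8+ (IModel.map).
// Class and id names here are hypothetical.
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.IModel;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public final class EditorHtml {

    // Allow-list: start from jsoup's basicWithImages() profile (b, i, p, ul, li,
    // a[href], img[src] over http/https, ...) and add only the tags the editor
    // configuration really produces. Anything not listed, including <script>,
    // <iframe>, on* event handlers and style attributes, is dropped. a[href] is
    // limited to http/https/ftp/mailto, so a javascript: URL loses its href.
    private static final Safelist SAFELIST = Safelist.basicWithImages()
            .addTags("h1", "h2", "h3");

    /** Returns a cleaned HTML fragment; a null input yields an empty string. */
    public static String sanitize(String rawHtml) {
        if (rawHtml == null) {
            return "";
        }
        return Jsoup.clean(rawHtml, SAFELIST);
    }

    /** Label that renders the model's HTML unescaped, but only after sanitizing it. */
    public static class SanitizedHtmlLabel extends Label {
        public SanitizedHtmlLabel(String id, IModel<String> rawHtml) {
            // map() re-runs sanitize() on every getObject(), so content edited
            // later is cleaned again at render time.
            super(id, rawHtml.map(EditorHtml::sanitize));
            // Disabling escaping is only acceptable because the model above is sanitized.
            setEscapeModelStrings(false);
        }
    }

    // Constructed sample of what an editor might hand back, with hostile markup mixed in.
    public static void main(String[] args) {
        String fromEditor = "<p>Hello <b>world</b></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(2)\" onclick=\"alert(3)\">link</a>"
                + "<img src=\"https://example.com/a.png\" onerror=\"alert(4)\">";
        System.out.println(sanitize(fromEditor));
    }
}
```

Running the main method shows the paragraph, the link text and the https image surviving while the script element, both event-handler attributes and the javascript: href are removed. Cleaning at render time (as the label does) rather than only once at save time means a later change to the allow-list also applies to content already stored.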
