
why jsoup remove inlined stylesheet?


I use jsoup to protect my app from XSS attacks. I get all input parameters and do Jsoup.clean on them. But I have a problem with that.

It removes all inline stylesheets! Why? I have a part in my app where a user can write a text and publish it as an announcement. He/she writes his/her text via TinyMCE, and it adds some HTML and stylesheet to the user's text. In the following you can see an example text created by TinyMCE:

User input: Center Aligned Text
TinyMCE result : <p style="text-align: center;">Center Aligned Text</p>
Jsoup.clean(text, Whitelist.relaxed()) output : <p>Center Aligned Text</p>

As you can see, Jsoup removes the style of the <p> tag. How can I tell it not to remove simple CSS?
Thanks.


Solution

  • By default the Whitelist class removes style, but you can easily modify this behaviour and add support for style with addAttributes("p", "style").

    Whitelist.relaxed().addAttributes("p", "style");
    

    Explanation

    This marks the style attribute on the p element as allowed during cleaning. Only style on p will not be removed!


    Verification code

    Simply copy paste this code and invoke from main.

    import org.jsoup.Jsoup;
    import org.jsoup.safety.Whitelist;

    public class StyleCleanDemo {
        public static void main(String[] args) {
            String text = "<p style=\"text-align: center;\">Center Aligned Text</p>";
            // relaxed() alone strips style; addAttributes keeps it on <p> only
            String clean = Jsoup.clean(text, Whitelist.relaxed()
                    .addAttributes("p", "style"));
            System.out.println(clean);
        }
    }
    

    Result

    <p style="text-align: center;">Center Aligned Text</p>
    

    Dependency

    org.jsoup:jsoup:1.7.3
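A caveat a practitioner will want before shipping the accepted answer: addAttributes("p", "style") tells jsoup to keep the attribute, but jsoup does not inspect the CSS inside it, so whatever declarations a user types pass through unchanged. The added example below (my code, not from the question, the answer or the jsoup project) keeps the answer's Whitelist call and then re-parses the cleaned fragment to drop any style value outside a small, explicitly allowed subset (here only text-align, which is what TinyMCE emits for the centered paragraph in the question). The SAFE_STYLE pattern and the StyleSanitizer class are assumptions for this example; the second input string is constructed for the demonstration. It targets the Whitelist API used on this page; in newer jsoup releases the class is called Safelist, with the same methods.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Whitelist;

import java.util.regex.Pattern;

public class StyleSanitizer {

    // Assumption for this example: the only CSS we ever want from the editor is
    // a text-align declaration. Anything else is dropped, not "fixed".
    private static final Pattern SAFE_STYLE = Pattern.compile(
            "^\\s*text-align\\s*:\\s*(left|right|center|justify)\\s*;?\\s*$",
            Pattern.CASE_INSENSITIVE);

    public static String clean(String html) {
        // Step 1: structural clean, exactly as in the answer. This keeps the
        // style attribute on <p> but does not look at its value.
        Whitelist whitelist = Whitelist.relaxed().addAttributes("p", "style");
        String cleaned = Jsoup.clean(html, whitelist);

        // Step 2: re-parse the cleaned fragment and enforce the CSS subset,
        // since jsoup's whitelist only decides which attributes survive.
        Document doc = Jsoup.parseBodyFragment(cleaned);
        for (Element p : doc.select("p[style]")) {
            if (!SAFE_STYLE.matcher(p.attr("style")).matches()) {
                p.removeAttr("style");
            }
        }
        return doc.body().html();
    }

    public static void main(String[] args) {
        // The TinyMCE output from the question: survives with its style intact.
        String centered = "<p style=\"text-align: center;\">Center Aligned Text</p>";

        // Constructed input: a declaration outside the allowed subset. The
        // answer's whitelist alone would pass this through untouched; the
        // value check strips it.
        String unexpected = "<p style=\"width: expression(alert(1))\">x</p>";

        System.out.println(clean(centered));
        System.out.println(clean(unexpected));
    }
}
```

Running main prints the centered paragraph with its style attribute kept, and the second paragraph as a bare <p>x</p>. Widen SAFE_STYLE only with declarations you have actually seen TinyMCE produce, rather than allowing style generically.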