We are adding Rich Text Editing to our site, including ability to add youtube videos. But from the other hand we want to be still secure and prevent XSS/HTML injections. Previously we have used following code for escaping the data:
ESAPI.encoder().encodeForHTML
ESAPI.encoder().encodeForJavaScript
And now we have to add some kind of whitelist of allowed tags. Is there is way to implement this feature?
We have decided to use Jsoup instead on ESAPI. Now code looks like that:
protected String encodeHtml(String html) {
return Jsoup.clean(html, getWhitelist());
}
private Whitelist getWhitelist() {
return new Whitelist()
.addTags("a", "b", "blockquote", "br", "caption", "cite", "code", "col", "colgroup", "dd", "div", "dl",
"dt", "em", "h1", "h2", "h3", "h4", "h5", "h6", "i", "img", "li", "ol", "p", "pre", "q",
"small", "strike", "strong", "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead",
"tr", "u", "ul", "iframe")
.addAttributes("a", "href", "title").addAttributes("blockquote", "cite")
.addAttributes("col", "span", "width").addAttributes("colgroup", "span", "width")
.addAttributes("img", "align", "alt", "height", "src", "title", "width")
.addAttributes("ol", "start", "type").addAttributes("q", "cite")
.addAttributes("table", "summary", "width")
.addAttributes("td", "abbr", "axis", "colspan", "rowspan", "width")
.addAttributes("th", "abbr", "axis", "colspan", "rowspan", "scope", "width")
.addAttributes("ul", "type")
.addProtocols("a", "href", "ftp", "http", "https", "mailto")
.addProtocols("blockquote", "cite", "http", "https").addProtocols("img", "src", "http", "https")
.addProtocols("q", "cite", "http", "https");
}