Vaadin framework has this useful RichTextArea component. It is however possible for users to insert harmful javascript for example into this field so the value of the field should be sanitized before saving.
What would be the Vaadin way of doing this? Book of Vaadin only mentions that the field "should be sanitized" yet doesn't give a hint of how to actually do it. Asking in the forums a week ago didn't get any replies.
I don't want to add anymore libraries to the project for this purpose. How would one go on about making his own RichTextArea sanitizer in Java with or without Vaadin?
The easiest approach is to use JSoup, which comes with Vaadin 7 (vaadin-server depends on it). E.g.:
Jsoup.clean(richTextArea.getValue(), Whitelist.simpleText())
See Jsoup.clean
public static String clean(String bodyHtml, Whitelist whitelist)Get safe HTML from untrusted input HTML, by parsing input HTML and filtering it through a white-list of permitted tags and attributes.
Parameters:
bodyHtml- input untrusted HTML (body fragment)
whitelist- white-list of permitted HTML elementsReturns:
safe HTML (body fragment)
and Whitelist
public class Whitelist extends ObjectWhitelists define what HTML (elements and attributes) to allow through the cleaner. Everything else is removed.
Start with one of the defaults:
none()simpleText()basic()basicWithImages()relaxed()