SimpleHtmlSanitizer is too simple; where can I find a complete one?


gong min

Sep 18, 2012, 2:00:12 PM
to google-web-toolkit
Dear all

I want to save RichTextArea content into a database, and it will be shown in HTML widgets later. Before saving, RichTextArea.getHtml() returns an HTML string, and I have to sanitize this string with SimpleHtmlSanitizer. But it is too simple; even <u> and <br> are not supported. Where can I find a complete one?

By the way, is there any best practice for RichTextArea? There is no standard toolbar and no dev guide for RichTextArea. What is the target behavior when you paste something from MS Word, OpenOffice or another HTML page? It seems HTML tags and CSS are pasted, but JavaScript is not. But I don't know whether this will change in the future.
Also, why doesn't RichTextArea provide a method like getSafeHtml()?

--
Gong Min

Ed

Sep 18, 2012, 6:12:24 PM
to google-we...@googlegroups.com
> supported, where can I find a complete one?
Why not make one yourself?
The one in GWT is just an example...
(I made one myself based on the GWT one).
 

On Tuesday, September 18, 2012 16:01:45 UTC+2, 退5的工科苹岷 wrote:

Brandon Donnelson

Sep 19, 2012, 5:24:54 AM
to google-we...@googlegroups.com
I copied it and added all the tags I need. :)

gong min

Sep 20, 2012, 2:10:51 AM
to google-we...@googlegroups.com
Yes, I know I can add all the tags I need. But what about HTML tag attributes? CSS? I want to keep as much of HTML's capability as possible, but also stay far away from HTML XSS attacks. I am really a newbie, not only to the web but also to Java. I really don't know how many things should be considered.

Also, if it works with RichTextArea, it becomes more complex. You don't know RichTextArea's target behavior. Can I trust RichTextArea.getHTML()? Can I use SafeHtmlUtils.fromTrustedString(RichTextArea.getHTML()) to avoid HTML XSS attacks? RichTextArea seems to escape the content you type in, but you can copy from other HTML pages, MS Word or OpenOffice and paste it in. Is that safe against XSS attacks?
Someone also mentioned HTML optimization for pastes from Word and OpenOffice, because there are too many useless HTML tags, and it really eats database space.

This is the reason I hope there is an official sanitizer or dev guide for RichTextArea.


2012/9/19 Brandon Donnelson <branfl...@gmail.com>:
> I copied it and added all the tags I need. :)

To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/IyR9vXDFWCkJ.



--
Gong Min
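The questions in this last post (which attributes, which CSS, what about pasted content) are exactly the decisions a sanitizer policy has to make, and none of them can be left to the browser side: RichTextArea.getHTML() is simply whatever the DOM contains, so the allow-list has to be applied on the server before the string is stored. What follows is an added example of such an allow-list sanitizer, not GWT code and not from anyone in the thread; it is written in Python on top of the standard library's html.parser rather than in GWT's Java, and the tag, attribute, URL-scheme and CSS-property lists are an assumed policy. For production use a maintained library such as the OWASP Java HTML Sanitizer is the better choice; the example is there to show which decisions are involved and how each one is enforced.

```python
"""Allow-list HTML sanitizer: an added example, not GWT code.

It answers the questions from the thread in code: which tags survive, which
attributes each tag may carry, which URL schemes are acceptable, and which
inline CSS properties are kept. Everything not explicitly allowed is dropped
or escaped. The lists below are an assumed policy, not something from GWT.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes permitted on it (assumed policy; extend as needed).
ALLOWED = {
    "b": set(), "i": set(), "u": set(), "em": set(), "strong": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(),
    "p": {"style"}, "span": {"style"},
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}                     # never pushed on the open-tag stack
DROP_WITH_CONTENT = {"script", "style"}  # removed together with their text
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
ALLOWED_CSS = {"color", "font-weight", "font-style", "text-align", "text-decoration"}
CSS_VALUE = re.compile(r"^[a-zA-Z0-9#%. -]+$")  # no quotes, parens, url(), expression()


def safe_url(value):
    """Allow relative URLs and a few schemes; reject javascript:, data:, vbscript:, ..."""
    # Browsers ignore tab/CR/LF and other control characters inside a URL, so
    # strip them before looking at the scheme; otherwise "java\nscript:" would
    # pass as a scheme-less relative URL and still execute in the browser.
    cleaned = re.sub(r"[\x00-\x20]+", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def clean_style(value):
    """Keep only allow-listed CSS properties whose values are plain tokens."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = (part.strip() for part in decl.split(":", 1))
        if prop.lower() in ALLOWED_CSS and CSS_VALUE.match(val):
            kept.append(f"{prop.lower()}: {val}")
    return "; ".join(kept)


class AllowListSanitizer(HTMLParser):
    """Rebuilds the fragment from the allow-list. Comments, doctypes and
    processing instructions vanish because the base class ignores them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # stack, so unbalanced input is closed properly
        self.skipping = None   # set while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if self.skipping or tag not in ALLOWED:
            return             # unknown tag removed, its text content is kept
        parts = [tag]
        for name, value in attrs:
            if value is None or name not in ALLOWED[tag]:
                continue       # drops onclick=, onerror=, class=, id=, ...
            if name in URL_ATTRS and not safe_url(value):
                continue
            if name == "style":
                value = clean_style(value)
                if not value:
                    continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.open_tags:
            # Close everything down to the matching tag so nesting stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:                   # close what the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return a sanitized copy of an untrusted HTML fragment (e.g. RichTextArea.getHTML())."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of what a paste or a hostile user might submit.
    pasted = ('<p style="color: red; background: url(x)">Hi <b>there</b></p>'
              '<a href="javascript:alert(1)" onclick="steal()">click</a><script>evil()</script>')
    print(sanitize(pasted))
```

Everything the policy does not name is removed: unknown tags disappear while their text is kept, <script> and <style> go together with their content, event-handler attributes and javascript:/data: URLs are dropped, and inline style is reduced to a handful of properties with plain-token values. Because the parser re-serializes the fragment, the output is also well-formed even when the input left tags unclosed, which doubles as the clean-up for bloated Word pastes. Note also that SafeHtmlUtils.fromTrustedString performs no checking at all; it only records the caller's claim that the string is already safe, so it belongs after a step like this one, never instead of it.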