RichTextArea, SafeHtml, and general rich text best practices


nogridbag

Mar 31, 2011, 1:36:38 PM
to Google Web Toolkit
I just converted one of our simple TextArea's into a RichTextArea
(using the RichTextToolbar from the Showcase). I'm not quite sure I
understand the best practices for using RichTextArea with SafeHtml.

GWT's RichTextArea.java has the methods:

void setHTML(SafeHtml)
String getHTML()

Let's say I'm writing an app which lets the user:

1) Create new posts
2) Edit posts
3) Display posts
-----

1) Create new posts

a) First, they create a post by typing in the RichTextArea using the
various formatting buttons available in the toolbar.

b) This post needs to be persisted somewhere (a database or
whatever). Is it necessary to "sanitize" the user input at this
point? I assume it's not necessary. So we simply call
RichTextArea.getHTML() and persist this raw string containing
<span>'s, <b>'s etc.

2) Edit posts
To edit the posts, we take the raw HTML the user previously entered
that was persisted somewhere, and call
RichTextArea.setHTML(SafeHtml). Right? The problem is we cannot
generate SafeHtml that does not escape even the basic HTML outputted
previously from the RichTextArea. For instance, RichTextArea
generates <span>'s for most of the content. SafeHtmlUtils and
SimpleHtmlSanitizer will escape this tag. I'm assuming using
RichTextArea.setHTML(String) is a bad practice, so I'm looking for the
proper way to do this.

3) Display posts
Displaying posts is similar to editing them, but with the added
problem that unless they're displayed in an iframe (or another
RichTextArea), the post will look different than what the user
inputted (since it inherits styles from the rest of the page).

Can someone explain the best practices for using RichTextArea? I'm
not really knowledgeable in this area. I'm starting to think that web
applications actually do not store HTML at all for posts/discussions.
They'll use some other markup like bbcode, markdown, wikipedia style,
etc. If that's the case, why do all the rich text widgets (CKEditor,
tinymce, GXT RTE, GWT RichTextArea) output HTML instead of some other
"safe" format?

... like RichTextArea.setRichText(RichText text) and
RichTextArea.getRichText()...

Hopefully someone can help explain this to me.

Thanks!


nogridbag

Apr 4, 2011, 10:14:15 AM
to Google Web Toolkit
I'm really looking for a reply to this. Surely someone must be using
GWT's RichTextArea.

Patrice De Saint Steban

Apr 5, 2011, 8:58:55 AM
to google-we...@googlegroups.com
Hello,

I'm doing the same thing, and I wrote a new Sanitizer class to accept more tags and parameters.
I use this sanitizer before and after the setHtml() and getHtml() of the RichTextArea.
I've attached the file; if there are any issues, please let me know.

Patrice
ComplexeHtmlSanitizer.java
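The allowlist approach Patrice describes, and that nogridbag's question needs (keep the tags RichTextArea itself emits such as <span>, <b> and <font>, drop every other tag while keeping its text, re-escape all text, and check the scheme of an href before keeping a link), written out as an added server-side example in Python. This is not the attached ComplexeHtmlSanitizer.java and not GWT code; the tag, attribute and scheme lists and the style pattern are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Allowlist of tags and, per tag, the attributes kept; any other tag is dropped
# and only its text survives (constructed for this example, not GWT's own list).
ALLOWED = {
    "b": set(), "i": set(), "u": set(), "strike": set(), "br": set(), "p": set(),
    "ul": set(), "ol": set(), "li": set(), "div": set(),
    "span": {"style"}, "font": {"color", "face", "size"}, "a": {"href"},
}
VOID = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Only plain "prop: word word;" declarations, so url(...) and expression(...) never pass.
STYLE_RE = re.compile(r"^\s*([a-z-]+\s*:\s*[-\w#, ]+\s*;?\s*)+$")

def attr_ok(name, value):
    if name == "href":
        scheme = urlparse(value.strip()).scheme.lower()
        return scheme == "" or scheme in SAFE_SCHEMES
    if name == "style":
        return STYLE_RE.match(value) is not None
    return True

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return
        kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if n in ALLOWED[tag] and v is not None and attr_ok(n, v)]
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag  # <br/> is handled like <br>
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()  # flushes buffered text, needed with convert_charrefs=True
    return "".join(p.out)
```

Run it over the string from getHTML() before persisting and again over the stored markup before it goes back into setHTML(); only the sanitized result should be wrapped with SafeHtmlUtils.fromTrustedString, since fromString and SimpleHtmlSanitizer would escape the <span> tags.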

nogridbag

Apr 6, 2011, 9:41:30 AM
to Google Web Toolkit
Thank you Patrice!

I'll take a look at it.

On Apr 5, 8:58 am, Patrice De Saint Steban
>  ComplexeHtmlSanitizer.java

Marcus Franzen

May 9, 2011, 5:10:26 AM
to Google Web Toolkit
Hi Patrice,

Many thanks for sharing this Sanitizer. Just one question, did you use
your own URLValidator or is it the
org.apache.commons.validator.UrlValidator?
Just wondering because I didn't see any import statement for the
URLValidator.

Marcus

On 5 Apr., 14:58, Patrice De Saint Steban
>  ComplexeHtmlSanitizer.java

Marcus Franzen

May 9, 2011, 7:12:28 PM
to Google Web Toolkit
I have tried to use the attached example but I am struggling with the
usage. First of all, the class URLValidator is used without any
import statement; I guessed it could be the
org.apache.commons.validator.UrlValidator and I have imported this
one. This class can only be used on the server side, thus I can use
the sanitizer only on the server.
If I try to use it on the server I am having trouble with the
SafeHtmlBuilder; it is just throwing an exception out of the blue,
telling me that the class definition for the ParseException wasn't
found.

Any ideas?

On 5 Apr., 14:58, Patrice De Saint Steban
<patou.de.saint.ste...@gmail.com> wrote:
>  ComplexeHtmlSanitizer.java