
Block Html Tag in h:inputTextarea

I need to block HTML tags of a h:inputTextarea. The content of this textarea will be shown in an outputText with escape set to false. It's set to false because I'm allowing links <a href...> to be shown.

When I click on save, it verifies the written words to check if there is a link, and if there is, we save it to the database with <a href...>.

If what I'm doing above is the wrong way to do it, let me know, but don't forget to try to help me out with blocking HTML tags. If I'm wrong about how to do it, I'll change it later, but I need to fix this like I said now :(

ty

You should use some other markup language like Markdown instead of HTML to prevent XSS. If you allow the a-Tag, a user could still write stuff like:

<a href="javascript:doSomethingEvil()">foo</a>

And if you go on and try to find and filter stuff like that too, take a look at these nice examples: http://ha.ckers.org/xss.html

EDIT: If that is really the only tag you want to allow and you just want to have clickable links, why don't you try to recognize URLs in the text instead of forcing the user to write HTML? Check out this SO question.
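The approach the answer recommends, as an added example that is not part of the original question or answer: keep the textarea content as plain text, HTML-escape all of it on output, and turn only http(s) URLs into anchors. The class name, the URL pattern and the sample input are assumptions made for this illustration; the one fixed string is the javascript: link quoted in the answer.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not code from the original post): store the user's textarea
 * content as plain text, HTML-escape it on output, and turn only http(s) URLs
 * into clickable links. Because the text is escaped first, a user-supplied
 * <a href="javascript:..."> never reaches the browser as markup.
 */
public final class SafeLinkifier {

    // Hypothetical URL pattern: the scheme is restricted to http/https, so
    // javascript:, data: and vbscript: URLs are never turned into links.
    private static final Pattern URL = Pattern.compile("https?://[^\\s<>\"']+");

    private SafeLinkifier() {}

    /** Escape the five characters that matter in HTML text and attribute contexts. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escape the whole text, then wrap each http(s) URL in an anchor. The URL
     * is escaped as well, so it is safe both inside the href attribute and as
     * the link body.
     */
    public static String linkify(String plainText) {
        StringBuilder out = new StringBuilder();
        Matcher m = URL.matcher(plainText);
        int last = 0;
        while (m.find()) {
            out.append(escapeHtml(plainText.substring(last, m.start())));
            String url = escapeHtml(m.group());
            out.append("<a href=\"").append(url)
               .append("\" rel=\"nofollow noopener\">").append(url).append("</a>");
            last = m.end();
        }
        out.append(escapeHtml(plainText.substring(last)));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a plain URL plus the attack string quoted in the answer.
        String input = "see https://example.com/page?a=1&b=2 and "
                     + "<a href=\"javascript:doSomethingEvil()\">foo</a>";
        System.out.println(linkify(input));
        // The javascript: anchor comes out as harmless escaped text (&lt;a href=...&gt;);
        // only the https URL becomes a real <a> element.
    }
}
```

With this in place, the value stored from the textarea stays plain text, and the outputText with escape="false" only ever receives the string produced by linkify, so the escaping happens once, in one known place, rather than by trying to recognize and strip every dangerous tag.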
