Configuring exclusions for `Encode.forHtml()`

Question

Configuring exclusions for `Encode.forHtml()`

sgsvnk opened this issue 4 years ago · 5 comments

Hi

I'm trying to exclude a few HTML tags from getting encoded through Encode.forHtml(). If I understand correctly, the encoder encodes all HTML tags within HTML contexts. Can you please help me understand if I can configure the encoder to exclude a list of HTML tags?

Answer 1 · 2020-11-08T19:17:30.000Z

Sorry for the delayed reply. It sounds like you are looking more for something like an HTML sanitizer like DOM Purify - https://github.com/cure53/DOMPurify

Answer 2 · 2020-11-09T18:29:53.000Z

I wanted to do something on the server side, which is Java in my case. I was exploring DOMPurify but I will either have to do on an intermediate NodeJS server or on the front-end, and I can do neither in my case.

Answer 3 · 2020-11-09T20:07:43.000Z

Alternately instead of DOMPurify, you could also use either OWASP HTML Sanitizer <https://github.com/OWASP/java-html-sanitizer> or OWASP AntiSamy <https://github.com/nahsra/antisamy>, both of which will work with pure Java and doesn't require NodeJS.

…

-kevin -- Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall NSA: All your crypto bit are belong to us.

On Mon, Nov 9, 2020, 13:30 Venky Soorisetty ***@***.***> wrote: I wanted to do something on the server side, which is Java in my case. I was exploring DOMPurify but I will either have to do on an intermediate NodeJS server or on the front-end, and I can do neither in my case. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#38 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAO6PGZM6Y7IYNVYPRZDNRTSPAYLDANCNFSM4QNOVEZA> .

Answer 4 · 2020-11-09T20:59:13.000Z

DOMPurify is client-side, primarily.

…

-- Jim Manico @manicode

On Nov 9, 2020, at 8:30 AM, Venky Soorisetty ***@***.***> wrote: I wanted to do something on the server side, which is Java in my case. I was exploring DOMPurify but I will either have to do on an intermediate NodeJS server or on the front-end, and I can do neither in my case. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

Answer 5 · 2020-11-22T21:18:58.000Z

Thanks for your support. I needed to do this server side, I ended up using owasp-html-sanitizer as suggested.