
I am working on a feature where users can enter valid HTML markup and CSS and I render the user's web page. The problem is I am using the OWASP AntiSamy Java libraries and it's stripping out most of the modern HTML5 tags and CSS3 attributes. I looked at the policy file and it was quite outdated. I have been looking at other sanitization libraries like HTML Sanitizer and Google Caja, but I don't feel they are doing anything extra. You still have to update your policy files as you find issues with stripping of valid tags and styles.

I have been searching for a proper solution. Any recommendations on which library to use? Is there any advantage to switching to HTML Sanitizer or Google Caja? Not sure if anyone has updated the AntiSamy policy files and open-sourced them so that they support new tags and style attributes.

Varun


1 Answer

I've had good experience with jsoup.

All you need is a short snippet of code:

String safe = Jsoup.clean(unsafe, Whitelist.basic());

You can add tags and attributes to the Whitelist object fairly easily, though I found it doesn't support namespaced tags.

The jsoup jar itself is small (200+ KB) and, unlike the OWASP Java HTML Sanitizer, it doesn't depend on the Guava library, which is 1.6 MB.

superkelvint