Thread: How filter user input for bad HTML/Javascript

  1. #1
    Join Date
    Mar 2005
    Posts
    19

    How filter user input for bad HTML/Javascript

    Hey guys,

    I'm writing an app that accepts user input in the form of free-form text.

    The problem is that the Spring HTML escaping tags are WAY too harsh for me. I want to allow links, <IMG SRC...> and formatting like <br/>, etc, but not free-form Javascript, stylesheets, etc.

    With the Spring tags, I can turn the HTML and JavaScript off completely, but nothing in between.

    Do you guys have any thoughts on how to best deal with this?

    Ideally, we would pass in a list of valid tags into a parser, and then ask it to automatically parse and/or validate the user input.

    Any other good approaches, or libraries? Like a modular Java-based BBCode type implementation?

    Any thoughts would be welcome.

    Andrew
    Seattle, WA

  2. #2
    Join Date
    Aug 2004
    Location
    Melbourne, Australia
    Posts
    1,104

    but nothing in between
    Can you define exactly how this should behave?

    ask it to automatically parse and/or validate the user input
    Do you mean check for valid HTML tags?

  3. #3
    Join Date
    Mar 2005
    Posts
    19

    So rather than strip out ALL the HTML, I want to allow some in there. For example, I'd like to allow <P>, <I>, <IMG SRC ... >, <A HREF ...>, etc., but not allow tables or stylesheets or Javascript.

    My question is, are there folks using any libraries to automatically parse the user input to strip out bad tags and allow good tags?

    It seems like one of these things that everyone probably has their home-cooked set of regexes for, but it would be nice to use something more standard.

  4. #4

    I see this thread is 3 years old but I did the due diligence of searching and found this thread. Is there such an API in Spring (or elsewhere) or should I just start writing some RegEx'es?
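
Added example, not part of the original thread and not a Spring API: a sketch of the "pass a list of valid tags to a parser" approach asked for above, instead of hand-written regexes. It assumes the jsoup library (1.14.2 or later, which is not mentioned in the thread) is on the classpath; the class name, the policy contents and the sample inputs are constructed for illustration.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Safelist;

public class UserHtmlFilter {

    // Allowlist built from the tags the thread asks for: P, I, BR, A HREF, IMG SRC.
    // Anything not listed (script, style, table, on* handlers, style attributes)
    // is removed by the cleaner; text content of removed layout tags is kept.
    private static final Safelist POLICY = Safelist.none()
            .addTags("p", "i", "br", "a", "img")
            .addAttributes("a", "href")
            .addAttributes("img", "src", "alt")
            // Restrict URL schemes, so javascript: and data: URLs are dropped.
            // Relative URLs are dropped too, because no base URI is supplied.
            .addProtocols("a", "href", "http", "https", "mailto")
            .addProtocols("img", "src", "http", "https");

    // Keep the output on one line instead of re-indenting the fragment.
    private static final Document.OutputSettings OUTPUT =
            new Document.OutputSettings().prettyPrint(false);

    /** Parses the fragment and returns it with everything outside POLICY removed. */
    public static String sanitize(String untrusted) {
        return Jsoup.clean(untrusted, "", POLICY, OUTPUT);
    }

    /** True when the fragment already conforms to POLICY (useful for form validation). */
    public static boolean isAcceptable(String untrusted) {
        return Jsoup.isValid(untrusted, POLICY);
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the allowed and disallowed cases.
        String[] samples = {
            "<p>Hello <i>world</i><br/>second line</p>",
            "<a href=\"http://example.com/\" onclick=\"x()\">link</a>",
            "<img src=\"javascript:x()\" alt=\"pic\">",
            "<script>x()</script><style>p{}</style><table><tr><td>cell</td></tr></table>"
        };
        for (String s : samples) {
            System.out.println(isAcceptable(s) + " | " + sanitize(s));
        }
    }
}
```

Sanitize on every write or every render consistently, and keep the policy in one place so the allowed tag list cannot drift between code paths.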
