Closed sgsvnk closed 3 years ago
Sorry for the delayed reply. It sounds like you are looking more for something like an HTML sanitizer like DOM Purify - https://github.com/cure53/DOMPurify
I wanted to do something on the server side, which is Java in my case. I was exploring DOMPurify, but I will either have to do it on an intermediate NodeJS server or on the front-end, and I can do neither in my case.
Alternately instead of DOMPurify, you could also use either OWASP HTML Sanitizer https://github.com/OWASP/java-html-sanitizer or OWASP AntiSamy https://github.com/nahsra/antisamy, both of which will work with pure Java and don't require NodeJS.
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall NSA: All your crypto bit are belong to us.
DOMPurify is client-side, primarily.
-- Jim Manico @Manicode
Thanks for your support. I needed to do this server side, so I ended up using owasp-html-sanitizer as suggested.
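The split the thread arrives at, as an added example that is not code from the issue or from either OWASP project: `Encode.forHtml()` encodes every tag, while an OWASP Java HTML Sanitizer policy lets an allowlist of tags through and strips the rest. The class name, the allowlist and the sample input are assumptions made for illustration; both libraries must be on the classpath.

```java
import org.owasp.encoder.Encode;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class AllowlistDemo {

    // Assumed allowlist for illustration: basic formatting plus https links.
    // Elements, attributes and URL schemes not listed here are stripped.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("b", "i", "em", "strong", "p", "br", "a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("https")
            .requireRelNofollowOnLinks()
            .toFactory();

    // Untrusted rich text that must keep a few tags: sanitize against the allowlist.
    static String renderRichText(String untrusted) {
        return POLICY.sanitize(untrusted);
    }

    // Untrusted text that must never be treated as markup: encode all of it.
    static String renderPlainText(String untrusted) {
        return Encode.forHtml(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input mixing allowed tags with markup the policy rejects.
        String input = "<p>Hi <b>there</b> <script>alert(1)</script>"
                + "<a href=\"https://example.com/\" onclick=\"go()\">docs</a>"
                + "<a href=\"javascript:void(0)\">bad</a></p>";

        System.out.println("encoded:   " + renderPlainText(input));
        System.out.println("sanitized: " + renderRichText(input));
    }
}
```

The sanitizer's output is already safe to place in an HTML body context, so it should not be passed through `Encode.forHtml()` afterwards; doing so would re-encode the tags the policy deliberately kept.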
Hi

I'm trying to exclude a few HTML tags from getting encoded through Encode.forHtml(). If I understand correctly, the encoder encodes all HTML tags within HTML contexts. Can you please help me understand if I can configure the encoder to exclude a list of HTML tags?