/**
 * Test helper: runs {@code html} through a fixed, fairly permissive policy and
 * returns the rendered result. Any error reported by the renderer fails the
 * current test via {@code fail(...)} instead of being swallowed.
 *
 * <p>The policy allows a handful of elements (including the raw-text elements
 * {@code <noscript>}, {@code <noframes>}, {@code <noembed>} and the non-standard
 * {@code <noxss>}), a fixed set of attributes on any element, and inline
 * styling. {@code id} and {@code class} tokens that begin with an ASCII letter
 * are moved into a {@code p-} namespace so sanitized markup cannot collide with
 * the host page's own IDs and classes.
 *
 * <p>NOTE(review): {@code href} and {@code target} are allowed globally but no
 * {@code allowUrlProtocols(...)} or {@code rel} requirement is configured here,
 * so whether URL-valued attributes are filtered, dropped, or passed through
 * depends on the builder's defaults — confirm before reusing this policy outside
 * tests. Tokens that do not start with an ASCII letter (e.g. {@code -foo} or
 * {@code 1x}) are left unprefixed by the namespace rewrite.
 *
 * @param html the markup to sanitize; {@code null} is passed straight to the
 *     sanitizer, which is expected to handle it.
 * @return the sanitized markup.
 */
private static String sanitize(@Nullable String html) {
  StringBuilder out = new StringBuilder();

  // Any renderer-level problem is a test failure, not something to ignore.
  Handler<String> failOnError = new Handler<String>() {
    public void handle(String errorMessage) {
      fail(errorMessage);
    }
  };
  HtmlStreamRenderer sink = HtmlStreamRenderer.create(out, failOnError);

  // Prefix each whitespace-separated token that begins with an ASCII letter
  // with "p-", then collapse whitespace and trim.
  AttributePolicy namespaceIdsAndClasses = new AttributePolicy() {
    public String apply(String elementName, String attributeName, String value) {
      String prefixed = value.replaceAll("(?:^|\\s)([a-zA-Z])", " p-$1");
      return prefixed.replaceAll("\\s+", " ").trim();
    }
  };

  HtmlPolicyBuilder builder = new HtmlPolicyBuilder();
  // Elements permitted by this policy.
  builder = builder.allowElements(
      "a", "b", "br", "div", "i", "iframe", "img", "input", "li", "ol", "p",
      "span", "ul", "noscript", "noframes", "noembed", "noxss");
  // Attributes permitted on any of those elements.
  builder = builder
      .allowAttributes("dir", "checked", "class", "href", "id", "target", "title", "type")
      .globally();
  // Second rule for id/class layers the namespace rewrite on top of the plain allow.
  builder = builder
      .allowAttributes("id", "class")
      .matching(namespaceIdsAndClasses)
      .globally();
  builder = builder.allowStyling();
  // Keep attribute-less <img>/<input> so debugging output is not misleading.
  builder = builder.allowWithoutAttributes("img", "input");

  HtmlSanitizer.Policy policy = builder.build(sink);
  HtmlSanitizer.sanitize(html, policy);
  return out.toString();
}
/**
 * Sanitizes {@code html} under this factory's policy and reports the names of
 * rejected elements and attributes to {@code listener}.
 *
 * <p>The renderer is created with {@link Handler#DO_NOTHING}, so any error the
 * renderer itself reports is discarded; only policy rejections reach the
 * listener. NOTE(review): if renderer errors should be auditable, confirm that
 * dropping them here is intended.
 *
 * @param html the string of HTML to sanitize; {@code null} yields {@code ""}.
 * @param listener if non-null, receives notifications of tags and attributes
 *     that were rejected by the policy. This may tie into intrusion detection
 *     systems.
 * @param context if {@code (listener != null)} then the context value passed
 *     with notifications. This can be used to let the listener know from which
 *     connection or request the questionable HTML was received.
 * @return a string of HTML that complies with this factory's policy.
 */
public <CTX> String sanitize(
    @Nullable String html,
    @Nullable HtmlChangeListener<CTX> listener,
    @Nullable CTX context) {
  if (html == null) {
    return "";
  }
  // Capacity hint only: the input length is a reasonable first guess for the output.
  StringBuilder buf = new StringBuilder(html.length());
  HtmlStreamRenderer renderer = HtmlStreamRenderer.create(buf, Handler.DO_NOTHING);
  HtmlSanitizer.sanitize(html, apply(renderer, listener, context));
  return buf.toString();
}