The SanitizingConverter (pe:sanitizer) sanitizes any input using an OWASP Java HTML Sanitizer PolicyFactory.
Useful for cleansing input that is going to be displayed in outputText with escape="false".
Source
<!-- Renders FacesMessages for the form; re-rendered by the Submit button below. -->
<p:messages id="messages"/>
<!-- NOTE(review): the id "timePickerGroup" looks like a copy-paste leftover from another showcase
     page; nothing in this snippet references it. -->
<h:panelGroup id="timePickerGroup" layout="block">
<p>
Enter text including HTML tags to see the default policy:
<!-- No "policy" attribute: pe:sanitizer uses its built-in default policy for this field. -->
<p:inputText id="defaultSanitizer" value="#{sanitizingController.defaultSanitizer}">
<pe:sanitizer/>
</p:inputText>
</p>
<p>
<!-- NOTE(review): the literal <i> and <strong> on the next line are parsed as markup in an XHTML
     view; if they are meant to be shown as text they must be written as &lt;i&gt; / &lt;strong&gt;. -->
Custom policy allows HTML tags including <i> and <strong>:
<!-- Custom allowlist supplied by SanitizingController.getPolicyFactory(): a handful of inline
     formatting elements and no attributes. decodeHtml="true" presumably controls HTML-entity
     decoding around the sanitizing step; confirm against the pe:sanitizer documentation before
     relying on it for a field that is later rendered with escape="false". -->
<p:inputText id="customSanitizer" value="#{sanitizingController.customSanitizer}">
<pe:sanitizer decodeHtml="true" policy="#{sanitizingController.policyFactory}"/>
</p:inputText>
</p>
</h:panelGroup>
<h:panelGroup layout="block" style="margin-top: 10px;margin-bottom: 10px;">
<!-- Submits the form and re-renders the messages and both inputs with their sanitized values. -->
<p:commandButton value="Submit" update="messages defaultSanitizer customSanitizer"/>
</h:panelGroup>
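/**
 * Backing bean for the {@code pe:sanitizer} showcase: holds the two input values and exposes the
 * custom {@link PolicyFactory} used by the second input.
 */
@Named
@ViewScoped
public class SanitizingController implements Serializable {

    private static final long serialVersionUID = 1L;

    /**
     * Inline formatting elements the custom policy accepts. No {@code allowAttributes} call is made,
     * so none of these elements may carry attributes — the policy admits formatting only, not links,
     * event handlers or styles. Elements outside this allowlist are not permitted by the policy.
     */
    private static final String[] ALLOWED_ELEMENTS = {"b", "em", "i", "s", "strong", "sub", "sup", "u"};

    /**
     * Built once per class instead of on every EL evaluation of {@code policyFactory}: the allowlist
     * is constant and a {@link PolicyFactory} is immutable and thread-safe (per the OWASP sanitizer
     * documentation), so one shared instance is safe. Keeping it {@code static} also keeps the
     * factory out of the serialized state of this {@code @ViewScoped} bean.
     */
    private static final PolicyFactory CUSTOM_POLICY = new HtmlPolicyBuilder()
            .allowElements(ALLOWED_ELEMENTS)
            .allowTextIn(ALLOWED_ELEMENTS)
            .toFactory();

    /** Bound to the "defaultSanitizer" input, which is sanitized with the converter's default policy. */
    private String defaultSanitizer = "<p>Test</p>";

    /** Bound to the "customSanitizer" input, which is sanitized with {@link #getPolicyFactory()}. */
    private String customSanitizer = "<p><i>Italic</i></p>";

    /**
     * PolicyFactory to allow certain HTML elements like italic and bold tags.
     *
     * @return the shared, immutable {@code PolicyFactory}
     */
    public PolicyFactory getPolicyFactory() {
        return CUSTOM_POLICY;
    }

    /** @return the current value of the default-policy input */
    public String getDefaultSanitizer() {
        return defaultSanitizer;
    }

    /** @param defaultSanitizer the (already sanitized) value submitted for the default-policy input */
    public void setDefaultSanitizer(String defaultSanitizer) {
        this.defaultSanitizer = defaultSanitizer;
    }

    /** @return the current value of the custom-policy input */
    public String getCustomSanitizer() {
        return customSanitizer;
    }

    /** @param customSanitizer the (already sanitized) value submitted for the custom-policy input */
    public void setCustomSanitizer(String customSanitizer) {
        this.customSanitizer = customSanitizer;
    }
}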