Hi,

Check https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Thu, Feb 9, 2017 at 12:50 PM, daniel simko <dan.si...@gmail.com> wrote:

> Hello,
>
> I would like to ask you whether there is some safe way to display HTML
> output from a rich editor (e.g. TinyMCE)? In order to display HTML it is
> necessary to switch off model escaping [1], which opens the door to XSS.
> I was thinking about some converter [2] which would escape only JS-related
> stuff (e.g. <script>, onclick, ...) but I didn't find any escaping method
> which works this way.
>
> Thank you,
> Dan
>
> [1] https://github.com/wicketstuff/core/blob/master/tinymce4-parent/tinymce4-examples/src/main/java/wicket/contrib/examples/tinymce/InlineTinyMCEPage.java#L24
> [2] https://gist.github.com/dsimko/2cd931444ba93a1c841e2d3f4fed0db8
>
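One way to put the suggested jsoup sanitizer in front of a Wicket Label with escaping switched off, as an added example that is not code from this thread or from wicketstuff: the model wraps the raw editor content and runs `Jsoup.clean` on every read, so the Label only ever renders the allow-listed subset. It assumes Wicket 7/8 and jsoup 1.x, where the allow-list class is `Whitelist` (renamed `Safelist` in jsoup 1.14.1+); `PreviewPage`, `SanitizedHtmlModel` and the `preview` wicket:id are names chosen for this example.

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.IModel;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/** Example page (not from the thread) that previews rich-editor output. */
public class PreviewPage extends WebPage {
    private static final long serialVersionUID = 1L;

    public PreviewPage(IModel<String> editorContent) {
        Label preview = new Label("preview", new SanitizedHtmlModel(editorContent));
        // Disabling escaping is only acceptable because the model sanitizes first.
        preview.setEscapeModelStrings(false);
        add(preview);
    }

    /**
     * Read-through model: the raw HTML is kept as entered (e.g. for re-editing),
     * but every getObject() returns a cleaned copy for rendering.
     */
    static final class SanitizedHtmlModel implements IModel<String> {
        private static final long serialVersionUID = 1L;

        // Allow-list of formatting tags plus img. <script>, event-handler
        // attributes such as onclick, and non-http(s)/mailto/ftp href values
        // are not in the list and are dropped by Jsoup.clean.
        private static final Whitelist ALLOWED = Whitelist.basicWithImages();

        private final IModel<String> raw;

        SanitizedHtmlModel(IModel<String> raw) {
            this.raw = raw;
        }

        @Override
        public String getObject() {
            String html = raw.getObject();
            return html == null ? null : Jsoup.clean(html, ALLOWED);
        }

        @Override
        public void setObject(String object) {
            raw.setObject(object);
        }

        @Override
        public void detach() {
            raw.detach();
        }
    }
}
```

Sanitizing on read rather than on save means content stored before the allow-list was tightened is still cleaned with the current rules when it is displayed.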
