Thank you Martin! This is exactly what I was looking for. 2017-02-09 13:03 GMT+01:00 Martin Grigorov <mgrigo...@apache.org>:
> Hi, > > Check https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer > > Martin Grigorov > Wicket Training and Consulting > https://twitter.com/mtgrigorov > > On Thu, Feb 9, 2017 at 12:50 PM, daniel simko <dan.si...@gmail.com> wrote: > > > Hello, > > > > I would like to ask you whether there is some safe way how to display > html > > output from some rich editor (e.g. TinyMCE)? In order to display html it > is > > necessary to switch off model escaping [1] which is opening a door for > XSS. > > I was thinking about some converter [2] which would escape only JS > related > > stuff (e.g. <script>, onclick, ...) but I didn't find any escaping > method > > which works this way. > > > > Thank you, > > Dan > > > > [1] > > https://github.com/wicketstuff/core/blob/master/ > tinymce4-parent/tinymce4- > > examples/src/main/java/wicket/contrib/examples/tinymce/ > > InlineTinyMCEPage.java#L24 > > [2] https://gist.github.com/dsimko/2cd931444ba93a1c841e2d3f4fed0db8 > > >