How to implement a possibility for user to post some html-formatted data in a safe way?

Question

I have a textarea and I want to support some simplest formatting for posted data (at least, whitespaces and line breaks).

How can I achieve this? If I w

Answer 1

Use a HTML parser which supports HTML filtering against a whitelist like Jsoup. Here's an extract of relevance from its site.

Sanitize untrusted HTML

Problem

You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

Solution

Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

String unsafe = 
      "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

And then to display it with whitespace preserved, apply CSS white-space: pre-wrap; on the HTML element where you're displaying it.

No all-in-one JSF component comes to mind.

Answer 2

Is there some reason why you need to accept HTML instead of some other markup language, such as markdown (which is what StackOverflow uses)?

http://daringfireball.net/projects/markdown/

Not sure what kind of tags you'd want to accept that wouldn't be covered by md or a similar formatting language...