I am working with JSF. I have used RichFaces's 'RichEditor'. I am storing the contents from this editor into a bean and displaying them in a JSF form. But it shows HTML tags on the JSF form. For that I have used the JSoup HTML parser. But it completely converts the written content of the rich editor to simple text, removing all formatting like bold, buttons used, newlines, etc. I need to display it in the JSF form exactly as it appears in the editor.
Please help...
CODE for Rich Editor
<f:param name="theme_advanced_buttons1" value="
newdocument,separator,copy,cut,paste,pasteword,undo,redo,separator,bold,italic,underline,
strikethrough,forecolor,backcolor,separator,
justifyleft,justifycenter,justifyright,justifyfull,outdent,indent " />
<f:param name="theme_advanced_buttons2" value= "bullist,numlist,separator,
insertdate,inserttime,separator,image,emotions,styleprops,fontselect,fontsizeselect,formatselect,search,replace"/>
<f:param name="theme_advanced_toolbar_location" value="top"/>
<f:param name="theme_advanced_toolbar_align" value="left"/>
<f:param name="theme_advanced_font_sizes" value="10px,12px,14px,16px,18px,20px,24px,32px,36px,42px,48px,60px,72px"/>
<f:param name="theme_advanced_fonts" value="Andale Mono=andale mono,times;
Arial=arial,helvetica,sans-serif;
Arial Black=arial black,avant garde;
Book Antiqua=book antiqua,palatino;
Calibri=calibri;
Comic Sans MS=comic sans ms,sans-serif;
Courier New=courier new,courier;
Georgia=georgia,palatino;
Helvetica=helvetica;
Impact=impact,chicago;
Symbol=symbol;
Tahoma=tahoma,arial,helvetica,sans-serif;
Terminal=terminal,monaco;
Times New Roman=times new roman,times;
Trebuchet MS=trebuchet ms,geneva;
Verdana=verdana,geneva;
Webdings=webdings;
Wingdings=wingdings,zapf dingbats"/>
</rich:editor>
FROM Java....
public String saveNotice() {
    System.out.println(html2text(editor));
    return "";
}

public String html2text(String editor)
{
    String edit;
    // Jsoup.text() returns only the text nodes, so every tag (bold, lists, line breaks) is dropped
    edit = Jsoup.parse(editor).text();
    setEditor(edit);
    return edit;
}
When you're redisplaying it using <h:outputText>, JSF will escape the HTML in order to prevent XSS attacks. You need to add escape="false" to redisplay the HTML plain (which thus gets interpreted by the web browser).
<h:outputText value="#{bean.html}" escape="false" />
However, this is still a potential XSS hole. Since you're already using Jsoup, you can use Jsoup#clean()
to preserve some basic HTML tags and remove all other malicious tags.
public String sanitizeHtml(String html) {
    // keep only the tags and attributes of the basic whitelist; everything else is dropped
    return Jsoup.clean(html, Whitelist.basic());
}
The Whitelist is customizable. See also its javadoc for details.
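An added example (not code from the answer above) that builds the sanitizer the answer describes: first with Whitelist.basic(), then with a whitelist extended to keep the font and alignment markup the toolbar configured in the question emits. The class name, the sample input and the extended tag/attribute set are assumptions.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/** Sanitizes rich-editor HTML before a bean exposes it to <h:outputText escape="false">. */
public class NoticeSanitizer {

    // Whitelist.basic(): b, i, u, strong, em, p, br, ul, ol, li, a (http/https/mailto only), ...
    // Everything else, including script, event handlers and inline colours, is dropped.
    private static final Whitelist BASIC = Whitelist.basic();

    // Assumed extension for this editor: keep <font> and inline style on span/p so that
    // forecolor/fontselect/justify* output survives. Allowing "style" is a deliberate
    // trade-off; leave it out if colours and alignment are not needed.
    private static final Whitelist EDITOR = Whitelist.basic()
            .addTags("span", "font", "h1", "h2", "h3")
            .addAttributes("font", "face", "size", "color")
            .addAttributes("span", "style")
            .addAttributes("p", "style");

    /** Strict variant: plain formatting only. */
    public static String sanitizeBasic(String html) {
        return Jsoup.clean(html, BASIC);
    }

    /** Editor variant: formatting plus the font/alignment markup listed above. */
    public static String sanitizeForEditor(String html) {
        return Jsoup.clean(html, EDITOR);
    }

    public static void main(String[] args) {
        // Constructed sample: markup a user could type or paste into the editor.
        String untrusted = "<p style=\"text-align:center\"><b>Notice</b> "
                + "<font color=\"red\">urgent</font></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\" onclick=\"x()\">link</a>"
                + "<ul><li>item</li></ul>";
        // basic(): <font> and the style attribute are gone along with the script,
        // the onclick handler and the javascript: href; bold and the list remain.
        System.out.println(sanitizeBasic(untrusted));
        // EDITOR: the colour and alignment survive, the script/handler/href still do not.
        System.out.println(sanitizeForEditor(untrusted));
    }
}
```

Store the cleaned string in the bean (the Java side of the question does this with setEditor) and only then render it with escape="false".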
In your source the open tag of the rich editor is missing. According to the editor's homepage, try to add the viewMode parameter. I think the value of it must be 'visual'.