I see in the API that it's possible but I can't figure out how to use that sanitize() method. There's even a forum post where someone says to use it but they don't explain how. In essence I have no idea what CTX means in that method signature. If someone can provide sample code of how to get a list of items that were sanitized that would be appreciated.
1 Answer
You need to set up the HtmlChangeListener to catch all elements that are sanitized. The code then looks something like:
import java.util.ArrayList;
import java.util.List;
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Any PolicyFactory works here; this one is only an example policy
PolicyFactory POLICY_DEFINITION = Sanitizers.FORMATTING.and(Sanitizers.LINKS);

// CTX is the type of the context object handed through to the listener; here it is a List<String>
List<String> results = new ArrayList<String>();
HtmlChangeListener<List<String>> htmlChangeListener = new HtmlChangeListener<List<String>>()
{
    // Called once for each element the policy dropped entirely
    @Override
    public void discardedTag(List<String> context, String elementName)
    {
        context.add(elementName);
    }

    // Called for each element that was kept but had one or more attributes stripped
    @Override
    public void discardedAttributes(List<String> context, String tagName, String... attributeNames)
    {
        context.add(tagName);
    }
};

String rawHtml = "<p onclick=\"x()\">Hello <script>x()</script></p>"; // sample input
String sanitizedHtml = POLICY_DEFINITION.sanitize(rawHtml, htmlChangeListener, results);
System.out.println("Sanitized elements include: " + String.join(",", results));
2 Comments
codebusta
It should be StringUtils.join()
firstpostcommenter
So this can be the indirect way to validate input, right? Because the library doesn't provide it github.com/OWASP/java-html-sanitizer/blob/main/docs/…
CTX is a generic type in the method.
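The following is an added, complete example that is not part of the question, the answer, or the OWASP project itself. It shows what the CTX parameter is for, records both discarded tags and the names of the discarded attributes (the answer's listener only records the tag name), and treats a non-empty change list as the "indirect validation" signal the comment above asks about. The class name SanitizeAudit, the Change and Result types, the allow-list policy and the sample input are all assumptions constructed for this example; the org.owasp.html API calls are the library's real ones.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.owasp.html.HtmlChangeListener;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/** Added example: audit what the OWASP Java HTML Sanitizer removed (class name and policy are assumptions). */
public class SanitizeAudit {

    /** One change the policy made. An empty attribute list means the whole tag was dropped. */
    static final class Change {
        final String tag;
        final List<String> attributes;

        Change(String tag, List<String> attributes) {
            this.tag = tag;
            this.attributes = attributes;
        }

        boolean isDroppedTag() { return attributes.isEmpty(); }

        @Override
        public String toString() {
            return isDroppedTag()
                ? "dropped <" + tag + ">"
                : "stripped " + attributes + " from <" + tag + ">";
        }
    }

    /** CTX is simply the type of whatever you pass as the third sanitize() argument; here it is List<Change>. */
    static final HtmlChangeListener<List<Change>> RECORDER = new HtmlChangeListener<List<Change>>() {
        @Override
        public void discardedTag(List<Change> changes, String elementName) {
            changes.add(new Change(elementName, Collections.<String>emptyList()));
        }

        @Override
        public void discardedAttributes(List<Change> changes, String tagName, String... attributeNames) {
            changes.add(new Change(tagName, Arrays.asList(attributeNames)));
        }
    };

    /** Example allow-list policy (an assumption of this example, not the asker's POLICY_DEFINITION). */
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "b", "a")
        .allowAttributes("href").onElements("a")
        .allowStandardUrlProtocols()
        .toFactory();

    /** Sanitized output together with the list of everything the policy removed. */
    static final class Result {
        final String html;
        final List<Change> changes;

        Result(String html, List<Change> changes) {
            this.html = html;
            this.changes = changes;
        }
    }

    /** Sanitizes rawHtml and returns the clean markup plus an audit trail of the removals. */
    static Result sanitizeWithAudit(String rawHtml) {
        List<Change> changes = new ArrayList<Change>();
        String clean = POLICY.sanitize(rawHtml, RECORDER, changes);
        return new Result(clean, changes);
    }

    public static void main(String[] args) {
        // Constructed sample input: an inline event handler, a script element and a javascript: URL,
        // none of which the policy above allows.
        String raw = "<p onclick=\"alert(1)\">Hi <b>there</b><script>alert(2)</script>"
                   + "<a href=\"javascript:alert(3)\">link</a></p>";

        Result r = sanitizeWithAudit(raw);
        System.out.println("Sanitized: " + r.html);
        for (Change c : r.changes) {
            System.out.println("  " + c);
        }

        // A non-empty change list means the input did not already conform to the policy.
        // Depending on context, that is a reason to reject the submission or to log it for review.
        if (!r.changes.isEmpty()) {
            System.out.println(r.changes.size() + " disallowed construct(s) were removed; logging for review.");
        }
    }
}
```

Compile it against the owasp-java-html-sanitizer artifact on the classpath. Note what the listener does and does not tell you: it reports tags and attributes that were discarded, not attributes the policy kept but rewrote, so it is a useful audit trail and a reasonable "did this input conform?" check, but the sanitized output is still what you render.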