Thursday, March 31, 2011

RichTextArea, SafeHtml, and general rich text best practices

I just converted one of our simple TextAreas into a RichTextArea
(using the RichTextToolbar from the Showcase). I'm not quite sure I
understand the best practices for using RichTextArea with SafeHtml.

GWT's RichTextArea.java has the methods:

void setHTML(SafeHtml)
String getHTML()

Let's say I'm writing an app which lets the user:

1) Create new posts
2) Edit posts
3) Display posts
-----

1) Create new posts

a) First, they create a post by typing in the RichTextArea using the
various formatting buttons available in the toolbar.

b) This post needs to be persisted somewhere (a database or
whatever). Is it necessary to "sanitize" the user input at this
point? I assume it's not necessary. So we simply call
RichTextArea.getHTML() and persist this raw string containing
<span>s, <b>s etc.

2) Edit posts
To edit the posts, we take the raw HTML the user previously entered
that was persisted somewhere, and call
RichTextArea.setHTML(SafeHtml). Right? The problem is we cannot
generate SafeHtml that does not escape even the basic HTML outputted
previously from the RichTextArea. For instance, RichTextArea
generates <span>s for most of the content. SafeHtmlUtils and
SimpleHtmlSanitizer will escape this tag. I'm assuming using
RichTextArea.setHTML(String) is a bad practice, so I'm looking for the
proper way to do this.

3) Display posts
Displaying posts is similar to editing them, but with the added
problem that unless they're displayed in an iframe (or another
RichTextArea), the post will look different than what the user
inputted (since it inherits styles from the rest of the page).

Can someone explain the best practices for using RichTextArea? I'm
not really knowledgeable in this area. I'm starting to think that web
applications actually do not store HTML at all for posts/discussions.
They'll use some other markup like bbcode, markdown, wikipedia style,
etc. If that's the case, why do all the rich text widgets (CKEditor,
tinymce, GXT RTE, GWT RichTextArea) output HTML instead of some other
"safe" format?

... like RichTextArea.setRichText(RichText text) and
RichTextArea.getRichText()...

Hopefully someone can help explain this to me.

Thanks!
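An added example, not from the post or from GWT, of the allowlist approach a sanitizer such as SimpleHtmlSanitizer takes, written in Python rather than GWT's Java and widened to keep the inline formatting a RichTextArea emits (the tag, attribute and style allowlists are assumptions to tune to the toolbar in use). Run over editor output before it is persisted and again before it goes back into setHTML(), it keeps the spans and bold tags the post worries about, drops scripts, event-handler attributes and javascript: links, and closes any tags the editor left dangling.

```python
import re
from html import escape
from html.parser import HTMLParser

# Tags an execCommand editor (what RichTextArea wraps) emits; assumption: tune to your toolbar.
ALLOWED_TAGS = {"b", "i", "u", "strike", "span", "div", "p", "br", "ul", "ol", "li", "sub", "sup"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"span": {"style"}}  # every other attribute (on*, href, src, ...) is dropped
# Only plain inline formatting declarations survive inside style="..."
SAFE_STYLE = re.compile(r"^\s*((font-weight|font-style|text-decoration)\s*:\s*[a-z-]+\s*;?\s*)+$")
DROP_CONTENT = {"script", "style"}  # these lose their text content as well as the tag

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], None
    def handle_starttag(self, tag, attrs):
        if self.skip:
            return
        if tag in DROP_CONTENT:
            self.skip = tag
        elif tag in ALLOWED_TAGS:  # other tags are dropped; their text still comes through escaped
            kept = ""
            for name, value in attrs:
                ok = name in ALLOWED_ATTRS.get(tag, ()) and value is not None
                if ok and (name != "style" or SAFE_STYLE.match(value)):
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag not in VOID_TAGS:
                self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        elif tag in self.stack:  # also closes any unclosed tags nested inside it
            while (opened := self.stack.pop()) != tag:
                self.out.append(f"</{opened}>")
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))
    def result(self):
        self.close()
        while self.stack:  # close whatever the editor markup left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def sanitize(raw_html):
    """Allowlist raw editor HTML so it is safe to persist and to hand back to setHTML()."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    return parser.result()
```

Because the output is already restricted to the allowlist, wrapping it for setHTML(SafeHtml) on the GWT side no longer needs to escape the editor's own tags.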


