Wednesday, April 2, 2014

Which solution is the right way to sanitize URL for <img> & <a href> tag in GWT?

I am googling how to sanitize URLs in GWT and found too many different ways to do it. I am quite confused and I couldn't make a decision.

So, suppose you have a textbox that allows the user to enter an HTML URL, and then you wrap that URL string inside an <img> or <a> tag before inserting it into the DB. There is a table that has a column to store HTML code, like the following:

    <a href="...">AA</a>
    <img src="http://xxxx">
    // more html rows here

So suppose the user enters http://car.com/pic.gif; then, after the user clicks the Submit button, I want it to be stored in myDB as follows:

    <img src="http://car.com/pic.gif">

But users can input anything, so we have to make sure the URL input is safe. So here are some options:

-Option1:

    import com.google.gwt.safehtml.shared.UriUtils;

    String str = "http://car.com/pic.gif";
    String safeStrURI;
    if (UriUtils.isSafeUri(str)) {
        // isSafeUri() accepts http, https, ftp, mailto and scheme-less (relative) URIs
        safeStrURI = "<img src=\"" + str + "\"><br/>";
    } else {
        // sanitizeUri() returns "#" for any other scheme; the original code only
        // stored in this branch and passed the whole <img ...> string to sanitizeUri()
        safeStrURI = "<img src=\"" + UriUtils.sanitizeUri(str) + "\"><br/>";
    }
    storeUrl(safeStrURI); // store html string into DB

-Option2:

    import com.google.gwt.safehtml.shared.SafeHtmlBuilder;

    String str = "http://car.com/pic.gif";
    SafeHtmlBuilder builder = new SafeHtmlBuilder();
    // appendHtmlConstant() is for compile-time constants and, in Development Mode,
    // rejects a fragment that ends inside a tag (such as "<img src=\"")
    builder.appendHtmlConstant("<img src=\"");
    // appendEscaped() only HTML-escapes the text; it does not check the URI scheme
    builder.appendEscaped(str);
    builder.appendHtmlConstant("\"><br/>");
    String safeStrURI = builder.toSafeHtml().asString();
    storeUrl(safeStrURI); // store html string into DB

-Option3:

    import com.google.gwt.safehtml.shared.UriUtils;

    String str = "http://car.com/pic.gif";
    // fromString() sanitizes: the SafeUri holds str unchanged if its scheme is safe, "#" otherwise.
    // asString() is not HTML-escaped, so a double quote inside an otherwise safe URI
    // would still end the attribute when concatenated like this.
    String safeStrURI = "<img src=\"" + UriUtils.fromString(str).asString() + "\"><br/>";
    storeUrl(safeStrURI); // store html string into DB

... there are some more solutions, but I don't know them.

I don't understand why Google doesn't just make 1 or 2 methods to achieve this; why there are so many ways to do it confuses me a lot.

So, which option is good for solving my problem?

Or do you know another option?
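The following is an added example, not code from the post above or from the GWT project, showing how the three options fit together: the URI scheme check (UriUtils) and the HTML attribute escaping (SafeHtml) are two separate steps, and GWT's SafeHtmlTemplates does both for a {0} placed in a src or href attribute. The class name SafeLinkHtml, the interface name Templates and the method names are assumptions made for this example; UriUtils, SafeHtmlUtils, SafeHtmlTemplates and GWT.create are real GWT APIs.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;

// Example class (name assumed): builds the <img> / <a> HTML for a user-supplied URL.
public final class SafeLinkHtml {

    // A template parameter inside a src/href attribute must be a SafeUri (or a String,
    // which GWT then sanitizes itself); the generated code also HTML-escapes the value,
    // so a quote inside the URI cannot end the attribute.
    public interface Templates extends SafeHtmlTemplates {
        @Template("<img src=\"{0}\"><br/>")
        SafeHtml image(SafeUri src);

        // {1} is in text context, so a String argument is HTML-escaped there.
        @Template("<a href=\"{0}\">{1}</a>")
        SafeHtml link(SafeUri href, String text);
    }

    private static final Templates TEMPLATES = GWT.create(Templates.class);

    // Step 1: UriUtils.fromString() keeps the URI if its scheme is http, https, ftp,
    // mailto or absent, and replaces it with "#" otherwise.
    // Step 2: the template escapes the SafeUri for the attribute context.
    public static String imageHtml(String userInput) {
        SafeUri src = UriUtils.fromString(userInput);
        return TEMPLATES.image(src).asString();
    }

    public static String linkHtml(String userInput, String text) {
        return TEMPLATES.link(UriUtils.fromString(userInput), text).asString();
    }

    // Manual equivalent of imageHtml() for code that cannot use templates
    // (for instance server-side code that only has the .shared classes):
    // sanitize the scheme first, then HTML-escape before placing the value
    // in a quoted attribute. Both steps are needed; neither one alone is enough.
    public static String imageHtmlManual(String userInput) {
        String uri = UriUtils.sanitizeUri(userInput);
        return "<img src=\"" + SafeHtmlUtils.htmlEscape(uri) + "\"><br/>";
    }
}
```

For the input http://car.com/pic.gif both imageHtml() and imageHtmlManual() produce `<img src="http://car.com/pic.gif"><br/>`; a URI with any scheme other than http, https, ftp or mailto produces `<img src="#"><br/>`. The template version needs the GWT compiler or Development Mode because of GWT.create(); the manual version runs in any JVM that has the gwt-user shared classes on the classpath.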

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
