com.liferay.portal.kernel.util

Class HtmlUtil

Object

com.liferay.portal.kernel.util.HtmlUtil

public class HtmlUtil
extends Object

Provides utility methods for escaping, rendering, replacing, and stripping HTML text. This class uses XSS recommendations from http://www.owasp.org/index.php/Cross_Site_Scripting#How_to_Protect_Yourself when escaping HTML text.

Author:

Brian Wing Shun Chan, Clarence Shen, Harry Mark, Samuel Kong

Constructor Summary

Constructors

Constructor and Description
HtmlUtil()

Method Summary

Modifier and Type	Method and Description
static String	buildData(Map<String,Object> data)
static String	escape(String text) Escapes the text so that it is safe to use in an HTML context.
static String	escape(String text, int mode) Escapes the input text as a hexadecimal value, based on the mode (type).
static String	escapeAttribute(String attribute) Escapes the attribute value so that it is safe to use as an attribute value.
static String	escapeCSS(String css) Escapes the CSS value so that it is safe to use in a CSS context.
static String	escapeHREF(String href) Escapes the HREF attribute so that it is safe to use as an HREF attribute.
static String	escapeJS(String js) Escapes the JavaScript value so that it is safe to use in a JavaScript context.
static String	escapeJSLink(String link)
static String	escapeURL(String url) Escapes the URL value so that it is safe to use as a URL.
static String	escapeXPath(String xPath)
static String	escapeXPathAttribute(String xPathAttribute)
static String	extractText(String html) Extracts the raw text from the HTML input, compressing its whitespace and removing all attributes, scripts, and styles.
static String	fromInputSafe(String text)
static String	getAUICompatibleId(String html)
static Html	getHtml()
static String	render(String html) Renders the HTML content into text.
static String	replaceMsWordCharacters(String text) Deprecated. As of Wilberforce (7.0.x), with no direct replacement
static String	replaceNewLine(String html) Replaces all new lines or carriage returns with the HTML tag.
void	setHtml(Html html)
static String	stripBetween(String text, String tag) Strips all content delimited by the tag out of the text.
static String	stripComments(String text) Strips all XML comments out of the text.
static String	stripHtml(String text)
static String	toInputSafe(String text) Encodes the text so that it's safe to use as an HTML input field value.
static String	unescape(String text)
static String	unescapeCDATA(String text)
static String	wordBreak(String text, int columns)

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HtmlUtil

public HtmlUtil()

Method Detail

buildData

public static String buildData(Map<String,Object> data)

escape

public static String escape(String text)

Escapes the text so that it is safe to use in an HTML context.

Parameters:

text - the text to escape

Returns:

the escaped HTML text, or null if the text is null

escape

public static String escape(String text,
                            int mode)

Escapes the input text as a hexadecimal value, based on the mode (type).

Parameters:

text - the text to escape

mode - the encoding type

Returns:

the escaped hexadecimal value of the input text, based on the mode, or null if the text is null

See Also:

HtmlImpl.escape(String, int)

escapeAttribute

public static String escapeAttribute(String attribute)

Escapes the attribute value so that it is safe to use as an attribute value.

Parameters:

attribute - the attribute to escape

Returns:

the escaped attribute value, or null if the attribute value is null

escapeCSS

public static String escapeCSS(String css)

Escapes the CSS value so that it is safe to use in a CSS context.

Parameters:

css - the CSS value to escape

Returns:

the escaped CSS value, or null if the CSS value is null

escapeHREF

public static String escapeHREF(String href)

Escapes the HREF attribute so that it is safe to use as an HREF attribute.

Parameters:

href - the HREF attribute to escape

Returns:

the escaped HREF attribute, or null if the HREF attribute is null

escapeJS

public static String escapeJS(String js)

Escapes the JavaScript value so that it is safe to use in a JavaScript context.

Parameters:

js - the JavaScript value to escape

Returns:

the escaped JavaScript value, or null if the JavaScript value is null

escapeJSLink

public static String escapeJSLink(String link)

escapeURL

public static String escapeURL(String url)

Escapes the URL value so that it is safe to use as a URL.

Parameters:

url - the URL value to escape

Returns:

the escaped URL value, or null if the URL value is null

escapeXPath

public static String escapeXPath(String xPath)

escapeXPathAttribute

public static String escapeXPathAttribute(String xPathAttribute)

extractText

public static String extractText(String html)

Extracts the raw text from the HTML input, compressing its whitespace and removing all attributes, scripts, and styles.

For example, raw text returned by this method can be stored in a search index.

Parameters:

html - the HTML text

Returns:

the raw text from the HTML input, or null if the HTML input is null

fromInputSafe

public static String fromInputSafe(String text)

getAUICompatibleId

public static String getAUICompatibleId(String html)

getHtml

public static Html getHtml()

render

public static String render(String html)

Renders the HTML content into text. This provides a human readable version of the segment content that is modeled on the way Mozilla Thunderbird® and other email clients provide an automatic conversion of HTML content to text in their alternative MIME encoding of emails.

Using the default settings, the output complies with the Text/Plain; Format=Flowed (DelSp=No) protocol described in RFC-3676.

Parameters:

html - the HTML text

Returns:

the rendered HTML text, or null if the HTML text is null

replaceMsWordCharacters

@Deprecated
public static String replaceMsWordCharacters(String text)

Deprecated. As of Wilberforce (7.0.x), with no direct replacement

Replaces all Microsoft® Word Unicode characters with plain HTML entities or characters.

Parameters:

text - the text

Returns:

the converted text, or null if the text is null

replaceNewLine

public static String replaceNewLine(String html)

Replaces all new lines or carriage returns with the
HTML tag.

Parameters:

html - the text

Returns:

the converted text, or null if the HTML text is null

stripBetween

public static String stripBetween(String text,
                                  String tag)

Strips all content delimited by the tag out of the text.

If the tag appears multiple times, all occurrences (including the tag) are stripped. The tag may have attributes. In order for this method to recognize the tag, it must consist of a separate opening and closing tag. Self-closing tags remain in the result.

Parameters:

text - the text

tag - the tag used for delimiting, which should only be the tag's name (e.g. no <)

Returns:

the text, without the stripped tag and its contents, or null if the text is null

stripComments

public static String stripComments(String text)

Strips all XML comments out of the text.

Parameters:

text - the text

Returns:

the text, without the stripped XML comments, or null if the text is null

stripHtml

public static String stripHtml(String text)

toInputSafe

public static String toInputSafe(String text)

Encodes the text so that it's safe to use as an HTML input field value.

For example, the & character is replaced by &.

Parameters:

text - the text

Returns:

the encoded text that is safe to use as an HTML input field value, or null if the text is null

unescape

public static String unescape(String text)

unescapeCDATA

public static String unescapeCDATA(String text)

wordBreak

public static String wordBreak(String text,
                               int columns)

setHtml

public void setHtml(Html html)