Package com.liferay.portal.kernel.util
Class HtmlUtil
Object
com.liferay.portal.kernel.util.HtmlUtil
Provides utility methods for escaping, replacing, and stripping
HTML text. This class uses XSS recommendations from http://www.owasp.org/index.php/Cross_Site_Scripting#How_to_Protect_Yourself
when escaping HTML text.
- Author:
- Brian Wing Shun Chan, Clarence Shen, Harry Mark, Samuel Kong, Connor McKay, Shuyang Zhou
-
Constructor Summary
Constructors -
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| static String | buildData | Generates a string with the data-* attributes generated from the keys and values of a map. |
| static String | escape | Escapes the text so that it is safe to use in an HTML context. |
| static String | escapeAttribute(String attribute) | Escapes the attribute value so that it is safe to use as an attribute value. |
| static String | escapeCSS | Escapes the CSS value so that it is safe to use in a CSS context. |
| static String | escapeHREF(String href) | Escapes the HREF attribute so that it is safe to use as an HREF attribute. |
| static String | escapeJS | Escapes the JavaScript value so that it is safe to use in a JavaScript context. |
| static String | escapeJSLink(String link) | |
| static String | escapeURL | Escapes the URL value so that it is safe to use as a URL. |
| static String | escapeXPath(String xPath) | |
| static String | escapeXPathAttribute(String xPathAttribute) | |
| static String | fromInputSafe(String text) | |
| static String | getAUICompatibleId(String html) | |
| static String | replaceNewLine(String html) | Replaces all new lines or carriage returns with the <br /> HTML tag. |
| static String | stripBetween(String text, String tag) | Strips all content delimited by the tag out of the text. |
| static String | stripComments(String text) | Strips all XML comments out of the text. |
| static String | stripHtml | |
| static String | toInputSafe(String text) | Encodes the text so that it's safe to use as an HTML input field value. |
| static String | unescape | |
| static String | unescapeCDATA(String text) | |
| static String | wordBreak | |
-
Constructor Details
-
HtmlUtil
public HtmlUtil()
-
-
Method Details
-
buildData
Generates a string with the data-* attributes generated from the keys and values of a map. For example, a map containing {key1=value1;key2=value2} is returned as the string data-key1=value1 data-key2=value2.
- Parameters:
  data - the map of values to convert to data-* attributes
- Returns:
  a string with the data attributes, or null if the map is null
-
escape
Escapes the text so that it is safe to use in an HTML context.
- Parameters:
  text - the text to escape
- Returns:
  the escaped HTML text, or null if the text is null
-
escapeAttribute
Escapes the attribute value so that it is safe to use as an attribute value.
- Parameters:
  attribute - the attribute to escape
- Returns:
  the escaped attribute value, or null if the attribute value is null
-
escapeCSS
Escapes the CSS value so that it is safe to use in a CSS context.
- Parameters:
  css - the CSS value to escape
- Returns:
  the escaped CSS value, or null if the CSS value is null
-
escapeHREF
Escapes the HREF attribute so that it is safe to use as an HREF attribute.
- Parameters:
  href - the HREF attribute to escape
- Returns:
  the escaped HREF attribute, or null if the HREF attribute is null
-
escapeJS
Escapes the JavaScript value so that it is safe to use in a JavaScript context.
- Parameters:
  js - the JavaScript value to escape
- Returns:
  the escaped JavaScript value, or null if the JavaScript value is null
-
escapeJSLink
-
escapeURL
Escapes the URL value so that it is safe to use as a URL.
- Parameters:
  url - the URL value to escape
- Returns:
  the escaped URL value, or null if the URL value is null
-
escapeXPath
-
escapeXPathAttribute
-
fromInputSafe
-
getAUICompatibleId
-
replaceNewLine
Replaces all new lines or carriage returns with the <br /> HTML tag.
- Parameters:
  html - the text
- Returns:
  the converted text, or null if the HTML text is null
-
stripBetween
Strips all content delimited by the tag out of the text.
If the tag appears multiple times, all occurrences (including the tag) are stripped. The tag may have attributes. In order for this method to recognize the tag, it must consist of a separate opening and closing tag. Self-closing tags remain in the result.
- Parameters:
  text - the text
  tag - the tag used for delimiting, which should only be the tag's name (e.g. no <)
- Returns:
  the text, without the stripped tag and its contents, or null if the text is null
-
stripComments
Strips all XML comments out of the text.
- Parameters:
  text - the text
- Returns:
  the text, without the stripped XML comments, or null if the text is null
-
stripHtml
-
toInputSafe
Encodes the text so that it's safe to use as an HTML input field value.
For example, the & character is replaced by &amp;.
- Parameters:
  text - the text
- Returns:
  the encoded text that is safe to use as an HTML input field value, or null if the text is null
-
unescape
-
unescapeCDATA
-
wordBreak
-
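Added usage example (not part of the Liferay Javadoc or code base): the same untrusted values are written into four different output contexts, each with the escaper documented above for that context, and the documented null return is normalized before appending. The class ProfileCardRenderer and its field names are hypothetical, the single-String signatures of escape and escapeJS are assumed, and the code needs the Liferay portal kernel library on the classpath.

```java
import com.liferay.portal.kernel.util.HtmlUtil;

import java.util.Objects;

// Added example: ProfileCardRenderer and its field names are hypothetical.
public class ProfileCardRenderer {

	// Every escaper documented above returns null for null input, and
	// appending a null String would emit the literal text "null".
	private static String orEmpty(String escaped) {
		return Objects.toString(escaped, "");
	}

	public static String render(
		String displayName, String tooltip, String homepage) {

		StringBuilder sb = new StringBuilder();

		// HREF attribute context
		sb.append("<a href=\"");
		sb.append(orEmpty(HtmlUtil.escapeHREF(homepage)));

		// Quoted attribute value context
		sb.append("\" title=\"");
		sb.append(orEmpty(HtmlUtil.escapeAttribute(tooltip)));

		// Element content context
		sb.append("\">");
		sb.append(orEmpty(HtmlUtil.escape(displayName)));
		sb.append("</a>");

		// JavaScript string literal context: the HTML escaper is the
		// wrong tool here, so the same value goes through escapeJS.
		sb.append("<script>var profileName = '");
		sb.append(orEmpty(HtmlUtil.escapeJS(displayName)));
		sb.append("';</script>");

		return sb.toString();
	}

	public static void main(String[] args) {
		// Constructed sample input containing markup and quote characters.
		System.out.println(
			render("Ann <b>\"O'Neil\"</b>", "R&D \"lead\"", "/web/ann?x=1&y=2"));
		// Null fields render as empty strings instead of "null".
		System.out.println(render(null, null, null));
	}
}
```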