com.liferay.portal.kernel.util

Class HtmlUtil

java.lang.Object

com.liferay.portal.kernel.util.HtmlUtil

public class HtmlUtil
extends java.lang.Object

Provides utility methods for escaping, rendering, replacing, and stripping HTML text. This class uses XSS recommendations from http://www.owasp.org/index.php/Cross_Site_Scripting#How_to_Protect_Yourself when escaping HTML text.

Author:

Brian Wing Shun Chan, Clarence Shen, Harry Mark, Samuel Kong

Constructor Summary

Constructors

Constructor and Description
HtmlUtil()

Method Summary

Modifier and Type	Method and Description
static java.lang.String	buildData(java.util.Map<java.lang.String,java.lang.Object> data)
static java.lang.String	escape(java.lang.String text) Escapes the text so that it is safe to use in an HTML context.
static java.lang.String	escape(java.lang.String text, int mode) Escapes the input text as a hexadecimal value, based on the mode (type).
static java.lang.String	escapeAttribute(java.lang.String attribute) Escapes the attribute value so that it is safe to use as an attribute value.
static java.lang.String	escapeCSS(java.lang.String css) Escapes the CSS value so that it is safe to use in a CSS context.
static java.lang.String	escapeHREF(java.lang.String href) Escapes the HREF attribute so that it is safe to use as an HREF attribute.
static java.lang.String	escapeJS(java.lang.String js) Escapes the JavaScript value so that it is safe to use in a JavaScript context.
static java.lang.String	escapeJSLink(java.lang.String link)
static java.lang.String	escapeURL(java.lang.String url) Escapes the URL value so that it is safe to use as a URL.
static java.lang.String	escapeXPath(java.lang.String xPath)
static java.lang.String	escapeXPathAttribute(java.lang.String xPathAttribute)
static java.lang.String	extractText(java.lang.String html) Extracts the raw text from the HTML input, compressing its whitespace and removing all attributes, scripts, and styles.
static java.lang.String	fromInputSafe(java.lang.String text)
static java.lang.String	getAUICompatibleId(java.lang.String html)
static Html	getHtml()
static java.lang.String	render(java.lang.String html) Renders the HTML content into text.
static java.lang.String	replaceMsWordCharacters(java.lang.String text) Deprecated. As of Wilberforce (7.0.x), with no direct replacement
static java.lang.String	replaceNewLine(java.lang.String html) Replaces all new lines or carriage returns with the HTML tag.
void	setHtml(Html html)
static java.lang.String	stripBetween(java.lang.String text, java.lang.String tag) Strips all content delimited by the tag out of the text.
static java.lang.String	stripComments(java.lang.String text) Strips all XML comments out of the text.
static java.lang.String	stripHtml(java.lang.String text)
static java.lang.String	toInputSafe(java.lang.String text) Encodes the text so that it's safe to use as an HTML input field value.
static java.lang.String	unescape(java.lang.String text)
static java.lang.String	unescapeCDATA(java.lang.String text)
static java.lang.String	wordBreak(java.lang.String text, int columns)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HtmlUtil

public HtmlUtil()

Method Detail

buildData

public static java.lang.String buildData(java.util.Map<java.lang.String,java.lang.Object> data)

escape

public static java.lang.String escape(java.lang.String text)

Escapes the text so that it is safe to use in an HTML context.

Parameters:

text - the text to escape

Returns:

the escaped HTML text, or null if the text is null

escape

public static java.lang.String escape(java.lang.String text,
                                      int mode)

Escapes the input text as a hexadecimal value, based on the mode (type).

Parameters:

text - the text to escape

mode - the encoding type

Returns:

the escaped hexadecimal value of the input text, based on the mode, or null if the text is null

See Also:

HtmlImpl.escape(String, int)

escapeAttribute

public static java.lang.String escapeAttribute(java.lang.String attribute)

Escapes the attribute value so that it is safe to use as an attribute value.

Parameters:

attribute - the attribute to escape

Returns:

the escaped attribute value, or null if the attribute value is null

escapeCSS

public static java.lang.String escapeCSS(java.lang.String css)

Escapes the CSS value so that it is safe to use in a CSS context.

Parameters:

css - the CSS value to escape

Returns:

the escaped CSS value, or null if the CSS value is null

escapeHREF

public static java.lang.String escapeHREF(java.lang.String href)

Escapes the HREF attribute so that it is safe to use as an HREF attribute.

Parameters:

href - the HREF attribute to escape

Returns:

the escaped HREF attribute, or null if the HREF attribute is null

escapeJS

public static java.lang.String escapeJS(java.lang.String js)

Escapes the JavaScript value so that it is safe to use in a JavaScript context.

Parameters:

js - the JavaScript value to escape

Returns:

the escaped JavaScript value, or null if the JavaScript value is null

escapeJSLink

public static java.lang.String escapeJSLink(java.lang.String link)

escapeURL

public static java.lang.String escapeURL(java.lang.String url)

Escapes the URL value so that it is safe to use as a URL.

Parameters:

url - the URL value to escape

Returns:

the escaped URL value, or null if the URL value is null

escapeXPath

public static java.lang.String escapeXPath(java.lang.String xPath)

escapeXPathAttribute

public static java.lang.String escapeXPathAttribute(java.lang.String xPathAttribute)

extractText

public static java.lang.String extractText(java.lang.String html)

Extracts the raw text from the HTML input, compressing its whitespace and removing all attributes, scripts, and styles.

For example, raw text returned by this method can be stored in a search index.

Parameters:

html - the HTML text

Returns:

the raw text from the HTML input, or null if the HTML input is null

fromInputSafe

public static java.lang.String fromInputSafe(java.lang.String text)

getAUICompatibleId

public static java.lang.String getAUICompatibleId(java.lang.String html)

getHtml

public static Html getHtml()

render

public static java.lang.String render(java.lang.String html)

Renders the HTML content into text. This provides a human readable version of the segment content that is modeled on the way Mozilla Thunderbird® and other email clients provide an automatic conversion of HTML content to text in their alternative MIME encoding of emails.

Using the default settings, the output complies with the Text/Plain; Format=Flowed (DelSp=No) protocol described in RFC-3676.

Parameters:

html - the HTML text

Returns:

the rendered HTML text, or null if the HTML text is null

replaceMsWordCharacters

@Deprecated
public static java.lang.String replaceMsWordCharacters(java.lang.String text)

Deprecated. As of Wilberforce (7.0.x), with no direct replacement

Replaces all Microsoft® Word Unicode characters with plain HTML entities or characters.

Parameters:

text - the text

Returns:

the converted text, or null if the text is null

replaceNewLine

public static java.lang.String replaceNewLine(java.lang.String html)

Replaces all new lines or carriage returns with the
HTML tag.

Parameters:

html - the text

Returns:

the converted text, or null if the HTML text is null

stripBetween

public static java.lang.String stripBetween(java.lang.String text,
                                            java.lang.String tag)

Strips all content delimited by the tag out of the text.

If the tag appears multiple times, all occurrences (including the tag) are stripped. The tag may have attributes. In order for this method to recognize the tag, it must consist of a separate opening and closing tag. Self-closing tags remain in the result.

Parameters:

text - the text

tag - the tag used for delimiting, which should only be the tag's name (e.g. no <)

Returns:

the text, without the stripped tag and its contents, or null if the text is null

stripComments

public static java.lang.String stripComments(java.lang.String text)

Strips all XML comments out of the text.

Parameters:

text - the text

Returns:

the text, without the stripped XML comments, or null if the text is null

stripHtml

public static java.lang.String stripHtml(java.lang.String text)

toInputSafe

public static java.lang.String toInputSafe(java.lang.String text)

Encodes the text so that it's safe to use as an HTML input field value.

For example, the & character is replaced by &.

Parameters:

text - the text

Returns:

the encoded text that is safe to use as an HTML input field value, or null if the text is null

unescape

public static java.lang.String unescape(java.lang.String text)

unescapeCDATA

public static java.lang.String unescapeCDATA(java.lang.String text)

wordBreak

public static java.lang.String wordBreak(java.lang.String text,
                                         int columns)

setHtml

public void setHtml(Html html)