Package com.liferay.portal.kernel.util
Class HtmlUtil

Object
    com.liferay.portal.kernel.util.HtmlUtil

Provides utility methods for escaping, replacing, and stripping HTML text. This class uses XSS recommendations from http://www.owasp.org/index.php/Cross_Site_Scripting#How_to_Protect_Yourself when escaping HTML text.

Author:
    Brian Wing Shun Chan, Clarence Shen, Harry Mark, Samuel Kong, Connor McKay, Shuyang Zhou

Constructor Summary
Constructors
    HtmlUtil()

Method Summary
Modifier and Type, Method, Description

static String buildData
    Generates a string with the data-* attributes generated from the keys and values of a map.
static String escape
    Escapes the text so that it is safe to use in an HTML context.
static String escapeAttribute(String attribute)
    Escapes the attribute value so that it is safe to use as an attribute value.
static String escapeCSS
    Escapes the CSS value so that it is safe to use in a CSS context.
static String escapeHREF(String href)
    Escapes the HREF attribute so that it is safe to use as an HREF attribute.
static String escapeJS
    Escapes the JavaScript value so that it is safe to use in a JavaScript context.
static String escapeJSLink(String link)
static String escapeURL
    Escapes the URL value so that it is safe to use as a URL.
static String escapeXPath(String xPath)
static String escapeXPathAttribute(String xPathAttribute)
static String fromInputSafe(String text)
static String getAUICompatibleId(String html)
static String replaceNewLine(String html)
    Replaces all new lines or carriage returns with the <br /> HTML tag.
static String stripBetween(String text, String tag)
    Strips all content delimited by the tag out of the text.
static String stripComments(String text)
    Strips all XML comments out of the text.
static String stripHtml
static String toInputSafe(String text)
    Encodes the text so that it's safe to use as an HTML input field value.
static String unescape
static String unescapeCDATA(String text)
static String wordBreak

Constructor Details

HtmlUtil
public HtmlUtil()

Method Details

buildData
Generates a string with the data-* attributes generated from the keys and values of a map. For example, a map containing {key1=value1;key2=value2} is returned as the string data-key1=value1 data-key2=value2.
Parameters:
    data - the map of values to convert to data-* attributes
Returns:
    a string with the data attributes, or null if the map is null

escape
Escapes the text so that it is safe to use in an HTML context.
Parameters:
    text - the text to escape
Returns:
    the escaped HTML text, or null if the text is null

escapeAttribute
Escapes the attribute value so that it is safe to use as an attribute value.
Parameters:
    attribute - the attribute to escape
Returns:
    the escaped attribute value, or null if the attribute value is null

escapeCSS
Escapes the CSS value so that it is safe to use in a CSS context.
Parameters:
    css - the CSS value to escape
Returns:
    the escaped CSS value, or null if the CSS value is null

escapeHREF
Escapes the HREF attribute so that it is safe to use as an HREF attribute.
Parameters:
    href - the HREF attribute to escape
Returns:
    the escaped HREF attribute, or null if the HREF attribute is null

escapeJS
Escapes the JavaScript value so that it is safe to use in a JavaScript context.
Parameters:
    js - the JavaScript value to escape
Returns:
    the escaped JavaScript value, or null if the JavaScript value is null

escapeJSLink

escapeURL
Escapes the URL value so that it is safe to use as a URL.
Parameters:
    url - the URL value to escape
Returns:
    the escaped URL value, or null if the URL value is null

escapeXPath

escapeXPathAttribute

fromInputSafe

getAUICompatibleId

replaceNewLine
Replaces all new lines or carriage returns with the <br /> HTML tag.
Parameters:
    html - the text
Returns:
    the converted text, or null if the HTML text is null

stripBetween
Strips all content delimited by the tag out of the text.
If the tag appears multiple times, all occurrences (including the tag) are stripped. The tag may have attributes. In order for this method to recognize the tag, it must consist of a separate opening and closing tag. Self-closing tags remain in the result.
Parameters:
    text - the text
    tag - the tag used for delimiting, which should only be the tag's name (e.g. no <)
Returns:
    the text, without the stripped tag and its contents, or null if the text is null

stripComments
Strips all XML comments out of the text.
Parameters:
    text - the text
Returns:
    the text, without the stripped XML comments, or null if the text is null

stripHtml

toInputSafe
Encodes the text so that it's safe to use as an HTML input field value.
For example, the & character is replaced by &amp;.
Parameters:
    text - the text
Returns:
    the encoded text that is safe to use as an HTML input field value, or null if the text is null

unescape

unescapeCDATA

wordBreak
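
Each escape method documented above targets one output context (HTML text, attribute value, HREF, URL, JavaScript), so the method has to match the place the value is written into. The following is an added example, not part of the Liferay documentation or code base, that pairs each untrusted value with the matching method. The class `ProfileCardRenderer`, its `render` and `nz` methods and the sample values are hypothetical, and it assumes the portal-kernel JAR is on the classpath.

```java
import com.liferay.portal.kernel.util.HtmlUtil;

// Added illustration, not Liferay code. Class, method and sample values are
// hypothetical; assumes the portal-kernel JAR is on the classpath.
public class ProfileCardRenderer {

    // Each escape method returns null for null input, and appending null to
    // a StringBuilder writes the literal text "null", so normalize first.
    private static String nz(String value) {
        return (value == null) ? "" : value;
    }

    public static String render(
            String displayName, String homepage, String searchTerm,
            String tooltip) {
        StringBuilder sb = new StringBuilder();

        // URL context: the search term becomes a query parameter value.
        String searchLink = "/search?q=" + HtmlUtil.escapeURL(nz(searchTerm));

        // HREF attribute context: a user-supplied link target.
        sb.append("<a href=\"").append(HtmlUtil.escapeHREF(nz(homepage)));
        // Attribute value context.
        sb.append("\" title=\"").append(HtmlUtil.escapeAttribute(nz(tooltip)));
        // HTML body context.
        sb.append("\">").append(HtmlUtil.escape(nz(displayName)));
        sb.append("</a>\n");

        // The assembled link is itself written into an href attribute.
        sb.append("<a href=\"").append(HtmlUtil.escapeHREF(searchLink));
        sb.append("\">Search</a>\n");

        // JavaScript context: a string literal inside a script block.
        sb.append("<script>var displayName = '");
        sb.append(HtmlUtil.escapeJS(nz(displayName)));
        sb.append("';</script>\n");
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input with characters that are significant in
        // HTML, attribute, URL and JavaScript contexts.
        System.out.println(render(
            "Ann <O'Neil> & \"Co\"", "https://example.com/?a=1&b=2",
            "cats & dogs", "Ann's \"home\" page"));
    }
}
```

The same `displayName` value is escaped twice with different methods because it is written into two different contexts; reusing the HTML-escaped form inside the script block would not be equivalent.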