Class HtmlUtil

Object
com.liferay.portal.kernel.util.HtmlUtil

public class HtmlUtil extends Object
Provides utility methods for escaping, replacing, and stripping HTML text. This class uses XSS recommendations from http://www.owasp.org/index.php/Cross_Site_Scripting#How_to_Protect_Yourself when escaping HTML text.
Author:
Brian Wing Shun Chan, Clarence Shen, Harry Mark, Samuel Kong, Connor McKay, Shuyang Zhou
  • Constructor Details

    • HtmlUtil

      public HtmlUtil()
  • Method Details

    • buildData

      public static String buildData(Map<String,Object> data)
      Generates a string with the data-* attributes generated from the keys and values of a map. For example, a map containing {key1=value1;key2=value2} is returned as the string data-key1=value1 data-key2=value2.
      Parameters:
      data - the map of values to convert to data-* attributes
      Returns:
      a string with the data attributes, or null if the map is null
    • escape

      public static String escape(String text)
      Escapes the text so that it is safe to use in an HTML context.
      Parameters:
      text - the text to escape
      Returns:
      the escaped HTML text, or null if the text is null
    • escapeAttribute

      public static String escapeAttribute(String attribute)
      Escapes the attribute value so that it is safe to use as an attribute value.
      Parameters:
      attribute - the attribute to escape
      Returns:
      the escaped attribute value, or null if the attribute value is null
    • escapeCSS

      public static String escapeCSS(String css)
      Escapes the CSS value so that it is safe to use in a CSS context.
      Parameters:
      css - the CSS value to escape
      Returns:
      the escaped CSS value, or null if the CSS value is null
    • escapeHREF

      public static String escapeHREF(String href)
      Escapes the HREF attribute so that it is safe to use as an HREF attribute.
      Parameters:
      href - the HREF attribute to escape
      Returns:
      the escaped HREF attribute, or null if the HREF attribute is null
    • escapeJS

      public static String escapeJS(String js)
      Escapes the JavaScript value so that it is safe to use in a JavaScript context.
      Parameters:
      js - the JavaScript value to escape
      Returns:
      the escaped JavaScript value, or null if the JavaScript value is null
    • escapeJSLink

      public static String escapeJSLink(String link)
    • escapeURL

      public static String escapeURL(String url)
      Escapes the URL value so that it is safe to use as a URL.
      Parameters:
      url - the URL value to escape
      Returns:
      the escaped URL value, or null if the URL value is null
    • escapeXPath

      public static String escapeXPath(String xPath)
    • escapeXPathAttribute

      public static String escapeXPathAttribute(String xPathAttribute)
    • fromInputSafe

      public static String fromInputSafe(String text)
    • getAUICompatibleId

      public static String getAUICompatibleId(String html)
    • replaceNewLine

      public static String replaceNewLine(String html)
      Replaces all new lines or carriage returns with the <br /> HTML tag.
      Parameters:
      html - the text
      Returns:
      the converted text, or null if the HTML text is null
    • stripBetween

      public static String stripBetween(String text, String tag)
      Strips all content delimited by the tag out of the text.

      If the tag appears multiple times, all occurrences (including the tag) are stripped. The tag may have attributes. In order for this method to recognize the tag, it must consist of a separate opening and closing tag. Self-closing tags remain in the result.

      Parameters:
      text - the text
      tag - the tag used for delimiting, which should only be the tag's name (e.g. no <)
      Returns:
      the text, without the stripped tag and its contents, or null if the text is null
    • stripComments

      public static String stripComments(String text)
      Strips all XML comments out of the text.
      Parameters:
      text - the text
      Returns:
      the text, without the stripped XML comments, or null if the text is null
    • stripHtml

      public static String stripHtml(String text)
    • toInputSafe

      public static String toInputSafe(String text)
      Encodes the text so that it's safe to use as an HTML input field value.

      For example, the & character is replaced by &amp;.

      Parameters:
      text - the text
      Returns:
      the encoded text that is safe to use as an HTML input field value, or null if the text is null
    • unescape

      public static String unescape(String text)
    • unescapeCDATA

      public static String unescapeCDATA(String text)
    • wordBreak

      public static String wordBreak(String text, int columns)
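
The escaping methods documented above each target one output context. The following is an added example, not code from the Liferay Javadoc or code base, that places untrusted values into several contexts of one fragment and picks the method by where each value lands. The class `ProfileSnippet`, the helper `nz`, the parameter names and the markup are hypothetical, and it assumes Liferay's portal-kernel is on the classpath.

```java
import com.liferay.portal.kernel.util.HtmlUtil;

// Hypothetical helper, not part of Liferay: renders one fragment in which
// untrusted values land in different output contexts.
public class ProfileSnippet {

    // The documented escape methods return null for null input; appending that
    // to a StringBuilder would emit the literal text "null", so normalize it.
    private static String nz(String escaped) {
        return (escaped == null) ? "" : escaped;
    }

    public static String render(
        String displayName, String homepage, String query, String color) {

        StringBuilder sb = new StringBuilder();

        // HTML body text: escape()
        sb.append("<p>Hello, ").append(nz(HtmlUtil.escape(displayName)));
        sb.append("</p>");

        // Quoted attribute value: escapeAttribute()
        sb.append("<input name=\"name\" type=\"text\" value=\"");
        sb.append(nz(HtmlUtil.escapeAttribute(displayName))).append("\" />");

        // href attribute: escapeHREF()
        sb.append("<a href=\"").append(nz(HtmlUtil.escapeHREF(homepage)));
        sb.append("\">Homepage</a>");

        // URL value: escapeURL(), used here on a single parameter value
        // (an assumption about usage). The assembled URL then sits in an
        // attribute, so it gets attribute escaping as well.
        String searchURL = "/search?q=" + nz(HtmlUtil.escapeURL(query));
        sb.append("<a href=\"").append(nz(HtmlUtil.escapeAttribute(searchURL)));
        sb.append("\">Search</a>");

        // JavaScript string literal: escapeJS()
        sb.append("<script>var userName = '");
        sb.append(nz(HtmlUtil.escapeJS(displayName))).append("';</script>");

        // CSS value inside a style attribute: escapeCSS()
        sb.append("<span style=\"color: ").append(nz(HtmlUtil.escapeCSS(color)));
        sb.append("\">sample</span>");

        return sb.toString();
    }
}
```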