asked on
Is it possible to "sandbox" html content within a JSP?
I am trying to create a tool within my Spring MVC webapp where the JSP page takes in text from a user from a textbox, then displays the user text below the textbox with every non-UTF8 decode-able character highlighted in yellow (by taking in the user text as a string, and wrapping every non-UTF8 character with <span style='background:yellow'>
<TABLE...>
........
<TR>
<TD valign="top">
<div>${form.userDataHighli
</TD>
</TR>
</TABLE>
The problem is that the user may enter html content with CSS styling as such:
<html>
<head>
<meta http-equiv=Content-Type content="text/plain; charset=utf-8">
<title></title>
<style>
(some user defined styling)
......
</style>
</head>
<body>
....
</body>
</html>
and this can affect the styling of the main webpage (for example, change the background color of the main webpage).
Is there a way I can "sandbox" the user text within the JSP so that it cannot affect the main JSP styling (such as display it in some kind of frame)? I have tried something like:
<table border="1">
<tr>
<td style="width:500px;height:
<iframe srcdoc=${form.userDataHigh
</td>
</tr>
</table>
and also:
<jsp:include.......>
but in both cases, the background color of the main page is still affected. Is there a way I can display the user's text with the non-UTF8 characters highlighted without allowing the user content to affect the styling of the main page?
<TABLE...>
........
<TR>
<TD valign="top">
<div>${form.userDataHighli
</TD>
</TR>
</TABLE>
The problem is that the user may enter html content with CSS styling as such:
<html>
<head>
<meta http-equiv=Content-Type content="text/plain; charset=utf-8">
<title></title>
<style>
(some user defined styling)
......
</style>
</head>
<body>
....
</body>
</html>
and this can affect the styling of the main webpage (for example, change the background color of the main webpage).
Is there a way I can "sandbox" the user text within the JSP so that it cannot affect the main JSP styling (such as display it in some kind of frame)? I have tried something like:
<table border="1">
<tr>
<td style="width:500px;height:
<iframe srcdoc=${form.userDataHigh
</td>
</tr>
</table>
and also:
<jsp:include.......>
but in both cases, the background color of the main page is still affected. Is there a way I can display the user's text with the non-UTF8 characters highlighted without allowing the user content to affect the styling of the main page?
JSPCSSJavaJavaScriptHTML
Last Comment
mccarl