Using Constretto - finn-no/xss-html-filter GitHub Wiki
It's easy to keep all the configuration in Constretto and pass it to the `HTMLFilter(Map)` constructor as a single map.
For example, to load all the configuration options:
```java
import static ....ConstrettoConfigurationFactory.iniFile;
import static org.springframework.core.io.ResourceLoader.CLASSPATH_URL_PREFIX;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.constretto.ConstrettoConfiguration;

// Built once and shared; HTMLFilter takes the finished map in its constructor.
public static final Map<String,Object> CONFIGURATION
    = Collections.unmodifiableMap(new HashMap<String,Object>(){{
        final ConstrettoConfiguration constretto = iniFile(CLASSPATH_URL_PREFIX + "my-constretto-file.ini");

        // vAllowed: ';'-separated entries of the form "element:attr,attr";
        // an entry without ':' allows the element with no attributes at all.
        final Map<String, List<String>> allowed = new HashMap<String, List<String>>();
        for(String allow : constretto.evaluateTo("HTMLFilter.vAllowed", "").split("\\s*;\\s*")){
            if(0 < allow.indexOf(':')){
                final String name = allow.split("\\s*:\\s*")[0];
                final String[] attributes = allow.split("\\s*:\\s*")[1].split("\\s*,\\s*");
                allowed.put(name, Arrays.asList(attributes));
            }else{
                allowed.put(allow, Collections.<String>emptyList());
            }
        }
        put("vAllowed", allowed);

        // The remaining list-valued keys are plain comma-separated values.
        put("vSelfClosingTags", constretto.evaluateTo("HTMLFilter.vSelfClosingTags", "").split("\\s*,\\s*"));
        put("vNeedClosingTags", constretto.evaluateTo("HTMLFilter.vNeedClosingTags", "").split("\\s*,\\s*"));
        put("vDisallowed", constretto.evaluateTo("HTMLFilter.vDisallowed", "").split("\\s*,\\s*"));
        put("vAllowedProtocols", constretto.evaluateTo("HTMLFilter.vAllowedProtocols", "").split("\\s*,\\s*"));
        put("vProtocolAtts", constretto.evaluateTo("HTMLFilter.vProtocolAtts", "").split("\\s*,\\s*"));
        put("vRemoveBlanks", constretto.evaluateTo("HTMLFilter.vRemoveBlanks", "").split("\\s*,\\s*"));
        put("vAllowedEntities", constretto.evaluateTo("HTMLFilter.vAllowedEntities", "").split("\\s*,\\s*"));

        // Boolean switches default to true when the key is absent.
        put("stripComment", constretto.evaluateTo("HTMLFilter.stripComment", Boolean.TRUE));
        put("alwaysMakeTags", constretto.evaluateTo("HTMLFilter.alwaysMakeTags", Boolean.TRUE));
    }});

...

String input = ...
String clean = new HTMLFilter( CONFIGURATION ).filter(input);
```
Here the property values in `my-constretto-file.ini` are comma-separated, except for `HTMLFilter.vAllowed`, which is semicolon-separated. As the parsing loop above shows, each semicolon-separated value is an element name, optionally followed by a colon and a comma-separated list of the attributes allowed within that element; an element listed without a colon is allowed with no attributes.
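The following is an added example, not code from the xss-html-filter project or from this wiki page. It builds the same map shape as the Constretto snippet above, but from a constructed ini text embedded in the class, so the expected format of each `HTMLFilter.*` key is visible, and it adds a review step over the resulting allowlist before the map would be handed to `HTMLFilter(Map)`. The class name `HtmlFilterConfigExample`, the minimal `readIni` reader (standing in for Constretto's `iniFile` loader), the `[default]` section name and all sample values are assumptions made for this example; the `HTMLFilter` call at the end is left as a comment because it is the page's own usage.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example; not part of the xss-html-filter project.
public class HtmlFilterConfigExample {

    // Constructed sample ini. "[default]" is an assumption about Constretto's
    // ini layout; the values are illustrative, not the project's defaults.
    static final String SAMPLE_INI = String.join("\n",
        "[default]",
        "; vAllowed entries are ';'-separated, each 'element:attr,attr' or just 'element'",
        "HTMLFilter.vAllowed = a:href,title; b; i; p; img:src,alt",
        "HTMLFilter.vSelfClosingTags = img",
        "HTMLFilter.vNeedClosingTags = a,b,i,p",
        "HTMLFilter.vDisallowed =",
        "HTMLFilter.vAllowedProtocols = http,https,mailto",
        "HTMLFilter.vProtocolAtts = src,href",
        "HTMLFilter.vRemoveBlanks = a,b,i",
        "HTMLFilter.vAllowedEntities = amp,gt,lt,quot",
        "HTMLFilter.stripComment = true",
        "HTMLFilter.alwaysMakeTags = true");

    // Minimal key=value reader that stands in for Constretto's iniFile() loader (hypothetical helper).
    static Map<String, String> readIni(String ini) {
        Map<String, String> props = new HashMap<>();
        for (String raw : ini.split("\n")) {
            String line = raw.trim();
            // skip blank lines, ';' or '#' comments and [section] headers
            if (line.isEmpty() || line.startsWith(";") || line.startsWith("#") || line.startsWith("[")) continue;
            int eq = line.indexOf('=');
            if (eq < 0) continue;
            props.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return props;
    }

    // Comma-separated value split as the wiki snippet does; an empty value gives
    // an empty array rather than the single "" element that split() would return.
    static String[] csv(Map<String, String> props, String key) {
        String value = props.getOrDefault(key, "").trim();
        return value.isEmpty() ? new String[0] : value.split("\\s*,\\s*");
    }

    // "elem:attr,attr; elem" -> element name mapped to its allowed attributes
    // (the wiki's convention; names are lower-cased so the later checks are case-insensitive).
    static Map<String, List<String>> parseAllowed(String spec) {
        Map<String, List<String>> allowed = new LinkedHashMap<>();
        for (String entry : spec.trim().split("\\s*;\\s*")) {
            if (entry.isEmpty()) continue;
            String[] parts = entry.split("\\s*:\\s*", 2);
            List<String> attrs = parts.length > 1 && !parts[1].isEmpty()
                ? Arrays.asList(parts[1].toLowerCase().split("\\s*,\\s*"))
                : Collections.<String>emptyList();
            allowed.put(parts[0].toLowerCase(), attrs);
        }
        return allowed;
    }

    // Same keys and value types as the wiki snippet puts into the map for new HTMLFilter(Map).
    static Map<String, Object> buildConfiguration(Map<String, String> props) {
        Map<String, Object> cfg = new HashMap<>();
        cfg.put("vAllowed", parseAllowed(props.getOrDefault("HTMLFilter.vAllowed", "")));
        for (String key : new String[] {"vSelfClosingTags", "vNeedClosingTags", "vDisallowed",
                "vAllowedProtocols", "vProtocolAtts", "vRemoveBlanks", "vAllowedEntities"}) {
            cfg.put(key, csv(props, "HTMLFilter." + key));
        }
        cfg.put("stripComment", Boolean.parseBoolean(props.getOrDefault("HTMLFilter.stripComment", "true")));
        cfg.put("alwaysMakeTags", Boolean.parseBoolean(props.getOrDefault("HTMLFilter.alwaysMakeTags", "true")));
        return Collections.unmodifiableMap(cfg);
    }

    // Review of the allowlist before use, so an over-broad ini edit does not reach
    // the filter silently. Returns the findings; the caller decides whether to fail.
    @SuppressWarnings("unchecked")
    static List<String> validate(Map<String, Object> cfg) {
        List<String> problems = new ArrayList<>();
        Map<String, List<String>> allowed = (Map<String, List<String>>) cfg.get("vAllowed");
        for (String tag : Arrays.asList("script", "iframe", "object", "embed", "style", "form")) {
            if (allowed.containsKey(tag)) problems.add("vAllowed permits <" + tag + ">");
        }
        for (Map.Entry<String, List<String>> e : allowed.entrySet()) {
            for (String attr : e.getValue()) {
                if (attr.startsWith("on")) problems.add("<" + e.getKey() + "> allows event handler attribute " + attr);
            }
        }
        List<String> expectedProtocols = Arrays.asList("http", "https", "mailto"); // this example's expected set
        for (String proto : (String[]) cfg.get("vAllowedProtocols")) {
            if (!expectedProtocols.contains(proto.toLowerCase())) problems.add("vAllowedProtocols includes " + proto);
        }
        return problems;
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = buildConfiguration(readIni(SAMPLE_INI));
        System.out.println("vAllowed = " + cfg.get("vAllowed"));
        System.out.println("findings = " + validate(cfg));
        // String clean = new HTMLFilter(cfg).filter(input);   // as on the wiki page
    }
}
```

Compile and run it with `javac HtmlFilterConfigExample.java && java HtmlFilterConfigExample`. The `validate` step is the point: the ini file is the whole security policy of the filter, so reading it back into a map and checking for elements, attributes and protocols you never meant to allow is cheap insurance against a careless edit, and it is easy to turn into a unit test that runs against the real `my-constretto-file.ini` in your build.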