New ESAPI function sanitizeHTML()


Sanitizes unsafe HTML input and removes elements and attributes like JavaScript, onclick, etc.
Based on

Which is similar to, but different from, getSafeHtml(), which uses antisamy (currently unimplemented, see [LDEV-838] - Lucee)


sanitizeHtml(string string,[any policy]):string




The arguments for this function are set. You cannot use other arguments except the following ones.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| string | string | Yes | string to sanitize |
| policy | any | No | Either a org.owasp.html.PolicyFactory or a String with built in Sanitizers. If omitted then all of the built-in policies are applied. The built in Sanitizers are: |

Already bundled in 5.3.9 RC3, local reference


Nice. I’m a big fan of java html sanitizer.

I assume we would be building policies?

Is there a simple way to get an empty policy builder? or would it just be recommended to do something like?
var policyBuild = createObject( "java", "org.owasp.html.HtmlPolicyBuilder" )

add your rules, and then call .toFactory()?

I would recommend that if no policy was passed, that it default to nothing allowed (an empty policy), rather than all the built ins. I.e., imo, it should only allow elements on purpose.
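The two things discussed so far, the `sanitizeHtml(string, [policy])` signature from the first post and the explicit allowlist policy Brad suggests building with `HtmlPolicyBuilder`, as one added example. This is not code from the thread or from the ESAPI extension; it assumes the function and the bundled `org.owasp.html` classes behave as documented above, and the builder method names (`allowElements`, `allowAttributes().onElements()`, `allowStandardUrlProtocols`, `requireRelNofollowOnLinks`) come from the OWASP Java HTML Sanitizer API rather than from this thread. The `javaCast( "string[]", ... )` calls for the varargs parameters and the sample input are also assumptions; the built-in sanitizer names the policy string accepts are not listed on the page, so the example passes `PolicyFactory` objects instead.

```cfml
<cfscript>
// Added example, not from the original post or the ESAPI extension.
// Assumes sanitizeHtml(string, [policy]) as documented in the thread and
// the bundled org.owasp.html classes.

// Constructed sample input: the kind of markup a comment form receives.
dirty = '<p onclick="steal()">Hello <b>world</b></p>'
      & '<a href="javascript:alert(1)">bad link</a>'
      & '<a href="https://example.com">ok link</a>'
      & '<script>alert(1)</script>';

// 1. No policy argument: all of the built-in sanitizers are applied.
writeOutput( "Default: " & encodeForHTML( sanitizeHtml( dirty ) ) & "<br>" );

// 2. Explicit allowlist built with HtmlPolicyBuilder (OWASP API, assumed).
//    Only the listed elements and attributes survive; event handler
//    attributes, <script>, and javascript: URLs are dropped.
builder = createObject( "java", "org.owasp.html.HtmlPolicyBuilder" ).init();
allowlist = builder
    .allowElements( javaCast( "string[]", [ "p", "b", "i", "a" ] ) )
    .allowAttributes( javaCast( "string[]", [ "href" ] ) )
        .onElements( javaCast( "string[]", [ "a" ] ) )
    .allowStandardUrlProtocols()     // http, https, mailto only
    .requireRelNofollowOnLinks()
    .toFactory();

writeOutput( "Allowlist: " & encodeForHTML( sanitizeHtml( dirty, allowlist ) ) & "<br>" );

// 3. An empty policy (nothing allowed) keeps only the text content, which
//    is the "allow elements on purpose" default argued for above.
empty = createObject( "java", "org.owasp.html.HtmlPolicyBuilder" ).init().toFactory();
writeOutput( "Empty: " & encodeForHTML( sanitizeHtml( dirty, empty ) ) );
</cfscript>
```

The sanitized strings are wrapped in `encodeForHTML()` only so the page shows the surviving markup literally; in real use the sanitizer output is what you would render. Building the policy once (for example in `Application.cfc`) and reusing the `PolicyFactory` avoids reconstructing it on every request.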


Wow! Fantastic!

Used getSafeHTML() a lot in my CF code and am migrating to Lucee now.

Just saved me a bunch of time! THANK YOU!


Curious… is there any way we can “alias” this so that a call to getSafeHTML actually calls sanitizeHtml in Lucee?

I’d love to be able to use my CF code base on either server, especially while I’m migrating back and forth.
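One way to keep a shared code base running on both engines during the migration, as an added example that is not from the thread. It assumes Lucee reports "Lucee" in `server.coldfusion.productname`, that Adobe's `getSafeHTML(string)` and the ESAPI extension's `sanitizeHtml(string, [policy])` behave as this thread describes, and it uses its own name (`safeHtml`) because the thread does not establish whether Lucee lets a UDF shadow the built-in name `getSafeHTML`.

```cfml
<cfscript>
// Added example, not from the thread. Portable wrapper that dispatches to
// whichever sanitizer the running engine provides.
function safeHtml( required string input, any policy ) {
    if ( server.coldfusion.productname contains "Lucee" ) {
        // Lucee + ESAPI extension: optional OWASP PolicyFactory or policy name
        if ( structKeyExists( arguments, "policy" ) ) {
            return sanitizeHtml( arguments.input, arguments.policy );
        }
        return sanitizeHtml( arguments.input );
    }
    // Adobe ColdFusion: getSafeHTML uses AntiSamy, whose policy file is not
    // an OWASP PolicyFactory, so only the no-policy form is portable here.
    return getSafeHTML( arguments.input );
}

// Constructed sample input
writeOutput( encodeForHTML( safeHtml( '<b onmouseover="x()">hi</b><script>1</script>' ) ) );
</cfscript>
```

Put the function in a file included from `Application.cfc` so every template calls `safeHtml()` regardless of the engine; the policy argument is only honoured on Lucee, which keeps the difference between the two sanitizers explicit rather than silently ignored.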


Is it feasible to upgrade a la carte to the newer owasp-java-html-sanitizer-20220608.1.jar or best to wait for the next bundled release of Lucee or the ESAPI extension?

can you file a bug in jira requesting the update? needs a bit of java plumbing


I will email Andrew Dixon today for an account.

thanks for creating the ticket

please always post a link back to the thread if you create a ticket, I have updated the ticket title too, just “upgrade” isn’t very helpful!

I did include a link, but only embedded in the Description. Thanks for the tip. I’ve never used Jira and it appeared that Issues referred to Jira issue dependencies and didn’t see documentation about using the “Add web link” option for linking to Dev Forum topics. I have added that link now.

Weird. I don’t remember exactly what I entered for the title, but I’m fairly certain it was more than just one word (terseness is definitely not my modus operandi haha) and that I specifically mentioned OWASP Java HTML Sanitizer. I followed the example set by Michael Offner re: “Upgrade database drivers”.

So I don’t know how the title was truncated, but thanks for editing it.

The first line of the Description appears truncated as well. I would have included at least a colon as that is my style. Mentioning just in case there are bugs in Jira.

After reading the automated email from Jira showing the diffs, most likely not bugs in Jira. I must have been tired and intended to finish the title after entering the description. Woops! :flushed:
