How do I safely insert potentially malformed HTML into a JSF page?

1
votes

I'm working on a JSF page that needs to have the corporate privacy policy updated. Rather than copy-and-paste the new text, I'd prefer to have the PrimeFaces dialog that displays it link to the privacy policy elsewhere. So, I'm doing this:

    <p:dialog id="dlgPrivacyPolicy">
        <ui:include src="https://cdn.mycompany.com/privacy/en-us/privacy.htm"/>
    </p:dialog>

The problem is, the HTML on that page is slightly malformed; there's a <meta> tag that isn't closed. This causes my JSF page to fail to compile.

I could track down whoever maintains that page and ask them to correct it, but that's a band-aid. If any more malformed HTML shows up on that page, it will crash mine. And having my page fail to load because the privacy policy didn't close a tag just isn't acceptable.

Is there a safe way for me to insert potentially malformed HTML into my page? Or am I stick with copying and pasting if I really want to avoid that issue?

3
jsf
I think you know better than this. The ideal solution is that the broken page should be fixed. In fact you page should crash. If you put in a fix that will handle malformed HTML you are just aiding and abetting bad coding practices. You page crashing because of someone else bad code is absolutely acceptable. What is unacceptable is someone writing malformed HTML. Coding is more than just punching code, it is also about writing good code at every level. Hold your developers to a higher standard and your code quality will improve. The Band Aid is the fix you are looking to implementmyqyl4
No, the ideal solution is that the broken page should be fixed and STAY fixed. The first I can do. The second is completely beyond my control; I'm a small fish in a very large pond here, with no power to dictate coding standards to the rest of the company. And if somebody omitting a closing </meta> on a static HTML page crashes my application, that's on me.BlairHippo

3 Answers

3
votes

If you don't want xhtml compilation problem, you should not include the malformed page in server side but in client side, for example by running ajax request on it and include it by using innerHtml attribute of the dlgPrivacyPolicy div. Using JQuery :

$.ajax({
    url: "https://cdn.mycompany.com/privacy/en-us/privacy.htm"
})
.done(function( html ) {
    $( "#dlgPrivacyPolicy " ).html( html );
});
1
votes

Considering your requirements (mentioned in your question and comments) I'd suggest to use jsoup: You can fetch the html content server-side, sanitize it and then use the sanitized content on your page. The sanitizing step is completely up to you (and jsoup's great capabilities) which can include removing unused/unsafe parts of the page (i.e. headers, css etc) as required.

0
votes

I'm afraid that including a complete HTML page verbatim is always going to be painful. There's the risk of malformed HTML, or the page might do funny things like overwrite CSS styles, pollute global Javscript scope or whatever.

I think the only clean, maintainable solution will be to agree on some kind of (web) service that provides the privacy policy in a well-defined format (HTML, XHTML, whatever) suitable for inclusion elsewhere. This also makes sure the provider of the privacy policy does not suddenly decide to change the URL, or include a popup or similar. The important point is that the service is an official service with agreed-upon rules.

If you cannot get that service, you'll have to find workarounds. The best I can think of would be to filter the policy through some tolerant HTML parser on your side to fix it (at runtime, or as part of the build). Then you can also fix things like over-eager CSS rules or bad Javascript, as applicable.