I have a web application which accepts an HTML template from my users to render a specific page the way they like to see it. I made some conventions for rendering dynamic content for them, like using ${news} for rendering the latest news:
I told them: to see the latest news, put the ${news} tag between your HTML tags like this:
<div style="desiredStyle">
<forEach varStatus="item" items=${news} >
<div>
<p>${item.title}</p>
<p>${item.content}</p>
</div>
</forEach>
</div>
Anyway, I want to prevent them from using any JSTL or JSP tag other than my defined params (e.g. ${news}), to prevent data leaks and XSS attacks.
The question is: how can I allow the usage of HTML tags and JavaScript code in my <textarea>
input element and prevent malicious JSTL and JSP scriptlet code?
Is there any library for these purposes?
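One way to get what the question asks for, as an added example that is not part of the original post and not any library's code: never hand the user's text to the JSP compiler at all. Treat the template as data, expand only the placeholders you defined, HTML-escape the values you put in, and neutralise every other ${...} or #{...} so nothing reaches an EL evaluator. The class name SafeTemplateRenderer, the News type with its title and content fields, and the exact placeholder grammar (mirroring the forEach/varStatus convention from the post) are assumptions for this illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the original post. It renders a user template
// with an allow-list of placeholders and never hands the text to the JSP
// compiler. SafeTemplateRenderer, News and the two item fields are assumptions.
public class SafeTemplateRenderer {

    // Constructed data type standing in for the application's news items.
    public static final class News {
        final String title, content;
        News(String title, String content) { this.title = title; this.content = content; }
    }

    // The only block construct the user template language supports, spelled
    // the way the post's own convention spells it.
    private static final Pattern FOR_EACH = Pattern.compile(
        "<forEach\\s+varStatus=\"(\\w+)\"\\s+items=\"?\\$\\{news\\}\"?\\s*>(.*?)</forEach>",
        Pattern.DOTALL);

    // Syntax that would execute if the text were ever compiled as a JSP:
    // scriptlets/declarations/expressions (<% ... %>) and <jsp:...> actions.
    private static final Pattern JSP_SYNTAX =
        Pattern.compile("<%|%>|</?jsp:", Pattern.CASE_INSENSITIVE);

    static void rejectJspSyntax(String template) {
        Matcher m = JSP_SYNTAX.matcher(template);
        if (m.find()) {
            throw new IllegalArgumentException(
                "JSP syntax is not allowed in user templates: " + m.group());
        }
    }

    // Minimal HTML escaping for values placed into element content or attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Turn every remaining ${...} / #{...} into literal text so that no EL
    // expression the user wrote can reach an evaluator, even if the rendered
    // string is later (wrongly) dropped into a JSP.
    static String neutraliseEl(String s) {
        return s.replace("${", "&#36;{").replace("#{", "&#35;{");
    }

    public static String render(String template, List<News> news) {
        rejectJspSyntax(template);
        Matcher m = FOR_EACH.matcher(template);
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            out.append(neutraliseEl(template.substring(last, m.start())));
            String var = m.group(1), body = m.group(2);
            for (News n : news) {
                // Substitute the two allowed fields (escaped) first, then
                // neutralise whatever else still looks like an expression.
                String filled = body
                    .replace("${" + var + ".title}", escapeHtml(n.title))
                    .replace("${" + var + ".content}", escapeHtml(n.content));
                out.append(neutraliseEl(filled));
            }
            last = m.end();
        }
        out.append(neutraliseEl(template.substring(last)));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed news items; the first title is a stored-XSS attempt.
        List<News> news = Arrays.asList(
            new News("<script>alert(1)</script>", "first"),
            new News("Plain title", "second & last"));

        // The template from the post, plus an EL probe the user must not be able to run.
        String template = "<div style=\"desiredStyle\">\n"
            + "<forEach varStatus=\"item\" items=${news} >\n"
            + "<div><p>${item.title}</p><p>${item.content}</p></div>\n"
            + "</forEach>\n"
            + "${pageContext.servletContext.getRealPath(\"/\")}\n"
            + "</div>";
        System.out.println(render(template, news));

        // A scriptlet is rejected before anything is rendered.
        try {
            render("<% out.println(System.getProperty(\"user.home\")); %>", news);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rendered string is written straight to the response as HTML; it is never saved as a .jsp or included with jsp:include, so there is no JSP or EL evaluation step for an attacker to reach. Two caveats a practitioner would add: the "%>" check will also reject an innocent "50%>" in inline CSS, which is the cost of keeping the filter simple; and letting users put their own JavaScript in the template is only safe if the page is shown to the user who wrote it. If other users can view it, the template itself is stored XSS no matter how well the JSP side is filtered, and you would need an HTML sanitizer (for instance the OWASP Java HTML Sanitizer) and a Content Security Policy instead of, or in addition to, this. As for libraries, a logic-less engine such as Mustache gives you placeholders and loops without any code-execution path, which is closer to what the question wants than JSP.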