function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
MG ConsultingMG Consulting 




I need to use escape="false" in some of our app's Visualforce pages in order to allow the display of HTML stored in the database. Per SFDC's Security Review of our app (and for good reason), I must sanitize this HTML. Unfortunately, SFDC does not yet provide any built-in methods to do so, therefore, one must roll their own solution.


Any ideas on the best way to go about implementing this?


Thanks a lot,


String.replaceAll is probably the best way to do this. Your specific solution will depend on where you are merging text into the page. Usually, it is sufficient to encode ampersands ( & ), less than ( < ), and greater than ( > ), since ampersands start "character entities", and the other prevents tag encoding. Other than that, most other characters should be safe in HTML to emit directly (if not necessarily standards-compliant). I hope this suggestion helps you.
MG ConsultingMG Consulting

Thanks for the reply sfdcfox. I don't think I was entirely clear. If I simply omitted escape="false" as an attribute on my apex:outputText tag SFDC would automatically escape all HTML characters presenting the HTML to the user as plain text. Thus, the escaping you describe below is already built into SFDC by default.


I'm purposely setting escape="false" because I want the HTML from the database to render in the user's browser, not appear as plain text. This works just fine but does not pass SFDC's Security Review (for good reason).


Unfortunately, SFDC does not yet provide any built in methods to sanitize HTML, i.e. possibly by allowing only certain white listed HTML tags.


I was wondering if anyone else had run into this same issue and thus already built some apex logic to handle this situation. If not, I love some suggestions on how to best implement it.


Thanks a lot,



Hi Mike, I'm having the same issue. I need to show the unescaped html in my page becuase i rendered it as a doc file.

I tried to use a inner class to wrap the object and avoid mapping directly the field from the database, but without luck...

Do you stil have the issue?




Use HTMLENCODE utility method in the visualforce page.