  • Filtering and sanitizing HTML tags in Java

    OWASP HTML Sanitizer is a simple and fast Java library whose main purpose is preventing XSS.

    Its advantages:

      1. Simple to use. No cumbersome XML configuration; only a small amount of code is needed.

      2. Maintained by Mike Samuel (a Google engineer).

      3. Passes the AntiSamy unit tests with over 95% coverage.

      4. High performance, low memory consumption.

      5. Four times the performance of the AntiSamy DOM implementation.

    1. Add the dependency to the POM

            <!-- HTML tag filtering -->
            <dependency>
                <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
                <artifactId>owasp-java-html-sanitizer</artifactId>
                <version>r136</version>
            </dependency>
    

    2. Utility class

    import org.owasp.html.ElementPolicy;
    import org.owasp.html.HtmlPolicyBuilder;
    import org.owasp.html.PolicyFactory;
    
    import java.util.List;
    
    /**
     * @author : RandySun
     * @date : 2018-10-08  10:32
     * Comment :
     */
    public class HtmlUtils {
    
        // tags that are allowed through unchanged
        private static final String[] allowedTags = {"h1", "h2", "h3", "h4", "h5", "h6",
                "span", "strong",
                "img", "video", "source",
                "blockquote", "p", "div",
                "ul", "ol", "li",
                "table", "thead", "caption", "tbody", "tr", "th", "td", "br",
                "a"
        };
    
        // sectioning tags that are rewritten to another element
        private static final String[] needTransformTags = {"article", "aside", "command","datalist","details","figcaption", "figure",
                "footer","header", "hgroup","section","summary"};
    
        // tags that carry a link (URL-valued attributes)
        private static final String[] linkTags = {"img","video","source","a"};

        public static String sanitizeHtml(String htmlContent){
            PolicyFactory policy = new HtmlPolicyBuilder()
                    // every allowed tag
                    .allowElements(allowedTags)
                    // content-sectioning tags are rewritten to div
                    .allowElements( new ElementPolicy() {
                        @Override
                        public String apply(String elementName, List<String> attributes){
                            return "div";
                        }
                    },needTransformTags)
                    // attributes permitted only on the link-carrying tags
                    .allowAttributes("src","href","target").onElements(linkTags)
                    // URLs in src/href must use https; any other scheme is dropped
                    .allowUrlProtocols("https")
                    .toFactory();
            String safeHTML = policy.sanitize(htmlContent);
            return safeHTML;
        }
    
        public static void main(String[] args){
            // the inner quotes must be escaped, otherwise this line does not compile
            String inputHtml = "<img src=\"https://a.jpb\"/>";
            System.out.println(sanitizeHtml(inputHtml));
        }
    }
    

    Here .allowElements(allowedTags) registers all of the permitted HTML tags.

    The following call handles the tags that must be converted: every element listed in needTransformTags is rewritten to a div.

        // content-sectioning tags are rewritten to div
        .allowElements( new ElementPolicy() {
            @Override
            public String apply(String elementName, List<String> attributes){
                return "div";
            }
        },needTransformTags)

    .allowAttributes("src","href","target").onElements(linkTags) declares which attributes are permitted, and only on those specific tags.

    .allowUrlProtocols("https") means that only the https protocol is accepted in href or src links; a URL with any other scheme is removed.
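    A constructed self-check, added here and not part of the original post, that runs a few sample fragments through the same policy rules as HtmlUtils (rebuilt inline with a shorter tag list so the class runs on its own) and verifies what each rule does to them; the input fragments and the example.invalid URLs are constructed for this check.

```java
import org.owasp.html.ElementPolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Constructed check of the sanitizer policy described above (not the post's own code). */
public class HtmlUtilsCheck {

    // Same rule set as HtmlUtils.sanitizeHtml, with a reduced tag list.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "div", "a", "img")
            .allowElements(new ElementPolicy() {
                @Override
                public String apply(String elementName, List<String> attrs) {
                    return "div"; // sectioning tags collapse to div
                }
            }, "article", "section")
            .allowAttributes("src", "href", "target").onElements("img", "a")
            .allowUrlProtocols("https")
            .toFactory();

    /** Sanitizes input and returns true when the output meets every expectation. */
    static boolean check(String input, List<String> mustContain, List<String> mustNotContain) {
        String out = POLICY.sanitize(input);
        boolean ok = mustContain.stream().allMatch(out::contains)
                && mustNotContain.stream().noneMatch(out::contains);
        System.out.printf("%s%n  in : %s%n  out: %s%n", ok ? "PASS" : "FAIL", input, out);
        return ok;
    }

    public static void main(String[] args) {
        boolean allOk = true;
        // The ElementPolicy rewrites the sectioning tag; its children survive.
        allOk &= check("<article><p>hello</p></article>",
                Arrays.asList("<div>", "<p>hello</p>"), Arrays.asList("<article"));
        // A script element is not allowed, and its body is dropped with it.
        allOk &= check("<p>x</p><script>var a = 1;</script>",
                Arrays.asList("<p>x</p>"), Arrays.asList("<script", "var a"));
        // Attributes outside the allow list (e.g. event handlers) are removed.
        allOk &= check("<img src=\"https://example.invalid/a.png\" onclick=\"f()\">",
                Arrays.asList("src=\"https://example.invalid/a.png\""), Arrays.asList("onclick"));
        // Non-https URL: the protocol allow-list strips the src attribute.
        allOk &= check("<img src=\"http://example.invalid/a.png\">",
                Collections.<String>emptyList(), Arrays.asList("http://"));
        System.out.println(allOk ? "all checks passed" : "some checks failed");
    }
}
```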


  • Original address: https://www.cnblogs.com/qizhelongdeyang/p/9884716.html