Filtering user-submitted HTML safely with Jsoup

程序员文章站 2022-05-29 20:44:28
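Websites use input or textarea elements to let users submit content, for example when posting threads, articles or comments. The back-end program then has to filter that input for safety, for example:

    String unsafe = "" + ""; // the sample markup inside these literals was lost from the page
    String safe = Jsoup.clean(unsafe, Whitelist.relaxed());
    System.out.println("safe: " + safe);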

Official API documentation: http://jsoup.org/apidocs/org/jsoup/safety/Whitelist.html

Where I found it:

http://www.oschina.net/question/12_10232 , based on which I wrote my own custom helper class:

    package com.cssor.safety;

    import org.jsoup.Jsoup;
    import org.jsoup.helper.StringUtil;
    import org.jsoup.safety.Whitelist;

    public class ContentSafeFilter {
        private final static Whitelist user_content_filter = Whitelist.relaxed();
        static {
            // Add trusted tags to the whitelist.
            // Note: embed/object/param go beyond Whitelist.relaxed(); no addProtocols()
            // call is made for embed, so its src value is not restricted by scheme.
            user_content_filter.addTags("embed", "object", "param", "span", "div");
            // Add trusted attributes.
            // Note: style, id and name on every element let submitted content restyle
            // the page or collide with ids and names the page's own scripts rely on.
            user_content_filter.addAttributes(":all", "style", "class", "id", "name");
            user_content_filter.addAttributes("object", "width", "height", "classid", "codebase");
            user_content_filter.addAttributes("param", "name", "value");
            user_content_filter.addAttributes("embed", "src", "quality", "width", "height", "allowFullScreen", "allowScriptAccess", "flashvars", "name", "type", "pluginspage");
        }

        /**
         * Filter user input.
         * @param html
         * @return
         */
        public static String filter(String html) {
            if (StringUtil.isBlank(html)) return "";
            return Jsoup.clean(html, user_content_filter);
            //return filterScriptAndStyle(html);
        }

        /**
         * Fairly relaxed filtering that still removes tags such as object, script, span and div;
         * suitable for rich-text editor content or other HTML content.
         * @param html
         * @return
         */
        public static String relaxed(String html) {
            return Jsoup.clean(html, Whitelist.relaxed());
        }

        /**
         * Remove all tags and return plain text. Suitable for textarea and input.
         * @param html
         * @return
         */
        public static String pureText(String html) {
            return Jsoup.clean(html, Whitelist.none());
        }

        /**
         * @param args
         */
        public static void main(String[] args) {
            // The HTML tags of this sample were stripped when the page was extracted;
            // only the text nodes "1" and "Link" survive.
            String unsafe = "1" + "" + "Link" + "" + "" + "";
            String safe = ContentSafeFilter.filter(unsafe);
            System.out.println("safe: " + safe);
        }
    }

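Jsoup's filtering does not support images with relative paths: for example, an img tag whose src is a relative path has its src attribute removed. I thought of a simple way to avoid this: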

    /**
     * Filter user input with the custom tag whitelist.
     * @param html
     * @return
     */
    public static String filter(String html) {
        if (StringUtil.isBlank(html)) return "";
        String baseUri = "http://baseuri";
        return Jsoup.clean(html, baseUri, user_content_filter).replaceAll("src=\"http://baseuri", "src=\"");
    }
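The relative-path case handled three ways, as an added example that is not from the original post: without a base URI, with the replace workaround above, and with jsoup's own `preserveRelativeLinks(true)` setting. The class name, method names and sample HTML are constructed for illustration; the code uses `Whitelist` as the post does (newer jsoup releases name this class `Safelist`).

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class RelativeLinkDemo {
    // Placeholder base URI (assumption): it only lets jsoup resolve relative
    // URLs so they can be checked against the allowed protocols.
    private static final String BASE_URI = "http://baseuri";

    // Constructed sample input, not taken from the original post.
    private static final String SAMPLE =
        "<p onclick=\"track()\">Hello <img src=\"/upload/a.png\" alt=\"a\">"
        + "<a href=\"javascript:void(0)\">Link</a>"
        + "<script>alert(1)</script></p>";

    /** No base URI: the relative src cannot be validated, so it is removed. */
    static String cleanWithoutBase(String html) {
        return Jsoup.clean(html, Whitelist.relaxed());
    }

    /** The workaround from the post: resolve against a dummy base, then strip it. */
    static String cleanWithReplace(String html) {
        return Jsoup.clean(html, BASE_URI, Whitelist.relaxed())
                    .replaceAll("src=\"" + BASE_URI, "src=\"");
    }

    /** jsoup's own switch: validate against the base, keep the URL as written. */
    static String cleanPreservingRelative(String html) {
        // preserveRelativeLinks still needs a base URI passed to clean(),
        // otherwise the protocol of a relative URL cannot be confirmed.
        Whitelist wl = Whitelist.relaxed().preserveRelativeLinks(true);
        return Jsoup.clean(html, BASE_URI, wl);
    }

    public static void main(String[] args) {
        System.out.println("no base URI : " + cleanWithoutBase(SAMPLE));
        System.out.println("replace     : " + cleanWithReplace(SAMPLE));
        System.out.println("preserve    : " + cleanPreservingRelative(SAMPLE));
    }
}
```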

http://cssor.com/jsoup-whitelist-clean-html-for-user-content.html